Threat Information API
Access current threat information via the HoneyDB Threat Information API.
Terms and Conditions
HoneyDB is a community driven honeypot data aggregation platform. HoneyDB collects and publishes honeypot data via its platform API.
Registered HoneyDB users can access the API free of charge for non-commercial uses.
Cases that involve commercialization require a commercial, non-free license. Cases of commercialization include but are not limited to:
- Managed/Software-as-a-Service services.
- Distributing HoneyDB data as a commercial product or as part of one.
- Using or distributing HoneyDB data as a value added service/product.
For more information about commercial licensing, see our commercial plan offerings.
HoneyDB makes no guarantees as to the availability of its services (web site and APIs). In addition, all information is provided "as is" and HoneyDB disclaims all
warranties. All access to the server is logged.
Request Limits
In an effort to provide a stable service, an API request limit needs to be enforced to manage server load. For all non-enterprise and non-commercial users the request limit is
1500 requests per month. When your account has exceeded the request limit the API will respond with a status code of 429 (Too Many Requests).
API query responses include two headers to provide usage status:
- honeydb-qpm-consumed - The number of queries you have submitted for the month.
- honeydb-qpm-remaining - The number of queries you have remaining for the month.
The HoneyDB API now requires authentication. To call API endpoints you will need to generate API credentials (api_id and api_key).
To generate credentials you will need to log in here. Once logged in you can generate credentials here.
To query the API for threat information you will need to use the Threat Information API key with your HoneyDB API ID. The credentials must
be set as header values in all requests. The headers needed are X-HoneyDb-ApiId and X-HoneyDb-ApiKey.
An example using curl as the HTTP client is as follows:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/bad-hosts
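The request limit and the two credential headers described above, handled in a small client. This is an added example, not HoneyDB's own code; the environment variable names, the `reserve` threshold and the fake transport are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://honeydb.io/api"  # base URL as shown in the curl example


class QuotaExceeded(Exception):
    """The API answered 429: the monthly request limit is used up."""


def credentials_from_env(env=os.environ):
    """Keep credentials out of source code (variable names are hypothetical)."""
    return env["HONEYDB_API_ID"], env["HONEYDB_API_KEY"]


def urllib_fetch(url, headers):
    """Default transport. Returns (status, response_headers, body_text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; surface them as ordinary results.
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


def parse_quota(resp_headers):
    """Read the two usage headers; HTTP header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in resp_headers.items()}

    def as_int(name):
        try:
            return int(lowered[name])
        except (KeyError, TypeError, ValueError):
            return None  # header missing or not numeric

    return {"consumed": as_int("honeydb-qpm-consumed"),
            "remaining": as_int("honeydb-qpm-remaining")}


def honeydb_get(path, api_id, api_key, fetch=urllib_fetch):
    """GET one endpoint. Returns (decoded_json, quota_dict)."""
    headers = {"X-HoneyDb-ApiId": api_id, "X-HoneyDb-ApiKey": api_key}
    status, resp_headers, body = fetch(API_BASE + path, headers)
    quota = parse_quota(resp_headers)
    if status == 429:
        raise QuotaExceeded(f"monthly limit reached (consumed={quota['consumed']})")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status} for {path}")
    return json.loads(body), quota


def should_pause(quota, reserve=50):
    """True when a scheduled job should stop polling to keep a reserve."""
    remaining = quota["remaining"]
    return remaining is not None and remaining <= reserve


def fake_fetch_factory(status, remaining):
    """Constructed stand-in for the network so the example runs offline."""
    def fake_fetch(url, headers):
        assert "X-HoneyDb-ApiId" in headers and "X-HoneyDb-ApiKey" in headers
        resp_headers = {"HoneyDB-QPM-Consumed": str(1500 - remaining),
                        "honeydb-qpm-remaining": str(remaining)}
        body = '[{"remote_host":"203.0.113.7","count":"3","last_seen":"2015-09-07"}]'
        return status, resp_headers, body if status == 200 else ""
    return fake_fetch


if __name__ == "__main__":
    data, quota = honeydb_get("/bad-hosts", "id", "key", fake_fetch_factory(200, 40))
    print(data, quota, "pause polling:", should_pause(quota))
```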
Bad Hosts
A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general,
there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat. If
you see connectivity from any of these hosts on your network it may be malicious and may require some investigation.
Only the last 24 hours of bad host data is made available.
URL:
https://honeydb.io/api/bad-hosts
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/bad-hosts
The response is provided in JSON format and consists of the following fields:
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]
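One way to act on the investigation advice above: match source addresses in local connection logs against a bad-hosts response. This is an added example, not part of the HoneyDB documentation; the feed rows and log lines are constructed, and the `SRC=`/`DPT=` log layout is an assumption.

```python
import ipaddress
import json
import re

# Constructed feed in the /bad-hosts response format (documentation-range IPs).
SAMPLE_FEED = """[
 {"remote_host":"203.0.113.7","count":"203","last_seen":"2015-09-07"},
 {"remote_host":"198.51.100.23","count":"12","last_seen":"2015-09-07"},
 {"remote_host":"not-an-ip","count":"1","last_seen":"2015-09-07"}
]"""

# Constructed firewall-style log lines; the SRC=/DPT= layout is an assumption.
SAMPLE_LOG = """\
Sep  7 10:01:02 gw kernel: ACCEPT SRC=203.0.113.7 DST=10.0.0.5 DPT=22
Sep  7 10:01:09 gw kernel: ACCEPT SRC=192.0.2.44 DST=10.0.0.5 DPT=443
Sep  7 10:02:30 gw kernel: DROP SRC=203.0.113.7 DST=10.0.0.9 DPT=5900
Sep  7 10:03:11 gw kernel: ACCEPT SRC=198.51.100.23 DST=10.0.0.5 DPT=23
"""

SRC_RE = re.compile(r"\bSRC=(\S+).*?\bDPT=(\d+)")


def load_bad_hosts(feed_json):
    """Map ip -> {'count': int, 'last_seen': str}; skip malformed rows."""
    hosts = {}
    for row in json.loads(feed_json):
        try:
            ip = ipaddress.ip_address(row["remote_host"])
            count = int(row["count"])  # counts arrive as strings
        except (KeyError, TypeError, ValueError):
            continue
        hosts[ip] = {"count": count, "last_seen": row.get("last_seen")}
    return hosts


def match_log(log_text, bad_hosts):
    """Return one record per bad host seen locally, highest honeypot count first."""
    hits = {}
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # unparsable source field
        feed = bad_hosts.get(ip)
        if feed is None:
            continue
        hit = hits.setdefault(ip, {"ip": str(ip), "local_events": 0, "ports": set(),
                                   "honeypot_count": feed["count"],
                                   "last_seen": feed["last_seen"]})
        hit["local_events"] += 1
        hit["ports"].add(int(m.group(2)))
    ranked = sorted(hits.values(), key=lambda h: h["honeypot_count"], reverse=True)
    for hit in ranked:
        hit["ports"] = sorted(hit["ports"])
    return ranked


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_bad_hosts(SAMPLE_FEED)):
        print(hit)
```

Because the feed only covers the last 24 hours, matching older logs requires feed snapshots saved on the day in question.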
Bad Hosts (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data generated by the sensors you operate.
Only the last 24 hours of bad host data is made available.
URL:
https://honeydb.io/api/bad-hosts/mydata
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/bad-hosts/mydata
The response is provided in JSON format and consists of the following fields:
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]
Bad Hosts By Service
Retrieve bad hosts by service name.
Only the last 24 hours of bad host data is made available.
URL:
https://honeydb.io/api/bad-hosts/<service>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/bad-hosts/VNC
The response is provided in JSON format and consists of the following fields:
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
Example Response:
[{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}]
Bad Hosts By Service (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data, by service name, generated by the sensors you operate.
Only the last 24 hours of bad host data is made available.
URL:
https://honeydb.io/api/bad-hosts/<service>/mydata
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/bad-hosts/VNC/mydata
The response is provided in JSON format and consists of the following fields:
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
Example Response:
[{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}]
IP History
IP (bad host) history is a summary of all interaction activity recorded by the HoneyDB network for a given IP address. HoneyDB has IP data going back to 2014.
URL:
https://honeydb.io/api/ip-history/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ip-history/218.92.0.208
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service the IP interacted with.
- event_count - The number of events related to interaction activity.
Example Response:
[{"date": "2019-04-11", "service": "SSH", "event_count": "3377"},
{"date": "2019-04-15", "service": "SSH", "event_count": "71"},
{"date": "2019-04-16", "service": "SSH", "event_count": "1787"},
...
{"date": "2020-12-31", "service": "SSH", "event_count": "1745"}]
Sensor Data Count (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to retrieve a count of sensor event data collected for a given date.
Only the last 30 days of sensor data is made available.
URL:
https://honeydb.io/api/sensor-data/count/mydata
Parameters:
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
"https://honeydb.io/api/sensor-data/count/mydata?sensor-data-date=<date>"
The response is provided in JSON format and consists of the following field:
- sensor_data_count - The number of events.
Example Response:
[{"sensor_data_count":"81120"}]
Sensor Data
This endpoint enables you to download all sensor event data collected for a given date.
Each call to the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.
Only the last 30 days of sensor data is made available.
URL:
https://honeydb.io/api/sensor-data
Parameters:
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
- from-id (optional) - The id used as a starting point to retrieve the next 1000 results.
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
"https://honeydb.io/api/sensor-data?sensor-data-date=<date>&from-id=<from-id>"
The response is provided in JSON format and consists of the following fields:
- data - An array of events.
  - date - The event date.
  - time - The event time.
  - millisecond - The event millisecond.
  - session - The session id for events.
  - protocol - The protocol used to connect (TCP or UDP).
  - event - The type of event (CONNECT, RX, TX, INFO).
  - service - The service emulated on the sensor.
  - remote_host - The host that caused the event.
  - data - The payload of the event.
  - bytes - The size of the event data in bytes.
  - data_hash - The MD5 hash of the event data.
- from_id - The ID of the last event in the results.
If you have more than 1000 results for the given date, use the from_id value to query for the next 1000.
Repeat this process until from_id is 0 (the data array will also be empty); this means you've retrieved
all data for the given date.
Example Response:
[
{
"data": [
{
"date": "2017-12-29",
"time": "03:12:28",
"millisecond": "980",
"session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
"protocol": "TCP",
"event": "RX",
"service": "Telnet",
"remote_host": "183.147.39.45",
"data": "6364202f746d70207c7c206364202f76617...22f727",
"bytes": "802",
"data_hash": "211e17b9d6a2565522d107a1e4217a85"
}
]
},
{
"from_id": "68430237"
}
]
Sensor Data (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to download all of your sensor event data collected for a given date.
Each call to the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.
Only the last 30 days of sensor data is made available.
URL:
https://honeydb.io/api/sensor-data/mydata
Parameters:
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
- from-id (optional) - The id used as a starting point to retrieve the next 1000 results.
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
"https://honeydb.io/api/sensor-data/mydata?sensor-data-date=<date>&from-id=<from-id>"
The response is provided in JSON format and consists of the following fields:
- data - An array of events.
  - date - The event date.
  - time - The event time.
  - millisecond - The event millisecond.
  - session - The session id for events.
  - protocol - The protocol used to connect (TCP or UDP).
  - event - The type of event (CONNECT, RX, TX, INFO).
  - service - The service emulated on the sensor.
  - remote_host - The host that caused the event.
  - data - The payload of the event.
  - bytes - The size of the event data in bytes.
  - data_hash - The MD5 hash of the event data.
- from_id - The ID of the last event in the results.
If you have more than 1000 results for the given date, use the from_id value to query for the next 1000.
Repeat this process until from_id is 0 (the data array will also be empty); this means you've retrieved
all data for the given date.
Example Response:
[
{
"data": [
{
"date": "2017-12-29",
"time": "03:12:28",
"millisecond": "980",
"session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
"protocol": "TCP",
"event": "RX",
"service": "Telnet",
"remote_host": "183.147.39.45",
"data": "6364202f746d70207c7c206364202f76617...22f727",
"bytes": "802",
"data_hash": "211e17b9d6a2565522d107a1e4217a85"
}
]
},
{
"from_id": "68430237"
}
]
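The from-id paging loop described for both Sensor Data endpoints, written out with the stop condition and two safety guards. This is an added example, not HoneyDB's own code; `get_page` is a hypothetical caller-supplied function, the pages are constructed, and treating the `data` payload as hex-encoded is an assumption based on the example value shown above.

```python
import binascii

MAX_PAGES = 50  # each page is one request against the monthly request limit


def split_page(page):
    """Pull (events, from_id) out of the two-object response list."""
    events, from_id = [], 0
    for part in page:
        if "data" in part:
            events = part["data"] or []
        if "from_id" in part:
            from_id = int(part["from_id"])  # arrives as a string
    return events, from_id


def iter_sensor_events(get_page, max_pages=MAX_PAGES):
    """Yield every event for one date.

    get_page(from_id) performs the HTTP request and returns the decoded
    JSON; from_id is None on the first call (the parameter is optional).
    """
    from_id, seen = None, set()
    for _ in range(max_pages):
        events, next_id = split_page(get_page(from_id))
        yield from events
        if next_id == 0 or not events:
            return  # from_id 0 and an empty data array mark the end
        if next_id in seen:
            raise RuntimeError(f"from_id {next_id} repeated; stopping")
        seen.add(next_id)
        from_id = next_id
    raise RuntimeError("page budget exhausted before from_id reached 0")


def decode_payload(event):
    """Assumption: 'data' is hex-encoded. Returns bytes, or None if it is not."""
    try:
        return binascii.unhexlify(event["data"])
    except (KeyError, TypeError, ValueError):
        return None


def _event(host, hex_data):
    # Constructed event with the fields listed above (trimmed for brevity).
    return {"date": "2017-12-29", "event": "RX", "service": "Telnet",
            "remote_host": host, "data": hex_data}


# Constructed pages keyed by the from-id that requests them.
PAGES = {
    None: [{"data": [_event("203.0.113.7", "6364202f746d70"),
                     _event("203.0.113.7", "6c730a")]}, {"from_id": "1002"}],
    1002: [{"data": [_event("198.51.100.23", "zz-not-hex")]}, {"from_id": "1003"}],
    1003: [{"data": []}, {"from_id": "0"}],
}
CALLS = []


def fake_get_page(from_id):
    """Offline stand-in for the HTTP call; records which from-id was asked for."""
    CALLS.append(from_id)
    return PAGES[from_id]


if __name__ == "__main__":
    for ev in iter_sensor_events(fake_get_page):
        print(ev["remote_host"], decode_payload(ev))
    print("requests made:", len(CALLS))
```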
Services
Services are the network protocols emulated by honeypot sensors.
Only the last 24 hours of services data is made available.
URL:
https://honeydb.io/api/services
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/services
The response is provided in JSON format and consists of the following fields:
- service - The name of the service.
- count - The number of events associated with the service name.
Example Response:
[
{
"service": "VNC",
"count": "1702004"
},
{
"service": "SSH",
"count": "177504"
},
{
"service": "SIP",
"count": "147935"
},
{
"service": "Telnet",
"count": "57142"
}
]
Stats
The stats collected from HoneyDB data. Starting from April 2018, this endpoint offers data used to publish the monthly HoneyDB report (example).
URL:
https://honeydb.io/api/stats
Parameters:
- year (required) - The year published. Format: YYYY
- month (required) - The month published. Format: MM
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
"https://honeydb.io/api/stats?year=2020&month=06"
The response is provided in JSON format and consists of the following fields:
- period - The month and year the stats were published.
- total_events - Total number of events for the month.
- total_remote_hosts - Total number of remote hosts for the month.
- top_services - Array of the top 10 services for the month by number of events.
Example Response:
{
"period": "June 2020",
"total_events": "170881194",
"total_remote_hosts": "110048",
"top_services": {
"VNC": "136103108",
"SSH": "10157612",
"TFTP": "9531258",
"SIP": "6850356",
"DNS.udp": "2858125",
"Telnet": "2282469",
"RDP": "1031500",
"HTTP": "847191",
"Echo": "396332",
"SMTP": "370009"
}
}
Stats ASN
The list of Autonomous Systems (AS) and the count of corresponding IP addresses that have interacted with HoneyDB honeypots. The count is based on the last 7 days of activity.
URL:
https://honeydb.io/api/stats/asn
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/stats/asn
The response is provided in JSON format and consists of the following fields:
- asn - The autonomous system number (ASN).
- entity - The entity name.
- count - The number of AS IPs.
Example Response:
[
{
"asn": 14061,
"entity": "DIGITALOCEAN-ASN",
"count": 2828
},
{
"asn": 4134,
"entity": "CHINANET-BACKBONE No.31,Jin-rong Street",
"count": 2001
},
{
"asn": 4837,
"entity": "CHINA169-BACKBONE CHINA UNICOM China169 Backbone",
"count": 1267
}
]
Nodes
Nodes are deployed honeydb-agent sensors. This endpoint returns all nodes that have been seen within the last 3 days.
URL:
https://honeydb.io/api/nodes
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/nodes
The response is provided in JSON format and consists of the following fields:
- node - An MD5 sum representing a node.
- country - The country based on IP address.
Example Response:
[
{
"node": "3386e49be694e179a429344f745703d6",
"country": "Canada"
},
{
"node": "83eca3581f1e214473d88c8a11251a4f",
"country": "Private IP"
},
{
"node": "d62eb87ddec830c500142c621b119feb",
"country": "United Kingdom"
}
]
Nodes (filtered)
Nodes are deployed honeydb-agent sensors. This endpoint returns your nodes that have been seen within the last 3 days.
URL:
https://honeydb.io/api/nodes/mydata
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/nodes/mydata
The response is provided in JSON format and consists of the following fields:
- node - An MD5 sum representing a node.
- country - The country based on IP address.
Example Response:
[
{
"node": "3386e49be694e179a429344f745703d6",
"country": "Canada"
},
{
"node": "83eca3581f1e214473d88c8a11251a4f",
"country": "Private IP"
},
{
"node": "d62eb87ddec830c500142c621b119feb",
"country": "United Kingdom"
}
]
Payload History
BETA - Payload history endpoints are in beta and may change without notice.
In addition, data provided by these endpoints will evolve as data clean up, data normalization, and expansion
of the data is ongoing.
Payload history endpoints provide insights into HoneyDB's historical honeypot interaction activity data as far back as 2014.
Summary of what the set of payload history endpoints provides:
- Get all payload data for a given year or year-month
- Get the list of all services from which payload history was extracted
- Get all payload data for a given service
- Get all payload data for a given payload data hash
- Get the list of all IP addresses (remote hosts) associated with payload data grouped by year
- Get the list of all remote hosts associated with a payload data hash by year
- Get all payload data hashes for a given remote host
- Get the list of all attributes parsed out of payload history data
- Get all hashes and attribute values for a given attribute
Payload data by year
This endpoint returns all payload data for a given year.
URL:
https://honeydb.io/api/payload-history/<year>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/2014
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
Example Response:
[
...
{
"date": "2014-05-30",
"service": "HTTP.ALT",
"attribute": "useragent",
"hash": "f8adebbcedfa5797922250e204f277f2",
"value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
},
{
"date": "2014-11-16",
"service": "HTTP.ALT",
"attribute": "method",
"hash": "7528035a93ee69cedb1dbddb2f0bfcc8",
"value": "GET"
},
{
"date": "2014-08-10",
"service": "TELNET",
"attribute": null,
"hash": "072b1847d9f4194b1f049e1d2947c578",
"value": "chmod\r"
},
{
"date": "2014-01-05",
"service": "HTTP.ALT",
"attribute": "version",
"hash": "68318e5604cfae075e15b8d83850d982",
"value": "HTTP/1.1"
},
...
]
Payload data by year and month
This endpoint returns all payload data for a given year and month.
URL:
https://honeydb.io/api/payload-history/<year>/<month>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/2014/05
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
Example Response:
[
...
{
"date": "2014-05-30",
"service": "HTTP.ALT",
"attribute": "useragent",
"hash": "f8adebbcedfa5797922250e204f277f2",
"value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
},
...
]
Services
This endpoint returns the list of services from which all payload data was extracted.
URL:
https://honeydb.io/api/payload-history/services
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/services
The response is provided in JSON format and is a list of all service names.
Example Response:
[
"CLICKHOUSEHTTP",
"DNS",
"DNS.UDP",
"HTTP",
"HTTP.ALT",
"ECHO",
"ECHO.UDP",
"ELASTICSEARCH",
"FTP",
"KUBLETAPI",
"SIP",
"MEMCACHED",
"MODBUS",
"REDIS",
"SMTP",
"TELNET",
"TFTP",
"VNC",
"WEBLOGIC"
]
Payload data by service
This endpoint returns all payload data for a given service.
URL:
https://honeydb.io/api/payload-history/<service>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/REDIS
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
Example Response:
[
...
{
"date": "2019-08-21",
"service": "REDIS",
"attribute": null,
"hash": "efd7c8e9aa906a97022dbed05369bf6a",
"value": "info\n"
},
...
]
Payload data by hash
This endpoint returns all payload data for a given hash.
URL:
https://honeydb.io/api/payload-history/<hash>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/084e0343a0486ff05530df6c705c8bb4
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
Example Response:
[
...
{
"date": "2017-06-08",
"service": "TELNET",
"attribute": null,
"hash": "084e0343a0486ff05530df6c705c8bb4",
"value": "guest"
},
...
]
Remote hosts by year
This endpoint returns all remote hosts from which payload data was extracted, grouped by year.
URL:
https://honeydb.io/api/payload-history/remote-hosts
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/remote-hosts
The response is provided in JSON format and consists of the following fields:
- <year> - The year, starting from 2014.
- <remote hosts> - Array of remote hosts.
Example Response:
{
"2014": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...],
"2015": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...]
...
}
Remote hosts by hash and year
This endpoint returns all remote hosts for a given hash and year.
URL:
https://honeydb.io/api/payload-history/<hash>/remote-hosts/<year>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/084e0343a0486ff05530df6c705c8bb4/remote-hosts/2019
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- remote_host - The remote host.
Example Response:
[
...
{
"date": "2017-06-08",
"remote_host": "1.6.176.157"
},
...
]
Payload data hashes by remote host
This endpoint returns all payload data hashes for a given remote host.
URL:
https://honeydb.io/api/payload-history/remote-hosts/<remote host>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/remote-hosts/80.241.222.98
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- hash - The payload data hash.
Example Response:
[
{
"date": "2016-01-15",
"hash": "59676a6e51135fc7a38c24682c617503"
},
{
"date": "2016-01-15",
"hash": "63a44ffb31b1f2f78dc4028c2ff36106"
},
{
"date": "2016-01-15",
"hash": "6666cd76f96956469e7be39d750cc7d9"
},
{
"date": "2016-01-15",
"hash": "7528035a93ee69cedb1dbddb2f0bfcc8"
},
{
"date": "2016-01-15",
"hash": "c4408d335012a56ff58937d78050efad"
}
]
Attributes
This endpoint returns the list of specific attributes extracted from all payload data.
URL:
https://honeydb.io/api/payload-history/attributes
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/attributes
The response is provided in JSON format and is a list of all attribute names.
Example Response:
[
"http-header",
"http-path",
"http-scheme",
"http-host",
"http-version",
"http-user-agent",
"http-method",
"http-query",
"domain",
"remote-frame-buffer",
"sip-header",
"sip-method",
"sip-header-user-agent",
...
]
Attribute Values
This endpoint returns all attribute values for a given attribute name.
URL:
https://honeydb.io/api/payload-history/attributes/<attribute name>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/payload-history/attributes/http-user-agent
The response is provided in JSON format and consists of the following fields:
- hash - The payload data hash.
- value - The attribute value.
Example Response:
[
...
{
"hash": "a5ecd7e3ca14fcb38a69343d1d47985a",
"value": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
},
{
"hash": "1cba7d39a7293c7e1de4e3333c3242f4",
"value": "Mozilla/3.0 (compatible; Indy Library)"
},
{
"hash": "55f9ce2b352fbe0f623b0a9513252de5",
"value": "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
},
{
"hash": "080ce9f58739390cf4d36e1e3b8eab1d",
"value": "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
},
...
]
Internet Scanner
Indicates if the IP provided is part of a known Internet scanning service. These services are typically not malicious
Internet Scanner
Returns true or false to indicate if the IP provided is part of a known Internet scanning service.
URL:
https://honeydb.io/api/internet-scanner/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/internet-scanner/65.49.20.67
The response is provided in JSON format.
Example Response:
{
"internet_scanner": true
}
Internet Scanner Info
Returns true or false to indicate if the IP provided is part of a known Internet scanning service as well as additional information about the scanning entity.
URL:
https://honeydb.io/api/internet-scanner/info/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/internet-scanner/info/65.49.20.67
The response is provided in JSON format.
Example Response:
{
"domain": "shadowserver.org",
"name": "The Shadow Server Foundation",
"url": "https://www.shadowserver.org/",
"published_ip_list": [],
"internet_scanner": true
}
IP Info
Provides additional context on a given IP. This data is collected from publicly available sources.
IP Info
Returns true or false to indicate if the IP provided is part of a known IP list. The current set of IP lists include: Bogon IP, Tor exit nodes, SANS IP, CIArmy, Emerging Threats Compromised IP, and Project Honeypot.
URL:
https://honeydb.io/api/ipinfo/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/65.49.20.67
The response is provided in JSON format.
Example Response:
{
"is_bogon": false,
"is_tor": false,
"is_threat": true,
"threat_lists": {
"is_sansip": false,
"is_ciarmy": true,
"is_et_compromised": false,
"is_project_honeypot": false
}
}
IP Info Bogon
Returns true or false to indicate if the IP provided is a bogon IP address.
URL:
https://honeydb.io/api/ipinfo/bogon/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/bogon/192.168.1.1
The response is provided in JSON format.
Example Response:
{
"is_bogon": true
}
IP Info Tor
Returns true or false to indicate if the IP provided is a Tor exit node.
URL:
https://honeydb.io/api/ipinfo/tor/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/tor/65.49.20.67
The response is provided in JSON format.
Example Response:
{
"is_tor": false
}
IP Info SANS IP
Returns true or false to indicate if the IP provided is on the SANS IP list, all data from the SANS IP list, and data from the SANS Intel list.
URL:
https://honeydb.io/api/ipinfo/sansip/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/sansip/218.92.0.198
The response is provided in JSON format.
Example Response:
{
"is_sansip": true,
"attacks": 982,
"count": 290664,
"firstseen": "2020-12-31",
"lastseen": "2021-02-01",
"sansintel": {
"is_sansintel": true,
"intel": "blocklistde22"
}
}
IP Info CI Army
Returns true or false to indicate if the IP provided is on the CINS Army List.
URL:
https://honeydb.io/api/ipinfo/ciarmy/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/ciarmy/1.189.88.70
The response is provided in JSON format.
Example Response:
{
"is_ciarmy": true
}
IP Info Emerging Threats Compromised
Returns true or false to indicate if the IP provided is on the Emerging Threats Compromised IP list.
URL:
https://honeydb.io/api/ipinfo/et-compromised/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/et-compromised/1.189.88.70
The response is provided in JSON format.
Example Response:
{
"is_et_compromised": false
}
IP Info Project Honeypot
Returns true or false to indicate if the IP provided is on the Project Honeypot list and additional threat data.
URL:
https://honeydb.io/api/ipinfo/project-honeypot/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/ipinfo/project-honeypot/134.119.219.71
The response is provided in JSON format.
Example Response:
{
"is_project_honeypot": true,
"answer": "127.1.67.5",
"days": "1",
"threat": "67 (Under 1,000,000)",
"type": "Suspicious & Comment Spammer"
}
Net Info
Convenient helper endpoint for IP enrichment data. Use this endpoint to get additional data related to an IP address.
This functionality is provided using https://github.com/9b/netinfo.
Calls to NetInfo endpoints do not count against monthly limits.
Lookup
Returns AS, network information and geolocation for an IP address.
URL:
https://honeydb.io/api/netinfo/lookup/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/netinfo/lookup/8.8.8.8
The response is provided in JSON format.
Example Response:
{
"as_name": "GOOGLE - Google LLC, US",
"as_num": 15169,
"city": null,
"country_iso": "US",
"country_name": "United States",
"ip": "8.8.8.8",
"ip_hex": "0x8080808",
"ip_version": 4,
"latitude": 37.751,
"longitude": -97.822,
"network": "8.8.8.0/24",
"network_broadcast": "8.8.8.255",
"network_hostmask": "0.0.0.255",
"network_netmask": "255.255.255.0",
"network_size": 256,
"postal_code": null,
"region_iso": null,
"region_name": null
}
Network Addresses
Returns all IP addresses that are part of a network range.
URL:
https://honeydb.io/api/netinfo/network-addresses/<cidr>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/netinfo/network-addresses/8.8.8.8/24
The response is provided in JSON format.
Example Response:
{
"cidr": "8.8.8.8/24",
"network_addresses": [
"8.8.8.0",
"8.8.8.1",
"8.8.8.2",
...
"8.8.8.253",
"8.8.8.254",
"8.8.8.255"
],
"network_size": 256
}
Prefixes
Returns all prefixes advertised for a specific AS network.
URL:
https://honeydb.io/api/netinfo/prefixes/<asn>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/netinfo/prefixes/15169
The response is provided in JSON format.
Example Response:
{
"as_num": 15169,
"count": 493,
"prefixes": [
"104.134.92.0/24",
"34.104.0.0/14",
"104.154.224.0/19",
...
"64.233.162.0/24",
"64.233.182.0/24",
"209.85.233.0/24"
]
}
AS Name
Returns the name of the AS network.
URL:
https://honeydb.io/api/netinfo/as-name/<asn>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/netinfo/as-name/15169
The response is provided in JSON format.
Example Response:
{
"as_name": "GOOGLE - Google LLC, US",
"as_num": "15169"
}
Geo Location
Returns geolocation information for an IP address.
URL:
https://honeydb.io/api/netinfo/geolocation/<ip address>
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/netinfo/geolocation/8.8.8.8
The response is provided in JSON format.
Example Response:
{
"city": null,
"country_iso": "US",
"country_name": "United States",
"latitude": 37.751,
"longitude": -97.822,
"postal_code": null,
"region_iso": null,
"region_name": null
}
Datacenter
AWS
Returns AWS IP ranges.
URL:
https://honeydb.io/api/datacenter/aws
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/aws
Azure
Returns Azure IP ranges.
URL:
https://honeydb.io/api/datacenter/azure
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/azure
Azure China
Returns Azure China IP ranges.
URL:
https://honeydb.io/api/datacenter/azure/china
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/azure/china
Azure Germany
Returns Azure Germany IP ranges.
URL:
https://honeydb.io/api/datacenter/azure/germany
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/azure/germany
Azure Gov
Returns Azure Gov IP ranges.
URL:
https://honeydb.io/api/datacenter/azure/gov
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/azure/gov
Google Cloud
Returns Google Cloud IP ranges.
URL:
https://honeydb.io/api/datacenter/gcp
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/gcp
IBM Cloud
Returns IBM Cloud IP ranges.
URL:
https://honeydb.io/api/datacenter/ibm
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/ibm
Oracle Cloud
Returns Oracle Cloud IP ranges.
URL:
https://honeydb.io/api/datacenter/oracle
Example Request:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
--header "X-HoneyDb-ApiKey: <enter your api_key here>" \
https://honeydb.io/api/datacenter/oracle