Threat Information API

The HoneyDB Threat Information API is open for anyone to consume and/or contribute. The API endpoints documented on this page are:
  • Bad Hosts - https://riskdiscovery.com/honeydb/api/bad-hosts
  • Bad Hosts (filtered) - https://riskdiscovery.com/honeydb/api/bad-hosts/mydata
  • Sensor Data Count (filtered) - https://riskdiscovery.com/honeydb/api/sensor-data/count/mydata
  • Sensor Data (filtered) - https://riskdiscovery.com/honeydb/api/sensor-data/mydata
  • ThreatBin - https://riskdiscovery.com/honeydb/api/threatbin
  • Twitter Threat Feed - https://riskdiscovery.com/honeydb/api/twitter-threat-feed

Terms and Conditions

HoneyDB is a community driven honeypot data aggregation site. HoneyDB collects and publishes honeypot data via its web site and API. Registered HoneyDB site users can access the API without restriction for non-commercial uses.

Cases that involve commercialization require a commercial, non-free license. Cases of commercialization include but are not limited to:
  • Managed/Software-as-a-Service services.
  • Distributing HoneyDB data as a commercial product or as part of one.
  • Using or distributing HoneyDB data as a value added service/product.
To inquire about commercial licensing click here.

HoneyDB makes no guarantees as to the availability of its services (web site and APIs). In addition, all information is provided "as is" and HoneyDB disclaims all warranties. All access to the server is logged.

Request Limits

In an effort to provide a stable service, an API request limit is enforced to manage server load. For all non-commercial users the request limit is 1500 requests per month. Once your account has exceeded the request limit the API responds with status code 429 (Too Many Requests) until the quota resets; retrying does not help.

API Authentication

The HoneyDB API now requires authentication. To call API endpoints you will need to generate API credentials (api_id and api_key). To generate credentials you will need to login here. Once logged in you can generate credentials here. Treat the api_key as a secret: it is sent on every request and identifies your account and quota.

To query the API for threat information you will need to use the Threat Information API key with your HoneyDB API ID. The credentials must be set as header values in all requests. The headers needed are X-HoneyDb-ApiId and X-HoneyDb-ApiKey.

An example using curl as the HTTP client is as follows:
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/bad-hosts


Bad Hosts

A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat. If you see connectivity from any of these hosts on your network it may be malicious and may require some investigation.

Only the last 24 hours of bad host data is made available.

URL:

https://riskdiscovery.com/honeydb/api/bad-hosts

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/bad-hosts

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date on which the bad host was last seen connecting.

Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]
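The authentication section above and the bad-hosts description ("if you see connectivity from any of these hosts on your network it may be malicious") together suggest the most common use of this endpoint: pull the list with the two credential headers, then match it against your own logs. The following is an added example written for this page, not HoneyDB's own client code. It assumes nothing beyond the documented headers, URL and response fields; the `http_get` injection point, the sample bad-hosts response and the firewall log lines are constructed here so the block runs offline, and a 429 is mapped to an exception rather than retried, because the limit is monthly.

```python
import ipaddress
import json
import re
import urllib.error
import urllib.request

API_BASE = "https://riskdiscovery.com/honeydb/api"


class RequestLimitExceeded(Exception):
    """HoneyDB answered 429: the monthly quota is spent and retrying will not help."""


def build_headers(api_id, api_key):
    # The two credential headers every HoneyDB API call must carry.
    return {"X-HoneyDb-ApiId": api_id, "X-HoneyDb-ApiKey": api_key}


def _urllib_get(url, headers):
    """Default transport: returns (status, body_text), including error bodies."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def honeydb_get(path, api_id, api_key, http_get=None):
    """GET a HoneyDB endpoint and return the parsed JSON body.

    http_get(url, headers) -> (status, body_text) is injectable (an assumption of
    this example) so the function can be exercised without network access.
    """
    url = f"{API_BASE}/{path.lstrip('/')}"
    status, body = (http_get or _urllib_get)(url, build_headers(api_id, api_key))
    if status == 429:
        raise RequestLimitExceeded("HoneyDB request limit exceeded (HTTP 429)")
    if status != 200:
        raise RuntimeError(f"HoneyDB returned HTTP {status} for {url}")
    return json.loads(body)


def load_bad_hosts(records):
    """Index a bad-hosts response by IP, validating each address and casting count."""
    bad = {}
    for rec in records:
        try:
            ip = str(ipaddress.ip_address(rec["remote_host"]))
        except (KeyError, ValueError):
            continue  # skip malformed entries rather than poisoning the blocklist
        bad[ip] = {"count": int(rec["count"]), "last_seen": rec["last_seen"]}
    return bad


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_log_lines(bad_hosts, lines):
    """Return (line_number, ip, last_seen) for every log line mentioning a bad host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in bad_hosts:
                hits.append((n, ip, bad_hosts[ip]["last_seen"]))
    return hits


# Constructed sample: a bad-hosts response in the documented shape (one entry
# deliberately malformed) and a few iptables-style log lines. Illustrative only.
SAMPLE_BAD_HOSTS = json.dumps([
    {"remote_host": "121.183.78.86", "count": "203", "last_seen": "2015-09-07"},
    {"remote_host": "not-an-ip", "count": "1", "last_seen": "2015-09-07"},
    {"remote_host": "60.3.51.115", "count": "17", "last_seen": "2015-09-07"},
])

SAMPLE_LOG = [
    "Sep 07 10:01:02 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=443",
    "Sep 07 10:01:05 fw kernel: DROP IN=eth0 SRC=121.183.78.86 DST=10.0.0.1 DPT=23",
    "Sep 07 10:02:11 fw kernel: ACCEPT IN=eth0 SRC=60.3.51.115 DST=10.0.0.1 DPT=22",
]


def fake_http_get(url, headers):
    """Offline stand-in for the network: serves the sample, or 429 for any other path."""
    assert headers["X-HoneyDb-ApiId"] and headers["X-HoneyDb-ApiKey"]
    if url.endswith("/bad-hosts"):
        return 200, SAMPLE_BAD_HOSTS
    return 429, '{"error": "Too Many Requests"}'


def scan_sample():
    records = honeydb_get("bad-hosts", "example-id", "example-key", http_get=fake_http_get)
    return match_log_lines(load_bad_hosts(records), SAMPLE_LOG)


if __name__ == "__main__":
    for n, ip, seen in scan_sample():
        print(f"line {n}: {ip} is a HoneyDB bad host (last seen {seen})")
```

To run against the live API, call `honeydb_get("bad-hosts", api_id, api_key)` without `http_get`; cache the result locally and refresh at most a few times a day, since every call counts against the 1500-request monthly limit.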


Bad Hosts (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data generated by the sensors you operate.

Only the last 24 hours of bad host data is made available.

URL:

https://riskdiscovery.com/honeydb/api/bad-hosts/mydata

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/bad-hosts/mydata

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date on which the bad host was last seen connecting.

Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]


Sensor Data Count (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to retrieve a count of sensor event data collected for a given date.

Only the last 90 days of sensor data is made available.

URL:

https://riskdiscovery.com/honeydb/api/sensor-data/count/mydata

Parameters:
  • sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     "https://riskdiscovery.com/honeydb/api/sensor-data/count/mydata?sensor-data-date=<date>"

The response is provided in JSON format and consists of the following field:
  • sensor_data_count - The number of events.

Example Response:
[{"sensor_data_count":"81120"}]


Sensor Data (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to download all sensor event data collected for a given date. Each call to the endpoint returns a maximum of 1000 records. To retrieve the next set of 1000 records, pass the from_id value from the previous result set as the from-id parameter.

Only the last 90 days of sensor data is made available.

URL:

https://riskdiscovery.com/honeydb/api/sensor-data/mydata

Parameters:
  • sensor-data-date (required) - The date for which to retrieve events. Format: YYYY-MM-DD
  • from-id (optional) - The id used as a starting point to retrieve the next 1000 results. Omit it on the first request.

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     "https://riskdiscovery.com/honeydb/api/sensor-data/mydata?sensor-data-date=<date>&from-id=<from-id>"

The response is provided in JSON format and consists of the following fields:
  • data - An array of events.
    • date - The event date.
    • time - The event time.
    • millisecond - The event millisecond.
    • session - The session id for events.
    • protocol - The protocol used to connect (TCP or UDP).
    • event - The type of event (CONNECT, RX, TX, INFO).
    • service - The service emulated on the sensor.
    • remote_host - The host that caused the event.
    • data - The payload of the event, hex-encoded (see the example below).
    • bytes - The size of the decoded event data in bytes.
    • data_hash - The MD5 hash of the decoded event data.
  • from_id - The ID of the last event in the results. If you have more than 1000 results for the given date, use the from_id value to query for the next 1000. Repeat this process until from_id is 0 (the data array will also be empty), this means you’ve retrieved all data for the given date.

Example Response:
[
    {
        "data": [
            {
                "date": "2017-12-29",
                "time": "03:12:28",
                "millisecond": "980",
                "session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
                "protocol": "TCP",
                "event": "RX",
                "service": "Telnet",
                "remote_host": "183.147.39.45",
                "data": "6364202f746d70207c7c206364202f76617...22f727",
                "bytes": "802",
                "data_hash": "211e17b9d6a2565522d107a1e4217a85"
            }
        ]
    },
    {
        "from_id": "68430237"
    }
]
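The pagination rule above (follow from_id until it is 0 and the data array is empty) and the data/bytes/data_hash fields are the parts of this endpoint that are easy to get wrong: a `&` in an unquoted curl URL backgrounds the command, a server that repeats a from_id would loop forever, and the payload is attacker-supplied, so its length and MD5 should be checked before anything parses it. The following is an added example for this page, not HoneyDB code. It assumes only the documented URL, parameters and response shape; the `fetch_page(date, from_id)` callable is an injection point of this example, and the three sample pages (with short payloads and page size 2 instead of 1000) are constructed so it runs offline.

```python
import hashlib
import json
from datetime import datetime
from urllib.parse import urlencode

SENSOR_DATA_URL = "https://riskdiscovery.com/honeydb/api/sensor-data/mydata"


def build_sensor_url(date, from_id=None):
    """Build the query URL; the from-id parameter is omitted on the first page."""
    datetime.strptime(date, "%Y-%m-%d")  # reject anything but YYYY-MM-DD early
    params = {"sensor-data-date": date}
    if from_id:
        params["from-id"] = str(from_id)
    return f"{SENSOR_DATA_URL}?{urlencode(params)}"


def parse_sensor_page(payload):
    """Split one response, [{"data": [...]}, {"from_id": "N"}], into (events, from_id)."""
    events, from_id = [], 0
    for part in payload:
        if "data" in part:
            events = part["data"]
        if "from_id" in part:
            from_id = int(part["from_id"])
    return events, from_id


def fetch_all_events(fetch_page, date):
    """Walk every page for a date, following from_id until the documented end condition."""
    all_events, from_id, seen = [], None, set()
    while True:
        events, next_id = parse_sensor_page(fetch_page(date, from_id))
        all_events.extend(events)
        if next_id == 0 or not events:  # end of data: from_id 0 and empty data array
            break
        if next_id in seen:             # defensive: never spin on a repeated cursor
            raise RuntimeError(f"pagination loop: from_id {next_id} repeated")
        seen.add(next_id)
        from_id = next_id
    return all_events


def verify_event(ev):
    """Check bytes and data_hash against the hex payload; all three are untrusted input."""
    try:
        raw = bytes.fromhex(ev["data"])
    except (KeyError, ValueError):
        return False
    return len(raw) == int(ev["bytes"]) and hashlib.md5(raw).hexdigest() == ev["data_hash"]


def _event(session, payload):
    """Constructed event in the documented shape, with bytes/data_hash derived from payload."""
    return {
        "date": "2017-12-29", "time": "03:12:28", "millisecond": "980",
        "session": session, "protocol": "TCP", "event": "RX", "service": "Telnet",
        "remote_host": "183.147.39.45", "data": payload.hex(),
        "bytes": str(len(payload)), "data_hash": hashlib.md5(payload).hexdigest(),
    }


# Constructed sample pages keyed by the from_id they are requested with.
_PAGES = {
    None: [{"data": [_event("s1", b"cd /tmp || cd /var/run\r\n"),
                     _event("s2", b"enable\r\n")]}, {"from_id": "68430237"}],
    68430237: [{"data": [_event("s3", b"sh\r\n")]}, {"from_id": "68430240"}],
    68430240: [{"data": []}, {"from_id": "0"}],
}


def fake_fetch_page(date, from_id):
    """Offline stand-in for an HTTP GET of build_sensor_url(date, from_id)."""
    return json.loads(json.dumps(_PAGES[from_id]))  # round-trip through JSON like a real response


if __name__ == "__main__":
    for ev in fetch_all_events(fake_fetch_page, "2017-12-29"):
        print(ev["session"], verify_event(ev), bytes.fromhex(ev["data"]))
```

With a real transport, `fetch_page` would GET `build_sensor_url(date, from_id)` with the two credential headers and return the parsed JSON; keep the page count in mind, since a busy sensor day at 1000 records per call can consume a large share of the monthly request limit.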


ThreatBin

Download all entries in your ThreatBin.

URL:

https://riskdiscovery.com/honeydb/api/threatbin

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/threatbin

The response is provided in JSON format and consists of the following fields:
  • host - The IP address of the remote host.
  • notes - Notes associated with the remote host.
  • created - Date and time the record was created.
  • modified - Date and time the record was last modified.

Example Response:
[{"host": "27.254.152.193","notes": "Telnet busybox echo","created": "2015-09-10 14:56:17","modified": "2015-09-10 14:58:38"},
{"host": "95.6.64.20","notes": "Telnet weget bbk.sh","created": "2015-09-10 14:56:27","modified": "2015-09-10 14:56:51"},
...
{"host": "80.82.64.81","notes": "RDP NTCRACK_USER","created": "2015-09-10 19:18:08","modified": "2015-09-10 19:18:27"}]


Twitter Threat Feed

Twitter threat feed provides a list of bad hosts that have connected or attempted to connect to other honeypots on the Internet (even honeypots that do not directly send data to HoneyDB). The source of this bad host information is based on tweets by these other honeypots, example: https://riskdiscovery.com/honeydb/#twitter. You can download the last 24 hours of twitter threat feed data by making the API calls described below.

URL:

https://riskdiscovery.com/honeydb/api/twitter-threat-feed

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/twitter-threat-feed

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date on which the bad host was last reported.

Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]

URL:

https://riskdiscovery.com/honeydb/api/twitter-threat-feed/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://riskdiscovery.com/honeydb/api/twitter-threat-feed/104.148.55.162

The response is provided in JSON format and consists of the following fields:
  • tweet_id - The Twitter ID of the tweet.
  • created - The timestamp of when the tweet was created.
  • screen_name - The screen name of the Twitter account that created the tweet.
  • tweet_text - The text of the tweet.

Example Response:
[{"tweet_id":"759667279315529728","created":"2016-07-31 08:29:27","screen_name":"HoneyPoint","tweet_text":"Suspicious Activity Captured From: 104.148.55.162 on port 123 #HITME"},
{"tweet_id":"759538428618866688","created":"2016-07-30 23:57:27","screen_name":"atma_es","tweet_text":"NTP abused from 104.148.55.162 (AS46573 US, United States)"},
{"tweet_id":"759474528892383232","created":"2016-07-30 19:43:32","screen_name":"atma_es","tweet_text":"NTP abused from 104.148.55.162 (AS46573 Global Frag Networks - IPv4)"},
{"tweet_id":"759421709359325184","created":"2016-07-30 16:13:39","screen_name":"HoneyPyLog","tweet_text":"HyPy3: #NTP Possible NTP attack from 104.148.55.162 https:\/\/t.co\/OmaPePCxkS"},
{"tweet_id":"759323363252854784","created":"2016-07-30 09:42:52","screen_name":"atma_es","tweet_text":"NTP abused from 104.148.55.162 (AS46573 US, United States)"},
{"tweet_id":"759275103251226624","created":"2016-07-30 06:31:05","screen_name":"atma_es","tweet_text":"NTP abused from 104.148.55.162 (AS46573 Global Frag Networks - IPv4)"},
{"tweet_id":"759262961198333952","created":"2016-07-30 05:42:51","screen_name":"HoneyPyLog","tweet_text":"HyPy3: #NTP Possible NTP attack from 104.148.55.162 https:\/\/t.co\/OmaPePU8Js"},
{"tweet_id":"759241021968486400","created":"2016-07-30 04:15:40","screen_name":"HoneyPoint","tweet_text":"Suspicious Activity Captured From: 104.148.55.162 on port 123 #HITME"}]
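The per-IP endpoint above is what turns a bare feed entry into something an analyst can act on: the tweets show how many independent honeypot accounts reported the host, over what time span, and for which service. The following is an added example for this page, not HoneyDB code, that summarises a per-IP response that way. The output keys, the port regex and the "skipped" handling are this example's own design; the sample tweets are a subset of the page's example response plus one constructed entry for a different IP, so the block runs offline.

```python
import re
from datetime import datetime

PORT_RE = re.compile(r"\bport (\d{1,5})\b", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _mentions_ip(text, ip):
    # Whole-address match so 104.148.55.16 does not match 104.148.55.162.
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text) is not None


def summarize_tweet_reports(ip, tweets):
    """Summarise how many distinct sources reported ip, over what span, on which ports."""
    reporters, ports, times, skipped = set(), set(), [], 0
    for t in tweets:
        text = t.get("tweet_text", "")
        if not _mentions_ip(text, ip):
            skipped += 1  # entry returned for this IP but its text does not name it
            continue
        reporters.add(t["screen_name"])
        ports.update(int(p) for p in PORT_RE.findall(text))
        times.append(datetime.strptime(t["created"], TS_FMT))
    return {
        "ip": ip,
        "reports": len(times),
        "reporters": sorted(reporters),          # distinct accounts = independent corroboration
        "ports": sorted(ports),
        "first_seen": min(times).strftime(TS_FMT) if times else None,
        "last_seen": max(times).strftime(TS_FMT) if times else None,
        "skipped": skipped,
    }


# Sample input: four entries copied from the page's example response for
# 104.148.55.162, plus one constructed entry about a different host.
SAMPLE_TWEETS = [
    {"tweet_id": "759667279315529728", "created": "2016-07-31 08:29:27", "screen_name": "HoneyPoint",
     "tweet_text": "Suspicious Activity Captured From: 104.148.55.162 on port 123 #HITME"},
    {"tweet_id": "759538428618866688", "created": "2016-07-30 23:57:27", "screen_name": "atma_es",
     "tweet_text": "NTP abused from 104.148.55.162 (AS46573 US, United States)"},
    {"tweet_id": "759421709359325184", "created": "2016-07-30 16:13:39", "screen_name": "HoneyPyLog",
     "tweet_text": "HyPy3: #NTP Possible NTP attack from 104.148.55.162 https://t.co/OmaPePCxkS"},
    {"tweet_id": "759241021968486400", "created": "2016-07-30 04:15:40", "screen_name": "HoneyPoint",
     "tweet_text": "Suspicious Activity Captured From: 104.148.55.162 on port 123 #HITME"},
    {"tweet_id": "0", "created": "2016-07-30 12:00:00", "screen_name": "constructed_example",
     "tweet_text": "Suspicious Activity Captured From: 104.148.55.16 on port 23"},
]


if __name__ == "__main__":
    print(summarize_tweet_reports("104.148.55.162", SAMPLE_TWEETS))
```

A host reported by several distinct screen names across hours, as here, is a stronger indicator than a single tweet; the reporters list and the first_seen/last_seen span are the fields worth carrying into a ticket.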