HoneyDB is excited to release a new payload-history endpoint to HoneyDB’s Threat Information API. This new API endpoint provides access to historical payload data going back to 2014. The data behind this endpoint has been distilled down to key attributes from honeypot interactions. Examples of this data include commands issued in Telnet sessions or Redis sessions. Also, in HTTP-based services, you’ll find request header attributes like method, path, version, user-agent, etc. This offering enables researchers to query and extract information from the billions of honeypot interactions collected by HoneyDB over the years without having to mine raw payload data.
Note: consider the endpoint and its data "beta", as both are still a work in progress. Work continues on improving API efficiency and ensuring data quality.
Payload history data can be queried using the https://honeydb.io/api/payload-history endpoint with path parameters, which breaks the data down by year, month, service, and payload hash. For each of these data sets, the data is reduced to a unique value per day. For example, for a user agent string payload of “xyz”, the API only returns one record of this payload for each day it was observed on the HoneyDB honeypot network. This effectively provides a daily timeline of a payload’s history.
Each record returned consists of the following fields:
- date — The date (day) the interaction was recorded.
- service — The service that recorded the interaction.
- attribute — The specific attribute the payload value is sourced from (for example, an HTTP request header name). Not all records have an attribute; for those records the value is null.
- hash — The MD5 hash of the payload value.
- value — The payload value.
Payloads By Year
To query payload history by year, simply specify the year at the end of the path. The earliest year available is 2014. Later years will produce large responses due to the volume of data.
```bash
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://honeydb.io/api/payload-history/2014
```
Payloads By Month
Rather than consuming an entire year of data, you can query the data by month. Specify the year and month at the end of the path.
```bash
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://honeydb.io/api/payload-history/2014/05
```
Payloads By Service
If you are interested in specific services, you can query the data by service name. Specify the service name at the end of the path.
```bash
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://honeydb.io/api/payload-history/REDIS
```
Below is the current list of supported service names. This list will be updated over time.
DNS, DNS.UDP, ECHO, ECHO.UDP, ELASTICSEARCH, FTP, HTTP.ALT, HTTP, MEMCACHED, MODBUS, REDIS, SIP, SMTP, TELNET, TFTP, VNC, WEBLOGIC
Payloads By Payload Hash
Finally, each payload value has an associated MD5 hash sum. Specify the MD5 hash sum at the end of the path to return all instances of a given payload value.
```bash
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
     --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
     https://honeydb.io/api/payload-history/084e0343a0486ff05530df6c705c8bb4
```
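As an added example (not HoneyDB's own client code), the small Python helper below builds the four documented path forms, performs the authenticated GET with the same two headers the curl commands use, and turns the per-day records into a per-payload timeline while cross-checking the `hash` field against the MD5 of `value`. The `SAMPLE` records are constructed to match the field layout described above, not real API output; the `SERVICES` set is the list from this post and will lag behind the API.

```python
import hashlib
import json
import urllib.request
from collections import defaultdict

BASE = "https://honeydb.io/api/payload-history"
# Service names listed in the post; the API may add more over time.
SERVICES = {"DNS", "DNS.UDP", "ECHO", "ECHO.UDP", "ELASTICSEARCH", "FTP", "HTTP.ALT", "HTTP",
            "MEMCACHED", "MODBUS", "REDIS", "SIP", "SMTP", "TELNET", "TFTP", "VNC", "WEBLOGIC"}

def history_url(year=None, month=None, service=None, md5=None):
    """Build one of the documented path forms: /YYYY, /YYYY/MM, /SERVICE or /<md5>."""
    if md5:
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5.lower()):
            raise ValueError("payload hash must be a 32-character hex MD5")
        return f"{BASE}/{md5.lower()}"
    if service:
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        return f"{BASE}/{service}"
    if year is None or year < 2014:
        raise ValueError("earliest available year is 2014")
    return f"{BASE}/{year}/{month:02d}" if month else f"{BASE}/{year}"

def fetch(url, api_id, api_key):
    """Authenticated GET, as in the curl examples (network call; not exercised offline)."""
    req = urllib.request.Request(url, headers={"X-HoneyDb-ApiId": api_id, "X-HoneyDb-ApiKey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def timeline(records):
    """Group records by hash into sorted unique days/services and flag hash/value mismatches."""
    out = defaultdict(lambda: {"value": None, "services": set(), "days": set(), "hash_ok": True})
    for r in records:
        entry = out[r["hash"]]
        entry["value"] = r["value"]
        entry["services"].add(r["service"])
        entry["days"].add(r["date"])
        # Beta data: verify the stored hash really is the MD5 of the payload value.
        if hashlib.md5(r["value"].encode()).hexdigest() != r["hash"]:
            entry["hash_ok"] = False
    return {h: {**e, "days": sorted(e["days"]), "services": sorted(e["services"])} for h, e in out.items()}

# Constructed sample records in the documented field layout (not real HoneyDB data).
SAMPLE = [
    {"date": "2014-05-02", "service": "TELNET", "attribute": None, "hash": "5f4dcc3b5aa765d61d8327deb882cf99", "value": "password"},
    {"date": "2014-05-03", "service": "FTP", "attribute": None, "hash": "5f4dcc3b5aa765d61d8327deb882cf99", "value": "password"},
    {"date": "2014-05-03", "service": "HTTP", "attribute": "user-agent", "hash": "0" * 32, "value": "curl/7.0"},  # deliberately wrong hash
]
```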
Give It A Try!
To get started using this endpoint:
- Sign in here to create an account on HoneyDB.io.
- Generate a secret key for the HoneyDB Threat Information API.
- Use the curl command examples above to query the API.
You can find the full Threat Information API documentation here. There is also Postman hosted documentation which contains more code example options here. If you have questions or want to report any issues, please use this HoneyDB contact form.
Originally published at https://deception.substack.com on November 28, 2022.