API documentation

All feeds are plain static files. No auth, no rate limits, no tokens — just HTTP GET. Please cache responses; feeds refresh once per hour.

Quick start

# Download every malicious IP ever observed
curl https://www.check-the-sum.fr/feeds/ip/all_ip.txt

# Get a pre-computed summary of all feeds
curl https://www.check-the-sum.fr/feeds/stats.json

Summary — stats.json

Pre-computed counters, trends and top-N distributions. Refreshed every hour. Lightweight — load this instead of the raw feeds when you just need an overview.

GET /feeds/stats.json
{
  "generated_at": "2026-04-23T15:00:02+00:00",
  "totals": { "ips": 156614, "ips_today": 2394, "domains": 22, "hashes": 71, "commands": 455 },
  "ip_distribution":  [{ "key": "45.x.x.x", "count": 8421 }, ...],
  "domain_tlds":      [{ "key": "ru", "count": 12 }, ...],
  "daily_ips_last_30d": [{ "date": "2026-03-25", "count": 549 }, ...]
}

IP blocklist

GET /feeds/ip/all_ip.txt

Every IP ever observed attacking the honeypot, one per line, sorted numerically.

GET /feeds/ip/YYYY-MM-DD.txt · legacy: /feeds/ip/DD_MM_YYYY.txt

Daily files — both ISO-8601 (2026-04-23.txt) and the legacy format (23_04_2026.txt) are published for backwards compatibility.

# Block every seen attacker with iptables
curl -s https://www.check-the-sum.fr/feeds/ip/all_ip.txt \
  | grep -Ev '^(#|$)' \
  | xargs -I{} iptables -A INPUT -s {} -j DROP

Domains & URLs

GET /feeds/domains/all_domains.txt

URLs extracted from attacker shell commands — malware drop points, C2 endpoints.

# Python — drop into Pi-hole / AdGuard
import requests

resp = requests.get(
  'https://www.check-the-sum.fr/feeds/domains/all_domains.txt',
  timeout=30,  # never let a feed fetch hang a cron job
)
resp.raise_for_status()
# skip blank lines and '#' header/comment lines
urls = [u for u in resp.text.splitlines() if u and not u.startswith('#')]

SHA256 hashes

GET /feeds/hashs/sha256.txt

Hashes of payloads that attackers successfully dropped on the honeypot filesystem.

import hashlib, requests

resp = requests.get(
  "https://www.check-the-sum.fr/feeds/hashs/sha256.txt", timeout=30
)
resp.raise_for_status()
# lower-case the feed so it matches hexdigest() output; skip blanks and '#' lines
malicious = {h.strip().lower() for h in resp.text.splitlines()
             if h.strip() and not h.startswith("#")}
with open("suspect.bin", "rb") as f:
    h = hashlib.sha256(f.read()).hexdigest()
print("BAD" if h in malicious else "clean")

Attacker commands

GET /feeds/commands/commands.txt

Every unique shell command observed, sorted by how often we saw it (most-run first). Whitespace is normalised and two header lines begin with #. Useful for YARA/Sigma rule authoring and TTP analysis.

GET /feeds/commands/commands.tsv

Same ranking with observation counts — one row per command, count<TAB>command. First row is a header.

# Top 20 most-run attacker commands
curl -s https://www.check-the-sum.fr/feeds/commands/commands.tsv \
  | tail -n +2 | sort -k1,1 -rn | head -20

Suricata rules

GET /feeds/suricata/suricata_YYYY-MM-DD.rules · legacy: suricata_DD_MM_YYYY.rules

One alert rule per IP observed that day. SIDs start at 1 000 000 + daily offset to avoid collisions with Emerging Threats rules.

Sanitised Cowrie logs

GET /feeds/cowrie/YYYY-MM-DD.json

Full Cowrie JSON event logs with our honeypot's own IP masked. Newline-delimited JSON — parse with jq or stream it into your SIEM.

curl -s https://www.check-the-sum.fr/feeds/cowrie/current.json \
  | jq 'select(.eventid == "cowrie.command.input") | .input'

Integrations

Firewall

iptables, nftables, pfSense aliases, UFW.

DNS

Pi-hole, AdGuard Home, Unbound RPZ.

IDS/IPS

Suricata rules published daily.

SIEM

Splunk lookups, Elastic ECS, Sentinel watchlists.

Best practices

  • Refresh once per hour — feeds rotate on the hour.
  • Use If-Modified-Since / ETag; GitHub Pages sets them correctly.
  • Validate each indicator before acting — regexes are provided above.
  • Cache locally; don't hot-link the raw feed on a public site.
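Indicator validation for two of the feeds above, as an added example that is not part of the check-the-sum project: it rejects malformed lines and internal ranges before an address is handed to a firewall (the iptables one-liner and the "validate each indicator" bullet), and parses the count<TAB>command rows of commands.tsv. The feed text is constructed sample data in the documented formats, so the block runs offline.

```python
import ipaddress
# Constructed sample of /feeds/ip/all_ip.txt: header comment, a blank line,
# a malformed entry and an RFC 1918 address that must never reach a firewall.
SAMPLE_IP_FEED = """# IP blocklist (constructed sample)
203.0.113.7
198.51.100.250

10.0.0.5
999.1.1.1
2001:db8::dead:beef
"""
# Constructed sample of /feeds/commands/commands.tsv: header, then count<TAB>command.
SAMPLE_COMMANDS_TSV = ("count\tcommand\n42\tuname -a\n"
                       "17\tcat /proc/cpuinfo | grep name | wc -l\n"
                       "n/a\tls\n")  # malformed count, must be skipped

# Never remote attackers: blocking these would cut off your own LAN,
# loopback or link-local traffic if the feed were ever corrupted.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_ip_feed(text):
    """Return (accepted, rejected). accepted: normalised addresses that parse
    and fall outside NEVER_BLOCK; rejected: raw lines to log, not drop."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)  # not an IP at all
            continue
        if any(addr in net for net in NEVER_BLOCK):
            rejected.append(line)  # internal range, never block
            continue
        accepted.append(str(addr))
    return accepted, rejected

def parse_commands_tsv(text):
    """Return [(count, command)] rows; skip the header and rows not <digits><TAB><cmd>."""
    rows = []
    for line in text.splitlines()[1:]:
        count, sep, command = line.partition("\t")
        if sep and count.isdigit() and command:
            rows.append((int(count), command))
    return rows
```

Feed the accepted list, not the raw file, into the iptables or nftables step, and log the rejected list so a broken feed is noticed rather than silently half-applied.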

Contact & false positives

Drop us a note at contact@check-the-sum.fr — we de-list legitimate scanners and researchers on request.