API Documentation
Check-The-Sum provides free, public access to all threat intelligence feeds via simple HTTP GET requests. No authentication required.
Getting Started
All feeds are accessible via simple HTTP GET requests. No API key or authentication is required.
curl https://www.check-the-sum.fr/feeds/ip/all_ip.txt
Each feed returns a plain text file with one indicator per line.
IP Address Feeds
Malicious IP addresses detected by our honeypot network.
Returns all malicious IP addresses in our database.
Example Request:
# cURL
curl https://www.check-the-sum.fr/feeds/ip/all_ip.txt
# Python
import requests
response = requests.get('https://www.check-the-sum.fr/feeds/ip/all_ip.txt')
ips = response.text.strip().split('\n')
# PowerShell
$ips = (Invoke-WebRequest -Uri 'https://www.check-the-sum.fr/feeds/ip/all_ip.txt').Content -split "`n"
Example Response:
192.168.1.100 10.0.0.45 172.16.5.23 ...
Returns IP addresses collected on a specific date.
Example:
curl https://www.check-the-sum.fr/feeds/ip/24_08_2025.txt
Domain & URL Feeds
Malicious domains and URLs used for phishing, malware distribution, and C2 communication.
Returns all malicious domains and URLs.
Example Request:
# cURL
curl https://www.check-the-sum.fr/feeds/domains/all_domains.txt
# Python
import requests
response = requests.get('https://www.check-the-sum.fr/feeds/domains/all_domains.txt')
domains = response.text.strip().split('\n')
# JavaScript/Node.js
fetch('https://www.check-the-sum.fr/feeds/domains/all_domains.txt')
.then(res => res.text())
.then(data => {
const domains = data.trim().split('\n');
console.log(domains);
});
File Hash Feeds
MD5, SHA1, and SHA256 hashes of malware samples collected through our honeypot network.
Returns all malicious file hashes.
Example Request:
# cURL
curl https://www.check-the-sum.fr/feeds/hashs/sha256.txt
# Python - Check file reputation
import requests
import hashlib
def check_file_reputation(file_path):
# Calculate file hash
with open(file_path, 'rb') as f:
file_hash = hashlib.sha256(f.read()).hexdigest()
# Get malicious hashes
response = requests.get('https://www.check-the-sum.fr/feeds/hashs/sha256.txt')
malicious_hashes = response.text.strip().split('\n')
if file_hash in malicious_hashes:
print(f"⚠️ MALICIOUS: {file_path}")
return True
else:
print(f"✓ Clean: {file_path}")
return False
Malicious Command Feeds
Real commands and payloads executed by attackers on our honeypots.
Returns all malicious commands captured.
Example Request:
curl https://www.check-the-sum.fr/feeds/commands/all_commands.txt
Suricata Rules
IDS/IPS rules generated from our threat intelligence.
Browse available Suricata rule files.
Integration Examples
Firewall Integration (iptables)
#!/bin/bash
# Block malicious IPs with iptables
# Download IP list
curl -s https://www.check-the-sum.fr/feeds/ip/all_ip.txt -o /tmp/malicious_ips.txt
# Block each IP
while IFS= read -r ip; do
iptables -A INPUT -s "$ip" -j DROP
done < /tmp/malicious_ips.txt
echo "Blocked $(wc -l < /tmp/malicious_ips.txt) malicious IPs"
Pi-hole DNS Blocking
#!/bin/bash # Add malicious domains to Pi-hole blocklist curl -s https://www.check-the-sum.fr/feeds/domains/all_domains.txt \ -o /etc/pihole/custom.list pihole -g # Reload gravity
SIEM Integration (Splunk)
#!/usr/bin/env python3
import requests
import json
# Download threat intel
ips = requests.get('https://www.check-the-sum.fr/feeds/ip/all_ip.txt').text.split('\n')
domains = requests.get('https://www.check-the-sum.fr/feeds/domains/all_domains.txt').text.split('\n')
# Create Splunk lookup
threat_intel = []
for ip in ips:
if ip.strip():
threat_intel.append({'indicator': ip, 'type': 'ip', 'threat': 'malicious'})
for domain in domains:
if domain.strip():
threat_intel.append({'indicator': domain, 'type': 'domain', 'threat': 'malicious'})
# Save as CSV for Splunk lookup
with open('threat_intel.csv', 'w') as f:
f.write('indicator,type,threat\n')
for item in threat_intel:
f.write(f"{item['indicator']},{item['type']},{item['threat']}\n")
Python Security Scanner
import requests
from typing import Set, Dict
class ThreatIntelligence:
def __init__(self):
self.base_url = 'https://www.check-the-sum.fr/feeds'
self.cache: Dict[str, Set[str]] = {}
def load_feed(self, feed_type: str) -> Set[str]:
"""Load a threat feed and cache it"""
if feed_type in self.cache:
return self.cache[feed_type]
url = f"{self.base_url}/{feed_type}/all_{feed_type}.txt"
response = requests.get(url)
data = set(response.text.strip().split('\n'))
self.cache[feed_type] = data
return data
def is_malicious_ip(self, ip: str) -> bool:
"""Check if an IP is malicious"""
malicious_ips = self.load_feed('ip')
return ip in malicious_ips
def is_malicious_domain(self, domain: str) -> bool:
"""Check if a domain is malicious"""
malicious_domains = self.load_feed('domains')
return domain in malicious_domains
def is_malicious_hash(self, file_hash: str) -> bool:
"""Check if a file hash is malicious"""
malicious_hashes = self.load_feed('hashs')
return file_hash in malicious_hashes
# Usage
ti = ThreatIntelligence()
if ti.is_malicious_ip('192.168.1.100'):
print('⚠️ Malicious IP detected!')
Best Practices
1. Implement Caching
Feeds are updated hourly. Cache the data locally and refresh once per hour to minimize bandwidth.
2. Handle Errors Gracefully
Always implement error handling for network requests. Have a fallback strategy if feeds are temporarily unavailable.
3. Use Async/Background Processing
For large feeds, process updates in the background to avoid blocking your application.
4. Validate Data
Always validate IOCs before using them (e.g., validate IP formats, domain formats, hash lengths).
5. Rate Limiting
While there are no hard rate limits, please be respectful. One request per feed per hour is sufficient.
6. Attribution
If you use our feeds in your product or research, attribution to Check-The-Sum is appreciated but not required.
Support & Contact
For questions, issues, or feature requests, please contact us:
- Email: contact@check-the-sum.fr
- Report issues with feeds or false positives
- Request new feed types or formats