HoneyMire Hub

Blocklists

Public blocklists are generated from attacks shared by users with public feeds enabled. They are observation feeds, not verdicts; each level states the matched signals used.

| Level | Window | Matched signals | Formats |
|---|---|---|---|
| all_attackers_24h: Every attacker IP observed by public HoneyMire feeds. | 24 hours | attack observed | txt · json · csv |
| authenticated_only_24h: Sessions where the honeypot reported that the attacker was let in. | 24 hours | authenticated=true | txt · json · csv |
| wget_exec_only_7d: A transparent command-summary match for loader-style behavior. | 7 days | command_summary contains wget plus chmod, shell, or ./ execution | txt · json · csv |
| high_confidence_botnet_30d: High-confidence classifications from reported profile metadata. | 30 days | botnet-family profile such as Mirai-family and profile_confidence >= 80 | txt · json · csv |

Usage

Omit the level query parameter to use all_attackers_24h. Text output is one IP per line, preceded by metadata comment lines. CSV output includes a header row. JSON output includes generated_at, level metadata, attacker IPs, counts, time bounds, profiles, and matched signals.

curl -fsSL 'https://your-hub.example/api/v1/blocklist.txt?level=authenticated_only_24h'
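
One way to vet the text format before it reaches a firewall, as an added example that is not HoneyMire's own code. It assumes comment lines start with "#" (the page does not name the marker), and the nftables table and set names are hypothetical. Because the feeds are observations rather than verdicts, it keeps only single IP addresses and drops anything inside ranges you must never block.

```python
import ipaddress

# Assumption: metadata comment lines start with "#"; the page says only that
# text output has "leading metadata comments" and does not name the marker.
COMMENT_PREFIX = "#"
# Ranges that must never reach a drop rule, whatever the feed contains.
NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
               "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")


def parse_blocklist(text, extra_allow=(), max_entries=50000):
    """Split a blocklist.txt body into (accepted IPs, rejected lines)."""
    allow = [ipaddress.ip_network(n) for n in NEVER_BLOCK + tuple(extra_allow)]
    accepted, rejected = {}, []  # dict keeps feed order and de-duplicates
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIX):
            continue
        try:
            ip = ipaddress.ip_address(line)  # rejects CIDR, hostnames, junk
        except ValueError:
            rejected.append((line, "not a single IP address"))
            continue
        if any(ip in net for net in allow):
            rejected.append((line, "allowlisted"))
        else:
            accepted[ip] = None
    if len(accepted) > max_entries:
        raise ValueError("feed exceeds max_entries; refusing to apply it")
    return list(accepted), rejected


def render_nft(accepted, table="inet filter", set4="hm_block4", set6="hm_block6"):
    """Build an `nft -f` script. Table and set names are hypothetical."""
    out = []
    for name, version in ((set4, 4), (set6, 6)):
        members = sorted(ip for ip in accepted if ip.version == version)
        out.append(f"flush set {table} {name}")
        if members:  # skip the add when this address family has no entries
            joined = ", ".join(map(str, members))
            out.append(f"add element {table} {name} {{ {joined} }}")
    return "\n".join(out) + "\n"


# Constructed sample body: documentation-range addresses, not real feed data.
SAMPLE = ("# level=authenticated_only_24h\n203.0.113.7\n198.51.100.23\n"
          "192.168.1.10\n203.0.113.7\n203.0.113.0/24\nnot-an-ip\n2001:db8::5\n")
```

Pass your own egress, VPN and monitoring ranges as extra_allow, and log the rejected list rather than discarding it, since unexpected entries are a sign the feed or the fetch path has changed.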
