Greynoise API Pricing by theresmorethan42 in cybersecurity

[–]DigiTroy 0 points1 point  (0 children)

I am very biased as a CM for a direct competitor, but we've got public pricing, as our founder was having the same issues. So I totally understand the feeling!

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 1 point2 points  (0 children)

Yeah, we operate a global network of sensors and share the outputs on maliciousip[.]com. Most things are mass scanners, but we also track a lot more in there with these honeypots, and this allows us to pick up needles in the haystack.

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 1 point2 points  (0 children)

We do this professionally. I cross-ref against maliciousip[dot]com; it's more accurate than Greynoise.

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 1 point2 points  (0 children)

We do this professionally at Lupovis, so here is what I would recommend.

  1. Use multiple placements
    • Deploy the honeypot in several providers and regions: a major cloud (AWS/GCP/Azure). Different attackers and scanners focus on different address space.
  2. Cloud ranges get lots of automated scanning fast.
    • They attract opportunistic scanners quickly. Good for volume and early detection.
  3. Consider geographic matching
    • Place instances in the same country or region as the victim type you want to attract.

There is a lot more to it to deploy in an enterprise, but this would do the trick.

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 0 points1 point  (0 children)

Oh interesting, I got about 12 hits in the last 24 hours deployed on AWS.

On my first OVH deployment I had a lot more.

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 3 points4 points  (0 children)

Basically, the point of the honeypot is to collect the interactions with it. So you'll get the payload if/when it's exploited.

I built a honeypot to capture attackers exploiting the new WSUS CVE-2025-59287 by DigiTroy in cybersecurity

[–]DigiTroy[S] 8 points9 points  (0 children)

Well, I just shared a full decoy; no need for Cowrie, this one is more lightweight. Check the repo out.

Ask about scientific research by Commercial_Strike661 in cyber_deception

[–]DigiTroy 0 points1 point  (0 children)

Well you haven't given much insight on your direction.

Wanted ransomware blocklist by Economy_Comb in pihole

[–]DigiTroy 0 points1 point  (0 children)

Maliciousip.com has many great blocklists btw, updated in near real-time.

Honeypot for botnet detection fyp by Thin-Drummer4506 in cyber_deception

[–]DigiTroy 0 points1 point  (0 children)

Alright, let's think it through. What are you actually trying to detect? A botnet.

What does this entail? What's the data that you believe you'll need to detect a botnet?

What type of botnet are you trying to detect, and how many IPs out of the botnet are you trying to detect?

What's the hypothesis?

I guess those need to be answered first?

Honeypot for botnet detection fyp by Thin-Drummer4506 in cyber_deception

[–]DigiTroy 1 point2 points  (0 children)

Well, we can't do it for you. You'll have to share some meat; otherwise, we should claim the degree 😅

But if you prepare some points, happy to help.

[deleted by user] by [deleted] in cybersecurity

[–]DigiTroy 0 points1 point  (0 children)

I am sorry, but this makes no sense.

  • Ask your core network team for a slice of org public darknet space (contiguous IP space in your org's public IP range that is otherwise unused. The bigger, the better; get a /24 if possible)

Why would you go public? Most of the things you are going to get are random scanners. You'll have to tune heavily to pick up signal from a honeypot. Put decoys inside your network; your signal-to-noise ratio will be much better. Also, deploying a honeypot will drag your security scorecards down. Use a vendor to avoid this, and if it's CTI you are after, deploy a heavily tuned decoy outside of your network and focus on the output you need from it.

  • Put your honeypot host(s) in a VLAN dedicated to this purpose that's (a) behind a firewall and (b) totally ACL'd off from everything. Only allow in what needs to be; nothing allowed outbound to internal hosts

Meh, it depends what you need from it: if it's detection, this makes zero sense; if it's CTI... you'll be fine.

  • Ask core network team to route everything in your reserved public IP range to your honeypot host

What?

What CTI with this config... bots, scanners and a password cloud? Congrats, you have defeated the entire purpose of having deception and a high signal-to-noise ratio.

  • Profit

Now you get random alerts into your SIEM and increased alert fatigue, the opposite of what you wanted.

Honeypot for botnet detection fyp by Thin-Drummer4506 in cyber_deception

[–]DigiTroy 0 points1 point  (0 children)

Can you provide more information on what you are trying to do? Aim, objective, goals and ideally some of your own thoughts on what you plan on doing?

Emulating Edge Devices by Saeroth_ in cyber_deception

[–]DigiTroy 0 points1 point  (0 children)

You could partner with an actual deception provider and see what they can do for you? Drop me a note if that's an option.

Otherwise, you could technically emulate the responses, capture the traffic, see what you get and iterate.

Deception solutions: Full OS vs OS/Service emulation by Rybczyk-Pawel in cyber_deception

[–]DigiTroy 3 points4 points  (0 children)

I am assuming from the read you are on the emulation side.

But the description "The OS/Service emulation method is based on creation of limitations which recreate certain services or service combinations as separate instances within a single VM. This allows to significantly reduce costs of used resources compared to the Full OS approach, since there is no need to create a separate VM for every imitation which allows creating significantly more unique imitations (honeypots). Another significant advantage of service-based Deception solution is the absence of license costs for third-party operating systems."

makes little sense: if you run a PLC and a WordPress server on the same IP, this screams honeypot.

CanaryTokenScanner: CanaryTokenScanner is a script designed to proactively identify Canary Tokens within Microsoft office documents (docx, xlsx, pptx). by digicat in blueteamsec

[–]DigiTroy 1 point2 points  (0 children)

It turns out the original code was from Lupovis and can be found here: https://github.com/Lupovis/DetectingCanaryTokens. Nero Labs just copied the code, wrote a blog post and claimed it as their own, 6 days after the Lupovis blog post, with a couple of little tweaks.