# HoneyLabs MCP server

Query 90 days of honeypot probe data: IP reputation, scanners, CVE probing, TLS/SSH fingerprints.

## Links
- Registry page: https://www.getdrio.com/mcp/net-honeylabs-mcp
- Repository: https://github.com/honeylabshq/honeylabs-mcp
- Website: https://honeylabs.net

## Install
- Endpoint: https://mcp.honeylabs.net/mcp
- Auth: required (per registry metadata)

## Setup notes
- Remote header: Authorization (required; secret)
- The upstream registry signals required auth or secrets.

## Tools
- search_events_tool - Return individual raw honeypot events with all fields. Use when the user wants to see
actual records: 'show me events from this IP', 'what hit port 443 last week', 'events from
Russia yesterday'. Filters: source_ip, country (2-letter code), asn (e.g. 'AS12345'),
dest_port, protocol ('tls' or ''), http_method, request_header (substring of the masked
HTTP request headers), ja4/ja3 (exact TLS client fingerprint), community_id (exact Corelight
flow hash), has_client_cert (true = only events where the client presented an mTLS cert),
ip_version (4 or 6 = only IPv4 or IPv6 sources).
since/until are ISO-8601 UTC strings. Each record includes: source_ip, country, asn,
dest_port, user_agent, url_path, http_request_headers, tls_client_ja4, tls_client_ja3,
http_request_ja4h, ssh_client_hassh, community_id, tls_client_cert_subject/issuer,
event_sequence, event_duration, source_bytes/dest_bytes/network_bytes, network_protocol,
timestamp.
- top_attackers_tool - Ranked leaderboard of attack sources. Use for: 'who is attacking the most?', 'top
attacking countries', 'most targeted ports', 'most common user agents', 'top ASNs by
attack volume', 'top IPs from China', 'top attackers hitting port 22'.
'by' controls grouping: ip, asn, country, port, user_agent, ja4, url_path.
Optional filters: country (2-letter ISO, e.g. 'CN'), dest_port, asn (e.g. 'AS12345').
Adding a filter is required for large time ranges to stay within memory limits.
since/until are ISO-8601 UTC strings.
- ioc_lookup_tool - Look up any IP address or domain in the honeypot dataset. Use this FIRST whenever the
user asks: 'is this IP malicious?', 'is this a known scanner?', 'have you seen this IP?',
'what does this IP do?', 'when was it last seen?', 'is this IP in your data?'. Returns:
total_events (0 = never observed), first_seen, last_seen, country, ASN, all ports targeted,
top user agents, top URL paths, TLS/HTTP/SSH fingerprints. Covers both IPv4 and domains.
- payload_search_tool - Full-text search across HTTP URL paths and user agents in attack traffic. Use for:
'find attacks targeting /wp-admin', 'show exploit attempts for CVE-2024-XXXX', 'find
requests with this user agent string', 'what payloads hit port 80 last week'. Pro/Team
plan only. since/until are ISO-8601 UTC strings.
- attack_timeline_tool - Attack volume over time, bucketed by hour or day. Use for: 'show attack trends this
week', 'was there a spike on port 22?', 'how has SSH scanning changed?', 'attack volume
from China over 30 days'. bucket: 'hour' or 'day'. Optional filters: filter_protocol
('tls'/''), filter_country (2-letter code), filter_dest_port. since/until ISO-8601 UTC.
- asn_enrich_tool - Full honeypot profile for an ASN (autonomous system / hosting provider). Use for:
'tell me about AS202425', 'what is Vultr doing in my honeypots?', 'attacks from this
hosting provider', 'attribute this IP to its network'. asn format: 'AS12345'.
Returns: total events, unique IPs, top targeted ports, top source countries, top user
agents, org name. since/until are ISO-8601 UTC strings.
- fingerprint_search_tool - Search honeypot activity by TLS, HTTP, or SSH fingerprint. Use when a user asks:
'have you seen this JA4 fingerprint?', 'which IPs share this TLS fingerprint?', 'how
common is this HASSH?', 'find all scanners with this SSH client fingerprint'. fp_type:
'ja4' (TLS client), 'ja3' (legacy TLS client, MD5 — still keyed by many TI feeds),
'ja4h' (HTTP client), 'hassh' (SSH client). since/until are ISO-8601 UTC strings.
- fingerprint_population_tool - The population behind a single client fingerprint: how many source IPs carry it,
across how many networks (ASNs) and countries, the ports they hit, the top networks
and a sample of the IPs, plus a read on whether it is concentrated (a likely
coordinated operation, many IPs on few networks) or spread thin (a common client).
Use when a user asks: 'is this JA4 one botnet or a common tool?', 'how many networks
use this HASSH?', 'how specific / concentrated is this fingerprint?'. fp_type: 'ja4'
(TLS), 'ja4h' (HTTP), 'hassh' (SSH). Covers the full retained window (no date range).

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: net.honeylabs
- Version: 1.0.0
- Runtime: Streamable HTTP
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 20, 2026
- Source: https://registry.modelcontextprotocol.io
