Show HN: HoneyLabs – Public honeypot threat Intel feed and MCP server(honeylabs.net)
honeylabs.net
Show HN: HoneyLabs – Public honeypot threat Intel feed and MCP server
https://honeylabs.net
3 comments
Interesting tool! The MCP server integration is a nice touch. Do you have plans to add IPv6 support for the lookups?
Absolutely. I started with IPv4 because it sees significantly more scan traffic, but expanding to IPv6 is on the roadmap. Once I update the underlying honeypots to capture IPv6 traffic, those lookups will automatically populate on the main site.
https://honeylabs.net
Paste a public IPv4 and you get its 90-day report: ASN, country, what ports it hit, which CVE signatures matched, recent payloads, JA4 and HASSH fingerprints, and scanner classification (research / commercial / hosting provider / ISP / Tor exit). No signup is required for the basic lookup.
What I've been adding lately is an MCP (Model Context Protocol) server so Claude, Cursor, or any MCP-compatible agent can query the data directly.
Setup is as easy as getting a token and one command:
Once configured, the agent can answer complex security questions without any custom glue code, such as:
"Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
"Which top 5 ASNs generate the most probes?"
"What scan organisations are probing on port 9200 right now?"
The implementation details can be found at https://honeylabs.net/mcp. Or just use the web-interface or curl.
For context on how the classifier stays current without manual curation:
- rDNS and ASN-org pattern matching. - ISP, CDN, and Enterprise classifications derived from PeeringDB's CC0 ASN data. - Tor exit lists refreshed hourly from torproject.org. - KEV (Known Exploited Vulnerabilities) flags refreshed daily from CISA.
Looking forward to your feedback!