I've been running a small fleet of honeypots for about a year. They get hit by a mix of research scanners (Censys, Shadowserver, etc.), old worms, and a bump of CVE probes the day a new Nuclei template ships. The data was sitting in a database and useful only to me, so I put a front end on it.

https://honeylabs.net

Paste a public IPv4 and you get its 90-day report: ASN, country, what ports it hit, which CVE signatures matched, recent payloads, JA4 and HASSH fingerprints, and scanner classification (research / commercial / hosting provider / ISP / Tor exit). No signup is required for the basic lookup.

What I've been adding lately is an MCP (Model Context Protocol) server so Claude, Cursor, or any MCP-compatible agent can query the data directly. Setup is as easy as getting a token and one command:

    claude mcp add honeylabs \
      --transport http \
      https://mcp.honeylabs.net/mcp \
      --header "Authorization: Bearer <hlk_…>"

Once configured, the agent can answer complex security questions without any custom glue code, such as:

- "Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
- "Which top 5 ASNs generate the most probes?"
- "What scan organisations are probing on port 9200 right now?"

The implementation details can be found at https://honeylabs.net/mcp. Or just use the web-interface or curl.

For context on how the classifier stays current without manual curation:

- rDNS and ASN-org pattern matching.
- ISP, CDN, and Enterprise classifications derived from PeeringDB's CC0 ASN data.
- Tor exit lists refreshed hourly from torproject.org.
- KEV (Known Exploited Vulnerabilities) flags refreshed daily from CISA.

Looking forward to your feedback!
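A sketch of how the classification sources listed above can be combined into one label per source IP, as an added example that is not honeylabs' own code. The rule order, the regex patterns, the forward-confirmation step for rDNS, the mapping from PeeringDB network types to labels, and all sample data (documentation addresses and private-use ASNs) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data; a real deployment would load these from live feeds.
TOR_EXITS = {"198.51.100.7"}  # stands in for the hourly Tor exit list
PEERINGDB_TYPE = {64500: "Cable/DSL/ISP", 64501: "Content", 64502: "Enterprise"}
# Assumed mapping from PeeringDB network type to the labels named in the post.
PDB_TO_CLASS = {"Cable/DSL/ISP": "isp", "Content": "cdn", "Enterprise": "enterprise"}
# Hypothetical patterns; real ones would name actual scanner PTR suffixes.
RDNS_RULES = [(re.compile(r"\.scanner\.example\.org$"), "research"),
              (re.compile(r"\.probe\.example\.com$"), "commercial")]
ASN_ORG_RULES = [(re.compile(r"\b(hosting|cloud|vps)\b", re.I), "hosting")]


def classify(ip, rdns=None, forward=(), asn=None, asn_org=""):
    """Return (label, reason) for one source IP.

    rdns is the PTR name for ip; forward is the set of addresses that
    name resolves back to (resolved by the caller).
    """
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
    if ip in TOR_EXITS:
        return "tor-exit", "tor exit list"
    # A PTR record is set by whoever controls the reverse zone, so a scanner
    # name is only trusted when the forward lookup points back at the same IP.
    if rdns and ip in forward:
        name = rdns.rstrip(".").lower()
        for pattern, label in RDNS_RULES:
            if pattern.search(name):
                return label, "rdns:" + name
    for pattern, label in ASN_ORG_RULES:
        if pattern.search(asn_org):
            return label, "asn-org:" + asn_org
    label = PDB_TO_CLASS.get(PEERINGDB_TYPE.get(asn))
    if label:
        return label, "peeringdb:AS%d" % asn
    return "unknown", "no rule matched"
```

Returning the reason alongside the label lets an analyst see which source produced a classification and spot stale or overly broad patterns.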