HoneyLabs
https://mcp.honeylabs.net/mcp
skills:
- search_events_tool: Return individual raw honeypot events with all fields. Use when the user wants to see actual records: 'show me events from this IP', 'what hit port 443 last week', 'events from Russia yesterday'. Filters: source_ip, country (2-letter code), asn (e.g. 'AS12345'), dest_port, protocol ('tls' or ''), http_method, request_header (substring of the masked HTTP request headers, e.g. 'x-forwarded-for' or 'CensysInspect'). since/until are ISO-8601 UTC strings. Each record includes: source_ip, country, asn, dest_port, user_agent, url_path, http_request_headers, tls_client_ja4, http_request_ja4h, ssh_client_hassh, network_protocol, timestamp.
- top_attackers_tool: Ranked leaderboard of attack sources. Use for: 'who is attacking the most?', 'top attacking countries', 'most targeted ports', 'most common user agents', 'top ASNs by attack volume', 'top IPs from China', 'top attackers hitting port 22'. 'by' controls grouping: ip, asn, country, port, user_agent, ja4, url_path. Optional filters: country (2-letter ISO, e.g. 'CN'), dest_port, asn (e.g. 'AS12345'). Adding a filter is required for large time ranges to stay within memory limits. since/until are ISO-8601 UTC strings.
- ioc_lookup_tool: Look up any IP address or domain in the honeypot dataset. Use this FIRST whenever the user asks: 'is this IP malicious?', 'is this a known scanner?', 'have you seen this IP?', 'what does this IP do?', 'when was it last seen?', 'is this IP in your data?'. Returns: total_events (0 = never observed), first_seen, last_seen, country, ASN, all ports targeted, top user agents, top URL paths, TLS/HTTP/SSH fingerprints. Covers both IPv4 and domains.
- payload_search_tool: Full-text search across HTTP URL paths and user agents in attack traffic. Use for: 'find attacks targeting /wp-admin', 'show exploit attempts for CVE-2024-XXXX', 'find requests with this user agent string', 'what payloads hit port 80 last week'. Pro/Team plan only. since/until are ISO-8601 UTC strings.
- attack_timeline_tool: Attack volume over time, bucketed by hour or day. Use for: 'show attack trends this week', 'was there a spike on port 22?', 'how has SSH scanning changed?', 'attack volume from China over 30 days'. bucket: 'hour' or 'day'. Optional filters: filter_protocol ('tls'/'''), filter_country (2-letter code), filter_dest_port. since/until ISO-8601 UTC.
- asn_enrich_tool: Full honeypot profile for an ASN (autonomous system / hosting provider). Use for: 'tell me about AS202425', 'what is Vultr doing in my honeypots?', 'attacks from this hosting provider', 'attribute this IP to its network'. asn format: 'AS12345'. Returns: total events, unique IPs, top targeted ports, top source countries, top user agents, org name. since/until are ISO-8601 UTC strings.
- fingerprint_search_tool: Search honeypot activity by TLS, HTTP, or SSH fingerprint. Use when a user asks: 'have you seen this JA4 fingerprint?', 'which IPs share this TLS fingerprint?', 'how common is this HASSH?', 'find all scanners with this SSH client fingerprint'. fp_type: 'ja4' (TLS client, 3.7M events), 'ja4h' (HTTP client, 3.2M events), 'hassh' (SSH client, 26K events). since/until are ISO-8601 UTC strings.
- fingerprint_population_tool: The population behind a single client fingerprint: how many source IPs carry it, across how many networks (ASNs) and countries, the ports they hit, the top networks and a sample of the IPs, plus a read on whether it is concentrated (a likely coordinated operation, many IPs on few networks) or spread thin (a common client). Use when a user asks: 'is this JA4 one botnet or a common tool?', 'how many networks use this HASSH?', 'how specific / concentrated is this fingerprint?'. fp_type: 'ja4' (TLS), 'ja4h' (HTTP), 'hassh' (SSH). Covers the full retained window (no date range).
uptime_30d 1.0%; p95 386.6ms; conformance: pass
How to connect
https://mcp.honeylabs.net/mcp
curl -X POST https://mcp.honeylabs.net/mcp \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'