mcp-greynoise

MCP server for the GreyNoise API — check if IP addresses are internet background noise or potentially targeted attacks.

Quick Start

npx mcp-greynoise

That's it. Works out of the box with 10 lookups/day (no API key needed).

What is GreyNoise?

GreyNoise collects and analyzes internet-wide scan traffic. It tells you:

• Noise: Is this IP mass-scanning the internet? (botnets, researchers, crawlers)
• RIOT: Is this IP a known benign service? (Google, Cloudflare, Microsoft, etc.)
• Classification: Malicious, benign, or unknown

Why this matters for security

When you see suspicious traffic in your logs:

| GreyNoise Result | Interpretation | |------------------|----------------| | NOISE + Malicious | Background attack traffic (scanners, botnets) — likely untargeted | | NOISE + Benign | Security researchers, search crawlers — usually safe | | RIOT | Known good service (CDN, DNS, cloud) — almost certainly benign | | NOT NOISE | ⚠️ This IP is NOT mass-scanning — traffic may be targeted at you |

The "NOT NOISE" case is often the most important — it suggests someone is specifically interested in your systems.

Demo

Example output from check_ip:

IP: 51.91.185.74
Classification: MALICIOUS
Noise: YES - This IP has been observed scanning the internet
RIOT: NO - Not a known benign service IP
Last Seen: 2024-01-15
Details: https://viz.greynoise.io/ip/51.91.185.74

--- Interpretation ---
🚨 This IP is actively scanning the internet and classified as MALICIOUS. 
   Likely a scanner, botnet, or threat actor.

Installation

npm (recommended)

npm install -g mcp-greynoise

npx (no install)

npx mcp-greynoise

From source

git clone https://github.com/nickjlucker/mcp-greynoise.git
cd mcp-greynoise
npm install
npm run build
node build/index.js

Configuration

Claude Desktop

Add to your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "greynoise": {
      "command": "npx",
      "args": ["mcp-greynoise"],
      "env": {
        "GREYNOISE_API_KEY": "your-api-key-here"
      }
    }
  }
}

Environment Variables

| Variable | Required | Description | |----------|----------|-------------| | GREYNOISE_API_KEY | No | API key for higher rate limits (50/day vs 10/day) |

Get a free API key at viz.greynoise.io/signup.

⚠️ Never commit API keys. See .env.example for the recommended setup.

Tools

check_ip

Check a single IP address against GreyNoise.

Input:

• ip (string): IPv4 address to check

check_ips

Check multiple IP addresses in one call (max 10).

Input:

• ips (string[]): Array of IPv4 addresses

Example output:

=== Results ===
8.8.8.8: RIOT (benign service) [Google]
51.91.185.74: NOISE - MALICIOUS
192.168.1.1: NOT NOISE (potentially targeted)

--- Legend ---
RIOT: Known benign service (CDN, DNS, etc.)
NOISE: IP is mass-scanning the internet
NOT NOISE: IP is NOT mass-scanning (traffic may be targeted)

Resources

greynoise://status

Returns API status and rate limit information.

Rate Limits

| Tier | Daily Lookups | |------|---------------| | Unauthenticated | 10 | | Free account | 50 | | Paid plans | Higher |

Rate limits are shared between API calls and the GreyNoise Visualizer.

Security

This server:

• Only reads from the GreyNoise API (no scanning, no exploitation)
• Does not store any data beyond the curre

... View full README on GitHub