@greynoise/greynoise-mcp-server
v0.4.0
MCP Server for the GreyNoise Enterprise API
MCP Server For GreyNoise
REQUIRES AN ENTERPRISE API KEY
Installation
MCPB (MCP Bundle)
If you use Claude Desktop or another client that supports MCPB bundles, download greynoise-mcp-server.mcpb from the releases page and double-click to install.
For Production/NPX Usage
npx @greynoise/greynoise-mcp-server --help
Sample entry for Claude Desktop:
{
  "mcpServers": {
    "greynoise": {
      "command": "npx",
      "args": ["@greynoise/greynoise-mcp-server"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}
Or for local development:
{
  "mcpServers": {
    "greynoise": {
      "command": "node",
      "args": ["/absolute/path/to/greynoise-mcp-server/build/index.js"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}
For Development
Clone the repo and then npm install && npm run build.
Build System
This project uses tsup for modern bundling:
npm run build: Creates optimized bundle for distribution
npm run build:dev: Development build with source maps
npm run dev: Watch mode with auto-rebuild
The bundled output includes all core dependencies except Express (for HTTP transport) and dotenv (due to dynamic require limitations).
Transport Options
stdio (Default)
npx @greynoise/greynoise-mcp-server --transport stdio
http
HTTP transport requires Express to be available:
npm install express
node @greynoise/greynoise-mcp-server --transport http
Available Tools
IP Analysis
lookup-ip-context - Get detailed context for an IP address including Internet Scanner Intelligence (ISI) and Business Service Intelligence (BSI). Returns classification, tags, scanning activity, HTTP/TLS/SSH fingerprints, geographic info, and more.
quick-check-ip - Fast, lightweight check returning just classification and BSI status.
multi-ip-check - Check up to 10,000 IP addresses at once. Returns classification, BSI status, and trust level for each IP.
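As an added example (not part of the GreyNoise project's code), here is one way to prepare input for multi-ip-check: pull IPv4 addresses out of log lines, drop private and reserved ranges, de-duplicate, and split the result into calls of at most 10,000 addresses. The helper names and the sample log lines are constructed for illustration; the tool_name/parameters shape follows this README's usage examples.

```javascript
// Per-call limit taken from the README ("up to 10,000 IP addresses at once").
const MAX_IPS_PER_CALL = 10000;

// Parse a dotted-quad string into four octets, or null if it is not valid IPv4.
function parseIPv4(text) {
  const octets = text.split(".").map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : 256));
  return octets.length === 4 && octets.every((o) => o <= 255) ? octets : null;
}

// True for private, loopback, link-local, CGNAT, multicast and reserved space.
// These are internal addresses: nothing to look up, and no reason to send them out.
function isNonPublic([a, b]) {
  return (
    a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) ||                     // CGNAT 100.64.0.0/10
    (a === 169 && b === 254) ||                               // link-local
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) // RFC 1918
  );
}

// Extract unique public IPv4 addresses from free-form log lines, first-seen order.
function extractPublicIPs(lines) {
  const seen = new Set();
  for (const line of lines) {
    for (const candidate of line.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) ?? []) {
      const octets = parseIPv4(candidate);
      if (octets && !isNonPublic(octets)) seen.add(candidate);
    }
  }
  return [...seen];
}

// Split the address list into tool calls that respect the per-call limit.
function buildMultiIpCheckCalls(ips, limit = MAX_IPS_PER_CALL) {
  const calls = [];
  for (let i = 0; i < ips.length; i += limit) {
    calls.push({ tool_name: "multi-ip-check", parameters: { ips: ips.slice(i, i + limit) } });
  }
  return calls;
}

// Constructed sample input (sshd-style lines), not real telemetry.
const SAMPLE_LOG = [
  "Failed password for root from 71.6.135.131 port 51234 ssh2",
  "Failed password for admin from 10.0.0.5 port 40022 ssh2",
  "Failed password for root from 71.6.135.131 port 51240 ssh2",
  "Invalid user test from 8.8.8.8 port 33100",
  "Connection closed by 999.1.1.1 port 1 [preauth]",
];
```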
GNQL (GreyNoise Query Language)
gnql-query - Search GreyNoise data with GNQL. Returns full IP context results including raw scan data. Supports scroll pagination.
gnql-metadata-query - Lightweight GNQL search returning IP metadata without raw scan data. Supports CSV output format.
gnql-stats - Get aggregate statistics for GNQL query results (classification breakdown, top organizations, countries, tags, etc).
Recall (Temporal Analysis)
gnql-timeseries - Retrieve hourly IP activity records for a time range. Enables temporal analysis of scanning patterns.
gnql-timeseries-stats - Get unique IP counts per hour/day over a time range for trend analysis.
Tags
get-tag-list - Retrieve the complete list of GreyNoise tags with metadata.
search-tags - Search for tags matching a query.
get-tag-details - Get comprehensive metadata about a specific tag.
get-tag-activity - Get activity data for a tag including trends over time.
analyze-tags-activity - Analyze activity patterns across multiple tags.
Vulnerabilities
get-trending-vulnerabilities - Get vulnerabilities actively being exploited in the wild.
get-cve-details - Get detailed CVE information including GreyNoise exploitation observations.
Sessions (PCAP)
get-session - Get full metadata and connection details for a single sensor session by ID.
get-session-pcap - Download the raw PCAP capture for a single session. Saves to a temporary file and returns the path.
export-sessions-pcap - Export a PCAP file containing packets from multiple sessions matching a time range and optional Lucene query. Saves to a temporary file and returns the path.
Usage Examples
IP Analysis
// Get detailed context for an IP
{ "tool_name": "lookup-ip-context", "parameters": { "ip": "71.6.135.131" } }
// Quick check
{ "tool_name": "quick-check-ip", "parameters": { "ip": "8.8.8.8" } }
// Bulk check
{ "tool_name": "multi-ip-check", "parameters": { "ips": ["8.8.8.8", "1.1.1.1"] } }
GNQL Queries
// Search for malicious IPs seen today
{ "tool_name": "gnql-query", "parameters": { "query": "classification:malicious last_seen:1d", "size": 10 } }
// Lightweight metadata search
{ "tool_name": "gnql-metadata-query", "parameters": { "query": "tags:Mirai", "size": 25 } }
// Get stats for a query
{ "tool_name": "gnql-stats", "parameters": { "query": "classification:malicious", "count": 10 } }
Temporal Analysis (Recall)
// Hourly activity for an IP
{ "tool_name": "gnql-timeseries", "parameters": { "query": "ip:71.6.135.131" } }
// Daily unique IP counts for malicious activity
{ "tool_name": "gnql-timeseries-stats", "parameters": { "query": "classification:malicious", "interval": "day" } }
Sessions
// Get session metadata
{ "tool_name": "get-session", "parameters": { "session_id": "7e98a36cf76f29a020876691892c5f" } }
// Download session PCAP
{ "tool_name": "get-session-pcap", "parameters": { "session_id": "7e98a36cf76f29a020876691892c5f" } }
// Export PCAPs for sessions matching a query
{ "tool_name": "export-sessions-pcap", "parameters": { "start_time": "2026-01-01T00:00:00Z", "end_time": "2026-01-07T23:59:59Z", "query": "destination.port:443", "size": 50 } }
Available Prompts
vendor-threat-report - Comprehensive threat report for a vendor technology. Parameters: vendor (required), technology (optional), timeframe 1-90 days (required)
ip-threat-analysis - Detailed IP threat analysis with classification, tags, history, and recommendations. Parameters: ip (required), include_related (optional)
cve-analysis - CVE analysis including exploitation status and risk assessment. Parameters: cve_id (required), timeframe 1-90 days (optional)
emerging-threat-report - Report on emerging threats based on trending activity. Parameters: days (optional: 1/7/30), focus_area (optional)
security-posture-assessment - Security posture assessment for an organization's technology stack. Parameters: organization (required), technologies (required), industry (optional)
threat-hunting - Threat hunting plan for specific indicators or patterns. Parameters: indicator_type (required: ip/tag/behavior/actor/cve), indicator_value (required), environment (required)
Changelog
See NEWS.md for release notes.
