IP Intelligence MCP Server
Allows querying IP intelligence enriched by abuse.ch threat feeds (Feodo Tracker and ThreatFox) for C2 and malware indicators.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@IP Intelligence MCP Server check 203.0.113.5 for threat intelligence"
That's it! The server will respond to your query, and you can continue using it as needed.
IP Intelligence Platform
A self-hosted, containerized threat intelligence aggregation and enrichment service. Ingests 10 open-source threat feeds, enriches IP queries with normalized security context, and exposes results via REST API and MCP server. All output is normalized to OCSF Class 4001 (Network Activity).
Features
10 threat feeds — Feodo Tracker, Emerging Threats, Spamhaus, TOR exits, CINS, Blocklist.de, SAPICS ASN, ThreatFox, OTX, Shadowserver
Real-time enrichment — Geolocation (ip-api.com), Shodan InternetDB, Reverse DNS, AbuseIPDB
OCSF Class 4001 output — All responses normalized to the Open Cybersecurity Schema Framework
REST API — FastAPI with OpenAPI docs at /docs
MCP server — FastMCP 2.x Streamable HTTP, compatible with claude.ai MCP connectors
Self-healing feeds — SelfRepairAgent auto-quarantines drifted or stale feeds
Firewall export — NDJSON, plain-text, and CIDR-block exports
Zero-key Phase 1 — All open feeds work without API keys
Quick Start
# 1. Clone and configure
git clone https://github.com/your-username/ip-intelligence.git
cd ip-intelligence
cp .env.example .env
# Edit .env — at minimum set ADMIN_KEY
# 2. Run with Docker Compose
docker compose up -d
# 3. Verify
curl http://localhost:8004/health
The API will be available at http://localhost:8004 and OpenAPI docs at http://localhost:8004/docs.
API Reference
Method | Endpoint | Description |
|
| Enrich a single IP — returns OCSF 4001 |
|
| Bulk lookup up to 500 IPs |
|
| Feed health and repair agent status |
|
| Export blocklist (ndjson, txt, cidr) |
|
| Expand ASN to IP ranges |
|
| Admin operations (requires |
Example
curl http://localhost:8004/lookup/1.2.3.4
{
  "class_uid": 4001,
  "severity_id": 4,
  "dst_endpoint": { "ip": "1.2.3.4" },
  "enrichments": [
    { "name": "geo", "value": { "country": "CN", "city": "Beijing" } },
    { "name": "feodo", "value": { "tags": ["C2", "Emotet"] } }
  ],
  "attacks": [{ "technique": { "uid": "T1071" } }]
}
MCP Tools
Connect to http://localhost:8004/mcp from any MCP-compatible client (Claude Desktop, claude.ai).
Tool | Description |
| Enrich a single IP |
| Bulk IP enrichment |
| Expand ASN to IP ranges |
| Query feed health |
| Promote an IP to the watchlist |
| Human-readable verdict for an IP |
Threat Feeds
Phase 1 — No API Keys Required
Feed | Source | Update Cadence |
Feodo Tracker | abuse.ch | Every 30 min |
Emerging Threats | ProofPoint | Every 60 min |
Spamhaus DROP | Spamhaus | Every 12 hr |
TOR Exit Nodes | torproject.org | Every 60 min |
CINS Army | CINS | Every 60 min |
Blocklist.de | blocklist.de | Every 60 min |
SAPICS ASN | SAPICS | Every 24 hr |
Phase 2 — Optional API Keys
Feed | Env Var | Where to Get |
ThreatFox |
| |
OTX |
| |
Shadowserver |
| |
AbuseIPDB |
|
Architecture
┌─────────────────────────────────────────────┐
│ Clients │
│ curl / Claude Desktop / Browser UI │
└──────────────┬──────────────────────────────┘
│
┌──────────────▼──────────────────────────────┐
│ FastAPI + FastMCP │
│ app/main.py (port 8004) │
├─────────────────────────────────────────────┤
│ LookupEngine │ Enrichers │ MCP Tools │
│ (bisect) │ geo/shodan │ 6 tools │
├─────────────────────────────────────────────┤
│ IntelStore │
│ (in-memory, atomic swap) │
├─────────────────────────────────────────────┤
│ APScheduler │ SelfRepairAgent │
│ (10 cron jobs)│ (health monitoring) │
├─────────────────────────────────────────────┤
│ Feed Updaters (10) │
└─────────────────────────────────────────────┘
Configuration
All configuration is via environment variables. Copy .env.example to .env:
cp .env.example .env
Key settings:
Variable | Default | Description |
|
| Server port |
| — | Required for admin endpoints |
|
| Enable auto-repair of degraded feeds |
|
| Alert if feed data is older than N hours |
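A sketch of the store and lookup layers named in the Architecture diagram (bisect lookup, in-memory store with atomic swap) combined with the feed-age threshold from the settings above. This is an added example, not the project's code: the class names, the `min_keep_ratio` drift guard, and the sample addresses (documentation ranges) are assumptions constructed here.

```python
import bisect
import ipaddress
import time

# Constructed sample feed: two adjacent /25s and a single host.
SAMPLE_FEED = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.7"]


class Snapshot:
    """Immutable sorted view of one feed (IPv4 only in this sketch)."""

    def __init__(self, feed, entries, fetched_at):
        nets = ipaddress.collapse_addresses(
            ipaddress.IPv4Network(e, strict=False) for e in entries)
        self.feed, self.fetched_at = feed, fetched_at
        # collapse_addresses yields sorted, non-overlapping networks
        self.ranges = [(int(n[0]), int(n[-1])) for n in nets]
        self.starts = [lo for lo, _ in self.ranges]

    def contains(self, ip):
        x = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, x) - 1  # last range starting <= x
        return i >= 0 and x <= self.ranges[i][1]


class Store:
    def __init__(self, max_age_hours=24, min_keep_ratio=0.5):
        self.max_age = max_age_hours * 3600
        self.min_keep_ratio = min_keep_ratio
        self.view = {}         # feed name -> Snapshot; never mutated in place
        self.rejected = set()  # feeds whose last update failed the drift guard

    def publish(self, snap):
        old = self.view.get(snap.feed)
        # Drift guard (assumption): a feed that suddenly loses most of its
        # entries is treated as a broken fetch, not as real intelligence.
        if old and len(snap.ranges) < len(old.ranges) * self.min_keep_ratio:
            self.rejected.add(snap.feed)  # keep serving the last good snapshot
            return False
        self.view = {**self.view, snap.feed: snap}  # atomic swap: one rebind
        self.rejected.discard(snap.feed)
        return True

    def lookup(self, ip, now=None):
        now = time.time() if now is None else now
        view = self.view  # a reader holds one consistent view throughout
        fresh = {f: s for f, s in view.items()
                 if now - s.fetched_at <= self.max_age}
        return {"ip": ip,
                "feeds": sorted(f for f, s in fresh.items() if s.contains(ip)),
                "stale": sorted(set(view) - set(fresh))}
```

Stale feeds are reported rather than matched, so a consumer can tell "not listed" apart from "coverage missing".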
Development
# Install dependencies
pip install -r requirements.txt
# Run locally (without Docker)
uvicorn app.main:app --reload --port 8004
# Run tests (unit only, no network)
pytest tests/ -v -m "not live_feeds"
# Run all tests (requires network access)
pytest tests/ -v
Project Structure
app/
├── main.py # FastAPI app + FastMCP mount
├── mcp_tools.py # MCP @mcp.tool() definitions
├── intel_store.py # Unified in-memory store
├── lookup.py # Bisect engine
├── scorer.py # Risk score computation
├── repair_agent.py # Self-healing feed monitor
├── scheduler.py # APScheduler cron setup
├── ocsf.py # OCSF 4001 serialization
├── enrichers/ # Geo, Shodan, rDNS, AbuseIPDB
├── models/ # Pydantic v2 models
└── updaters/ # Per-feed update scripts (10 feeds)
Claude Code Integration
This repo ships with a complete Claude Code setup. When you open the project in Claude Code, it automatically loads:
Project instructions (CLAUDE.md) — architecture, invariants, conventions, and test commands
Specialized subagents (.claude/agents/) — each agent knows one layer of the stack:
Agent | Owns |
|
|
|
|
|
|
|
|
|
|
Auto-test hooks (.claude/settings.json) — runs pytest -m "not live_feeds" after every Python file edit
Dev server launch (.claude/launch.json) — starts the UI dev server on port 5173
No extra setup needed — clone the repo, open it in Claude Code, and the agents are ready to use.
Contributing
See CONTRIBUTING.md for guidelines.
Security
To report a vulnerability, see SECURITY.md. Do not open a public issue.
License