Python
Searches for threats and malware affecting Android devices through MISP's threat intelligence database
Searches for threats and malware affecting iOS devices through MISP's threat intelligence database
Searches for threats and malware affecting Linux systems through MISP's threat intelligence database
Specialized malware detection for macOS, allowing search and retrieval of the latest Mac-related malware samples from MISP
Uses Python for implementation and requires Python 3.10+ for installation and execution of the MISP MCP server
MISP MCP Server
A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.
Features
- Mac Malware Detection: Search for the latest macOS-related malware samples
- Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
- Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
- IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
- Threat Intelligence Reports: Generate comprehensive reports based on MISP data
- MISP Statistics: Get insights into your MISP instance's data
Prerequisites
- Python 3.10 or higher
- MISP instance with API access
- API key with appropriate permissions
Installation
- Clone this repository:
- Create a virtual environment and install dependencies:
Configuration
Set the following environment variables to connect to your MISP instance:
MISP_URL- URL of your MISP instance (e.g., "https://misp.example.com")MISP_API_KEY- Your MISP API keyMISP_VERIFY_SSL- Whether to verify SSL certificates (True/False)
Usage
Running as a standalone server
Testing with MCP Inspector
Installing in Claude Desktop
Edit your Claude Desktop configuration file:
macOS:
Windows:
Add the MISP MCP server configuration:
Alternatively, use the MCP CLI:
Available Tools
get_mac_malware
Get the latest Mac-related malware samples from MISP.
Parameters:
days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
get_platform_malware
Get the latest malware samples for a specific platform from MISP.
Parameters:
platform: Platform to search for (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
advanced_search
Perform advanced searches in MISP.
Parameters:
query_type: Type of search (attribute_type, tag, threatactor, tlp)query_value: Value to search forplatform(optional): Platform filter (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
submit_ioc
Submit a new Indicator of Compromise (IoC) to MISP.
Parameters:
ioc_value: The actual IoC value (e.g., hash, URL, IP)ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)event_info: Brief description of the eventcategory(default: "Artifacts dropped"): Category of the attributeplatform(optional): Platform affected (windows, macos, linux, android, ios, iot)tlp(default: "amber"): Traffic Light Protocol level (white, green, amber, red)comment(optional): Optional comment for the IoC
generate_threat_report
Generate a comprehensive threat intelligence report based on MISP data.
Parameters:
days(default: 30): Number of days to include in the reportplatforms(default: "all"): Comma-separated list of platforms or "all"threat_level(default: "all"): Filter by threat level (low, medium, high, all)include_stats(default: True): Whether to include statistics
search_misp
Search MISP for specific threats.
Parameters:
query: Search term (e.g., CVE ID, malware name, hash)days(default: 30): Number of days to look back
get_misp_stats
Get statistics about the MISP instance.
Available Resources
feeds://recent/{days}
Get information about recent MISP feeds.
Parameters:
days(default: 7): Number of days to look back
Example Queries with Claude
- "What are the latest Mac-related malware samples?"
- "Show me Windows malware from the last 2 weeks"
- "Search for CVE-2023-12345 in MISP"
- "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
- "Generate a threat intelligence report for the last month"
- "What are the current MISP statistics?"
- "Get information about recent MISP feeds"
- "Perform an advanced search for TLP events related to banking trojans"
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
This server cannot be installed
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
MISP-MCP-SERVER
Related MCP Servers
- -securityAlicense-qualityMarineTraffic MCP ServerLast updated -4TypeScriptMIT License
- JavaScriptMIT License
- TypeScriptMIT License