Skip to main content
Glama

MISP-MCP-SERVER

MISP MCP Server

A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.

Features

  • Mac Malware Detection: Search for the latest macOS-related malware samples
  • Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
  • Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
  • IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
  • Threat Intelligence Reports: Generate comprehensive reports based on MISP data
  • MISP Statistics: Get insights into your MISP instance's data

Prerequisites

  • Python 3.10 or higher
  • MISP instance with API access
  • API key with appropriate permissions

Installation

  1. Clone this repository:
    git clone https://github.com/yourusername/misp-mcp-server.git cd misp-mcp-server
  2. Create a virtual environment and install dependencies:
    python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate pip install "mcp[cli]" pymisp

Configuration

Set the following environment variables to connect to your MISP instance:

  • MISP_URL - URL of your MISP instance (e.g., "https://misp.example.com")
  • MISP_API_KEY - Your MISP API key
  • MISP_VERIFY_SSL - Whether to verify SSL certificates (True/False)

Usage

Running as a standalone server

python misp_server.py

Testing with MCP Inspector

mcp dev misp_server.py

Installing in Claude Desktop

Edit your Claude Desktop configuration file:

macOS:

~/Library/Application Support/Claude/claude_desktop_config.json

Windows:

%APPDATA%\Claude\claude_desktop_config.json

Add the MISP MCP server configuration:

{ "mcpServers": { "misp-intelligence": { "command": "python", "args": ["/path/to/misp_server.py"], "env": { "MISP_URL": "https://your-misp-instance.com", "MISP_API_KEY": "your-api-key-here", "MISP_VERIFY_SSL": "True" } } } }

Alternatively, use the MCP CLI:

mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key

Available Tools

get_mac_malware

Get the latest Mac-related malware samples from MISP.

Parameters:

  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

get_platform_malware

Get the latest malware samples for a specific platform from MISP.

Parameters:

  • platform: Platform to search for (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

Perform advanced searches in MISP.

Parameters:

  • query_type: Type of search (attribute_type, tag, threatactor, tlp)
  • query_value: Value to search for
  • platform (optional): Platform filter (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

submit_ioc

Submit a new Indicator of Compromise (IoC) to MISP.

Parameters:

  • ioc_value: The actual IoC value (e.g., hash, URL, IP)
  • ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)
  • event_info: Brief description of the event
  • category (default: "Artifacts dropped"): Category of the attribute
  • platform (optional): Platform affected (windows, macos, linux, android, ios, iot)
  • tlp (default: "amber"): Traffic Light Protocol level (white, green, amber, red)
  • comment (optional): Optional comment for the IoC

generate_threat_report

Generate a comprehensive threat intelligence report based on MISP data.

Parameters:

  • days (default: 30): Number of days to include in the report
  • platforms (default: "all"): Comma-separated list of platforms or "all"
  • threat_level (default: "all"): Filter by threat level (low, medium, high, all)
  • include_stats (default: True): Whether to include statistics

search_misp

Search MISP for specific threats.

Parameters:

  • query: Search term (e.g., CVE ID, malware name, hash)
  • days (default: 30): Number of days to look back

get_misp_stats

Get statistics about the MISP instance.

Available Resources

feeds://recent/{days}

Get information about recent MISP feeds.

Parameters:

  • days (default: 7): Number of days to look back

Example Queries with Claude

  1. "What are the latest Mac-related malware samples?"
  2. "Show me Windows malware from the last 2 weeks"
  3. "Search for CVE-2023-12345 in MISP"
  4. "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
  5. "Generate a threat intelligence report for the last month"
  6. "What are the current MISP statistics?"
  7. "Get information about recent MISP feeds"
  8. "Perform an advanced search for TLP:RED events related to banking trojans"

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.

-
security - not tested
-
license - not tested
-
quality - not tested

remote-capable server

The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.

MISP-MCP-SERVER

  1. Features
    1. Prerequisites
      1. Installation
        1. Configuration
          1. Usage
            1. Running as a standalone server
            2. Testing with MCP Inspector
            3. Installing in Claude Desktop
          2. Available Tools
            1. get_mac_malware
            2. get_platform_malware
            3. advanced_search
            4. submit_ioc
            5. generate_threat_report
            6. search_misp
            7. get_misp_stats
          3. Available Resources
            1. feeds://recent/{days}
          4. Example Queries with Claude
            1. Contributing
              1. License

                Related MCP Servers

                View all related MCP servers

                MCP directory API

                We provide all the information about MCP servers via our MCP API.

                curl -X GET 'https://glama.ai/api/mcp/v1/servers/bornpresident/MISP-MCP-SERVER'

                If you have feedback or need assistance with the MCP directory API, please join our Discord server