Skip to main content
Glama
Sign In

MISP-MCP-SERVER

by bornpresident
GitHub
Python
RedditDiscord
OverviewInspectNewSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

MISP MCP Server

A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.

Features

  • Mac Malware Detection: Search for the latest macOS-related malware samples
  • Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
  • Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
  • IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
  • Threat Intelligence Reports: Generate comprehensive reports based on MISP data
  • MISP Statistics: Get insights into your MISP instance's data

Prerequisites

  • Python 3.10 or higher
  • MISP instance with API access
  • API key with appropriate permissions

Installation

  1. Clone this repository:
    git clone https://github.com/yourusername/misp-mcp-server.git cd misp-mcp-server
  2. Create a virtual environment and install dependencies:
    python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate pip install "mcp[cli]" pymisp

Configuration

Set the following environment variables to connect to your MISP instance:

  • MISP_URL - URL of your MISP instance (e.g., "https://misp.example.com")
  • MISP_API_KEY - Your MISP API key
  • MISP_VERIFY_SSL - Whether to verify SSL certificates (True/False)

Usage

Running as a standalone server

python misp_server.py

Testing with MCP Inspector

mcp dev misp_server.py

Installing in Claude Desktop

Edit your Claude Desktop configuration file:

macOS:

~/Library/Application Support/Claude/claude_desktop_config.json

Windows:

%APPDATA%\Claude\claude_desktop_config.json

Add the MISP MCP server configuration:

{ "mcpServers": { "misp-intelligence": { "command": "python", "args": ["/path/to/misp_server.py"], "env": { "MISP_URL": "https://your-misp-instance.com", "MISP_API_KEY": "your-api-key-here", "MISP_VERIFY_SSL": "True" } } } }

Alternatively, use the MCP CLI:

mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key

Available Tools

get_mac_malware

Get the latest Mac-related malware samples from MISP.

Parameters:

  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

get_platform_malware

Get the latest malware samples for a specific platform from MISP.

Parameters:

  • platform: Platform to search for (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

Perform advanced searches in MISP.

Parameters:

  • query_type: Type of search (attribute_type, tag, threatactor, tlp)
  • query_value: Value to search for
  • platform (optional): Platform filter (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

submit_ioc

Submit a new Indicator of Compromise (IoC) to MISP.

Parameters:

  • ioc_value: The actual IoC value (e.g., hash, URL, IP)
  • ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)
  • event_info: Brief description of the event
  • category (default: "Artifacts dropped"): Category of the attribute
  • platform (optional): Platform affected (windows, macos, linux, android, ios, iot)
  • tlp (default: "amber"): Traffic Light Protocol level (white, green, amber, red)
  • comment (optional): Optional comment for the IoC

generate_threat_report

Generate a comprehensive threat intelligence report based on MISP data.

Parameters:

  • days (default: 30): Number of days to include in the report
  • platforms (default: "all"): Comma-separated list of platforms or "all"
  • threat_level (default: "all"): Filter by threat level (low, medium, high, all)
  • include_stats (default: True): Whether to include statistics

search_misp

Search MISP for specific threats.

Parameters:

  • query: Search term (e.g., CVE ID, malware name, hash)
  • days (default: 30): Number of days to look back

get_misp_stats

Get statistics about the MISP instance.

Available Resources

feeds://recent/{days}

Get information about recent MISP feeds.

Parameters:

  • days (default: 7): Number of days to look back

Example Queries with Claude

  1. "What are the latest Mac-related malware samples?"
  2. "Show me Windows malware from the last 2 weeks"
  3. "Search for CVE-2023-12345 in MISP"
  4. "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
  5. "Generate a threat intelligence report for the last month"
  6. "What are the current MISP statistics?"
  7. "Get information about recent MISP feeds"
  8. "Perform an advanced search for TLP:RED events related to banking trojans"

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.

This server cannot be installed

-
security - not tested
-
license - not tested
-
quality - not tested

MISP-MCP-SERVER

  1. Features
    1. Prerequisites
      1. Installation
        1. Configuration
          1. Usage
            1. Running as a standalone server
            2. Testing with MCP Inspector
            3. Installing in Claude Desktop
          2. Available Tools
            1. get_mac_malware
            2. get_platform_malware
            3. advanced_search
            4. submit_ioc
            5. generate_threat_report
            6. search_misp
            7. get_misp_stats
          3. Available Resources
            1. feeds://recent/{days}
          4. Example Queries with Claude
            1. Contributing
              1. License
                ID: ydtcspgk2c