README.md•5.39 kB
# MISP MCP Server
A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.
## Features
- **Mac Malware Detection**: Search for the latest macOS-related malware samples
- **Cross-Platform Threat Intelligence**: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
- **Advanced Search Capabilities**: Search by attribute type, tag, threat actor, or TLP classification
- **IoC Submission**: Submit new Indicators of Compromise directly to your MISP instance
- **Threat Intelligence Reports**: Generate comprehensive reports based on MISP data
- **MISP Statistics**: Get insights into your MISP instance's data
## Prerequisites
- Python 3.10 or higher
- [MISP](https://github.com/MISP/MISP) instance with API access
- API key with appropriate permissions
## Installation
1. Clone this repository:
```bash
git clone https://github.com/yourusername/misp-mcp-server.git
cd misp-mcp-server
```
2. Create a virtual environment and install dependencies:
```bash
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install "mcp[cli]" pymisp
```
## Configuration
Set the following environment variables to connect to your MISP instance:
- `MISP_URL` - URL of your MISP instance (e.g., "https://misp.example.com")
- `MISP_API_KEY` - Your MISP API key
- `MISP_VERIFY_SSL` - Whether to verify SSL certificates (True/False)
## Usage
### Running as a standalone server
```bash
python misp_server.py
```
### Testing with MCP Inspector
```bash
mcp dev misp_server.py
```
### Installing in Claude Desktop
Edit your Claude Desktop configuration file:
**macOS:**
```
~/Library/Application Support/Claude/claude_desktop_config.json
```
**Windows:**
```
%APPDATA%\Claude\claude_desktop_config.json
```
Add the MISP MCP server configuration:
```json
{
"mcpServers": {
"misp-intelligence": {
"command": "python",
"args": ["/path/to/misp_server.py"],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key-here",
"MISP_VERIFY_SSL": "True"
}
}
}
}
```
Alternatively, use the MCP CLI:
```bash
mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key
```
## Available Tools
### get_mac_malware
Get the latest Mac-related malware samples from MISP.
**Parameters:**
- `days` (default: 30): Number of days to look back
- `limit` (default: 10): Maximum number of results to return
### get_platform_malware
Get the latest malware samples for a specific platform from MISP.
**Parameters:**
- `platform`: Platform to search for (windows, macos, linux, android, ios, iot)
- `days` (default: 30): Number of days to look back
- `limit` (default: 10): Maximum number of results to return
### advanced_search
Perform advanced searches in MISP.
**Parameters:**
- `query_type`: Type of search (attribute_type, tag, threatactor, tlp)
- `query_value`: Value to search for
- `platform` (optional): Platform filter (windows, macos, linux, android, ios, iot)
- `days` (default: 30): Number of days to look back
- `limit` (default: 10): Maximum number of results to return
### submit_ioc
Submit a new Indicator of Compromise (IoC) to MISP.
**Parameters:**
- `ioc_value`: The actual IoC value (e.g., hash, URL, IP)
- `ioc_type`: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)
- `event_info`: Brief description of the event
- `category` (default: "Artifacts dropped"): Category of the attribute
- `platform` (optional): Platform affected (windows, macos, linux, android, ios, iot)
- `tlp` (default: "amber"): Traffic Light Protocol level (white, green, amber, red)
- `comment` (optional): Optional comment for the IoC
### generate_threat_report
Generate a comprehensive threat intelligence report based on MISP data.
**Parameters:**
- `days` (default: 30): Number of days to include in the report
- `platforms` (default: "all"): Comma-separated list of platforms or "all"
- `threat_level` (default: "all"): Filter by threat level (low, medium, high, all)
- `include_stats` (default: True): Whether to include statistics
### search_misp
Search MISP for specific threats.
**Parameters:**
- `query`: Search term (e.g., CVE ID, malware name, hash)
- `days` (default: 30): Number of days to look back
### get_misp_stats
Get statistics about the MISP instance.
## Available Resources
### feeds://recent/{days}
Get information about recent MISP feeds.
**Parameters:**
- `days` (default: 7): Number of days to look back
## Example Queries with Claude
1. "What are the latest Mac-related malware samples?"
2. "Show me Windows malware from the last 2 weeks"
3. "Search for CVE-2023-12345 in MISP"
4. "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
5. "Generate a threat intelligence report for the last month"
6. "What are the current MISP statistics?"
7. "Get information about recent MISP feeds"
8. "Perform an advanced search for TLP:RED events related to banking trojans"
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
## License
This project is licensed under the MIT License - see the LICENSE file for details.