SuricataMCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SuricataMCP ServerList all enabled rules related to DNS tunneling"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
๐ฆ SuricataMCP Server
Turn Claude Desktop into a network security analyst.
A comprehensive Model Context Protocol (MCP) server that connects Claude Desktop to Suricata IDS/IPS. Analyze PCAPs, manage detection rules, and lint rule quality โ all through natural language. Built from scratch with Python and FastMCP.
What This Does
Instead of running Suricata from the terminal, writing grep pipelines to search rules, and manually linting signatures, you talk to Claude and it does it for you. Ask Claude to:
"What version of Suricata is installed?" โ Runs
suricata -V"Analyze this PCAP file for threats" โ Runs Suricata against a PCAP and returns parsed alerts, stats, and EVE JSON events
"Show me all enabled rules related to DNS tunneling" โ Searches 64,000+ rules instantly
"Check this rule for quality issues" โ Runs suricata-check and returns actionable feedback
"Disable rule SID 2100498" โ Comments out the rule with automatic backup
"Write a rule to detect HTTP traffic to evil.com and validate it" โ Creates the rule, validates syntax through Suricata's engine, and lints it for best practices
All results come back in the chat. No terminal switching. No manual log parsing.
Related MCP server: Cooper Cyber Coffee OpenCTI MCP Server
๐ ๏ธ Integrated Tools (18)
Core Suricata (7 tools)
Tool | Description |
get_suricata_version | Get installed Suricata version |
get_suricata_help | Get CLI help output |
get_suricata_build_info | Get build info โ features, libraries, compile flags |
analyze_pcap | Full PCAP analysis โ alerts, stats, and EVE JSON events |
get_alerts_from_pcap | Alerts only from a PCAP file (parsed fast.log) |
get_stats_from_pcap | Stats only from a PCAP file |
get_eve_events_from_pcap | EVE JSON events, filterable by type (alert, dns, http, tls, flow) |
Rule Analysis โ via suricata-check (3 tools)
Tool | Description |
analyze_rule | Lint a single rule for quality issues |
analyze_rule_with_checkers | Lint with specific checker include/exclude patterns |
analyze_ruleset_file | Lint an entire .rules file and get a summary |
Rule Management (8 tools)
Tool | Description |
list_rules | List/search rules with filtering (enabled/disabled/keyword) |
get_rule_by_sid | Look up a specific rule by SID |
enable_rule | Uncomment a disabled rule |
disable_rule | Comment out an enabled rule |
add_rule | Append a new rule to the rules file |
edit_rule | Replace a rule by SID |
delete_rule | Remove a rule by SID |
validate_rule_syntax | Validate rule syntax through Suricata's engine |
Key Features
Structured output: Alerts parsed into structured dicts, not raw log lines
EVE JSON support: Full access to Suricata's rich JSON event output
Automatic backups: Every rule modification creates a timestamped backup
Cross-platform: Works on Linux, macOS, and Windows
Environment-based config: All settings via
.envor environment variablesGraceful degradation: suricata-check is optional โ core tools work without it
๐ Quick Start
Prerequisites
Python 3.10+
Suricata installed (download)
Claude Desktop
1. Clone the Repository
git clone https://github.com/Hackerobi/suricata-mcp-server.git
cd suricata-mcp-server2. Create Virtual Environment and Install Dependencies
python3 -m venv .venv
source .venv/bin/activate # Linux/Mac
# .venv\Scripts\activate # Windows
pip install -r requirements.txt3. Install suricata-check (Optional โ for rule analysis tools)
pip install suricata-check4. Install Suricata (if not already installed)
# Ubuntu/Debian
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
# Verify
suricata -V5. Download Detection Rules
sudo suricata-updateThis fetches the Emerging Threats Open ruleset (~64,000 rules) to /var/lib/suricata/rules/suricata.rules.
6. Configure
cp .env.example .env
# Edit .env if your paths differ from defaults7. Test the Server
# Start the server
python server.py
# Or run the test suite
sudo .venv/bin/python test_tools.py8. Configure Claude Desktop
Add to your Claude Desktop profile config (e.g., ~/.config/Claude/profiles/SOC.json on Linux):
{
"mcpServers": {
"SuricataMCP": {
"command": "sudo",
"args": [
"/path/to/suricata-mcp-server/.venv/bin/python",
"/path/to/suricata-mcp-server/server.py"
],
"cwd": "/path/to/suricata-mcp-server"
}
}
}Note:
sudois needed because Suricata's rules and config files are root-owned. For passwordless operation, add to sudoers:youruser ALL=(root) NOPASSWD: /path/to/.venv/bin/python /path/to/server.py
9. Restart Claude Desktop
The SuricataMCP tools will appear automatically. Start analyzing.
๐ Environment Variables
All settings are prefixed with SURICATA_MCP_ and can be set in .env or as environment variables.
Variable | Default (Linux) | Description |
|
| Directory containing Suricata binary |
|
| Suricata executable name |
|
| Default rules file path |
|
| Suricata YAML config |
|
| Max seconds for Suricata commands |
๐ก Usage Examples
PCAP Threat Analysis
"Analyze the PCAP at /tmp/suspicious_traffic.pcap and show me all alerts"
Claude runs analyze_pcap โ returns structured alerts with timestamps, SIDs, and messages.
Rule Quality Audit
"Check this rule for issues:
alert tcp any any -> any 443 (msg:"TLS to suspicious port"; sid:1000001; rev:1;)"
Claude runs analyze_rule โ returns 10+ actionable suggestions for metadata, content matching, SID ranges, and best practices.
Rule Search and Management
"Find all enabled rules related to SQL injection, then disable SID 2006546"
Claude chains: list_rules (search="sql injection", enabled_only=True) โ disable_rule (sid=2006546)
Syntax Validation
"Write a rule to detect HTTP POST requests to /admin/upload and validate it"
Claude writes the rule โ runs validate_rule_syntax through Suricata's engine โ fixes any errors โ confirms it's valid.
EVE JSON Deep Dive
"Run this PCAP through Suricata and show me all DNS queries"
Claude runs get_eve_events_from_pcap with event_type="dns" โ returns structured DNS query/response data.
Combined Workflow
"Analyze this PCAP, check what rules triggered, then lint those rules for quality improvements"
Claude chains: analyze_pcap โ extracts SIDs from alerts โ get_rule_by_sid for each โ analyze_rule on each โ synthesizes a report.
๐ Security
Automatic backups: Every rule file modification creates a timestamped
.backup_YYYYMMDD_HHMMSS.rulesfileInput validation: Rules are validated before being added (must have action, SID)
Least privilege sudo: Configure sudoers for only the specific server command
No destructive defaults: The server never modifies rules without explicit tool calls
Never commit
.envto version control
๐ Project Structure
suricata-mcp-server/
โโโ server.py # FastMCP server โ all 18 tools
โโโ config.py # Pydantic-settings configuration
โโโ test_tools.py # Integration test script
โโโ requirements.txt # Python dependencies
โโโ .env.example # Configuration template
โโโ .gitignore
โโโ suricatamcp.service # Systemd service for background running
โโโ README.md๐ง Running as a Background Service
Install the systemd service for automatic startup:
sudo cp suricatamcp.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable suricatamcp
sudo systemctl start suricatamcp
# Check status
sudo systemctl status suricatamcp
# View logs
sudo journalctl -u suricatamcp -f๐งช Running Tests
# Activate venv
source .venv/bin/activate
# Run with sudo (needed for rules file access)
sudo .venv/bin/python test_tools.py๐๏ธ Built With
Suricata โ Open-source IDS/IPS engine by OISF
suricata-check โ Rule quality analysis library
FastMCP โ Python MCP server framework
pydantic-settings โ Environment-based configuration
Inspired by Medinios/SuricataMCP โ rebuilt from scratch with full rule management and analysis capabilities.
โ ๏ธ Disclaimer
This project is not affiliated with the OISF (Open Information Security Foundation) or the official Suricata project. It is an independent MCP integration built for security analysis workflows. Always ensure you have proper authorization before analyzing network traffic.
๐ค Contributing
Pull requests welcome. To add a new tool:
Add the function in
server.pywith the@mcp.tool()decoratorAdd a test case in
test_tools.pyUpdate this README
Submit a PR
๐ฌ Contact
Discord: sgtwolf787
GitHub: @Hackerobi
White hat or no hat ๐ฉ
Built with Claude. Tested with Suricata 8.0.3 and 64,357 ET Open rules. Stay legal.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hackerobi/suricata-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server