zeek-mcp
An MCP (Model Context Protocol) server for Zeek and Suricata, providing intelligent log parsing, querying, and analysis over network security monitoring data. Enables LLMs to query connection logs, DNS activity, HTTP requests, SSL certificates, file extractions, security notices, IDS alerts, and cross-reference findings between both sensors.
Features
25 tools for querying and analyzing Zeek + Suricata logs
2 resources for log type metadata and sensor stats
4 prompts for guided investigation workflows
Dual format support - JSON and TSV (Zeek's native tab-separated format)
Suricata integration - Query eve.json alerts, cross-correlate with Zeek, engine stats
CIDR matching - Filter by IP ranges (10.0.0.0/8, 192.168.1.0/24)
IPv6 support - Full IPv6 CIDR matching
Wildcard matching - Search domains and URIs with patterns (*.evil.com)
Beaconing detection - Statistical C2 beacon analysis with jitter scoring
Anomaly detection - Port scan, data exfiltration, and unusual port detection
DNS tunneling detection - Shannon entropy analysis with encoding detection
DHCP asset mapping - MAC-to-IP/hostname device inventory
Compressed log support - Reads .gz archived logs
Date-based rotation - Navigates Zeek's archived log directories by date
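The two features that everything else builds on are the TSV parser and the CIDR filter. The block below is an added example, not code from the zeek-mcp project: the helper names (parseZeekTsv, inCidr, filterByCidr) are hypothetical, and the conn.log it parses is a constructed sample using documentation addresses. It shows how a Zeek TSV file describes itself through its #separator, #unset_field, #empty_field, #fields and #types header lines, why the unset marker must be checked before numeric coercion, and how a byte-wise prefix compare handles IPv4, IPv6 and IPv4-mapped IPv6 addresses without ever matching a v4 address against a v6 range.

```typescript
// Added example, not zeek-mcp's own code. Hypothetical helpers: parseZeekTsv reads the
// #separator/#unset_field/#empty_field/#fields/#types header lines, inCidr matches IPv4
// and IPv6 (including IPv4-mapped) addresses byte-wise, filterByCidr joins the two.
type ZeekValue = string | number | null;
type ZeekRecord = { [field: string]: ZeekValue };
interface ZeekHeader { separator: string; unset: string; empty: string; fields: string[]; types: string[] }

// Zeek writes the separator as an escape sequence, e.g. "#separator \x09".
function unescapeSeparator(s: string): string {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_m, hex: string) => String.fromCharCode(parseInt(hex, 16)));
}
// Unset ("-") and empty markers are tested before numeric coercion, so an unset count is null, not NaN.
function coerce(raw: string, type: string, hdr: ZeekHeader): ZeekValue {
  if (raw === hdr.unset) return null;
  if (raw === hdr.empty) return "";
  if (type === "count" || type === "int" || type === "port") return parseInt(raw, 10);
  if (type === "time" || type === "interval" || type === "double") return parseFloat(raw);
  return raw; // string, addr, enum, bool, set/vector are kept verbatim
}
function parseZeekTsv(text: string): ZeekRecord[] {
  const hdr: ZeekHeader = { separator: "\t", unset: "-", empty: "(empty)", fields: [], types: [] };
  const records: ZeekRecord[] = [];
  text.split("\n").forEach(raw => {
    const line = raw.replace(/\r$/, "");
    if (line === "") return;
    if (line.indexOf("#separator ") === 0) { hdr.separator = unescapeSeparator(line.slice(11)); return; }
    if (line.charAt(0) === "#") { // #fields, #types, #path, #open, #close, ...
      const p = line.slice(1).split(hdr.separator);
      if (p[0] === "fields") hdr.fields = p.slice(1);
      else if (p[0] === "types") hdr.types = p.slice(1);
      else if (p[0] === "unset_field") hdr.unset = p[1];
      else if (p[0] === "empty_field") hdr.empty = p[1];
      return;
    }
    if (hdr.fields.length === 0) throw new Error("data row before #fields header");
    const cols = line.split(hdr.separator);
    const rec: ZeekRecord = {};
    hdr.fields.forEach((name, i) => { rec[name] = coerce(cols[i] === undefined ? hdr.unset : cols[i], hdr.types[i] || "string", hdr); });
    records.push(rec);
  });
  return records;
}
function parseIPv4(ip: string): number[] {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4: " + ip);
  return parts.map(p => { if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad IPv4: " + ip); return Number(p); });
}
function parseIPv6(ip: string): number[] {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("bad IPv6: " + ip);
  const groupsOf = (s: string): string[] => (s === "" ? [] : s.split(":"));
  // A dotted quad in the last group (e.g. ::ffff:10.0.0.1) becomes two 16-bit groups.
  const expandV4 = (groups: string[]): string[] => {
    const last = groups[groups.length - 1];
    if (last === undefined || last.indexOf(".") === -1) return groups;
    const b = parseIPv4(last);
    return groups.slice(0, -1).concat([((b[0] << 8) | b[1]).toString(16), ((b[2] << 8) | b[3]).toString(16)]);
  };
  const head = expandV4(groupsOf(halves[0]));
  const tail = halves.length === 2 ? expandV4(groupsOf(halves[1])) : [];
  const missing = 8 - head.length - tail.length; // groups collapsed by "::"
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error("bad IPv6: " + ip);
  const zeros: string[] = [];
  for (let i = 0; i < missing; i++) zeros.push("0");
  const bytes: number[] = [];
  head.concat(zeros, tail).forEach(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error("bad IPv6: " + ip);
    const v = parseInt(g, 16);
    bytes.push(v >> 8, v & 0xff);
  });
  return bytes;
}
function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const net = slash === -1 ? cidr : cidr.slice(0, slash);
  const target = ip.indexOf(":") !== -1 ? parseIPv6(ip) : parseIPv4(ip);
  const network = net.indexOf(":") !== -1 ? parseIPv6(net) : parseIPv4(net);
  if (target.length !== network.length) return false; // a v4 address never matches a v6 range, and vice versa
  const maxBits = network.length * 8;
  const prefix = slash === -1 ? maxBits : parseInt(cidr.slice(slash + 1), 10);
  if (isNaN(prefix) || prefix < 0 || prefix > maxBits) throw new Error("bad prefix: " + cidr);
  for (let bit = 0; bit < prefix; bit += 8) { // whole bytes, then the partial byte at the prefix edge
    const mask = (0xff << (8 - Math.min(8, prefix - bit))) & 0xff;
    if ((target[bit / 8] & mask) !== (network[bit / 8] & mask)) return false;
  }
  return true;
}
// Keep records whose address column falls inside the range; unset (null) addresses never match.
function filterByCidr(records: ZeekRecord[], field: string, cidr: string): ZeekRecord[] {
  return records.filter(r => typeof r[field] === "string" && inCidr(r[field] as string, cidr));
}
// Constructed sample conn.log (documentation addresses, not real traffic); the separator is a real tab.
const SAMPLE_CONN_LOG = [
  "#separator \\x09", "#empty_field\t(empty)", "#unset_field\t-", "#path\tconn",
  "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
  "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
  "1704067200.123456\tCabc1\t10.0.0.5\t51234\t198.51.100.23\t443\ttcp\tssl\t12.5\t1024\t20480\tSF",
  "1704067201.000000\tCabc2\t10.0.0.7\t53211\t192.0.2.53\t53\tudp\tdns\t0.02\t60\t120\tSF",
  "1704067202.500000\tCabc3\t192.168.1.20\t40000\t203.0.113.9\t8443\ttcp\t-\t-\t-\t-\tS0",
  "1704067203.000000\tCabc4\t2001:db8::10\t50000\t2001:db8:1::1\t22\ttcp\tssh\t300.1\t4096\t8192\tSF",
  "#close\t2024-01-01-00-00-05",
].join("\n");
```

Calling `filterByCidr(parseZeekTsv(SAMPLE_CONN_LOG), "id.orig_h", "10.0.0.0/8")` returns the two 10/8 originators (Cabc1, Cabc2); the IPv6 row is skipped by the length check rather than by a failed parse, and the half-open S0 row keeps `service` and `duration` as null because "-" is recognised before any number parsing. The same `inCidr` also accepts `::ffff:0:0/96`, so IPv4-mapped addresses that some sensors emit in dual-stack setups can be matched as a range.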
Prerequisites
Node.js 20+
Zeek sensor generating logs (JSON or TSV format)
Suricata (optional, for IDS alert correlation)
Installation
git clone https://github.com/solomonneas/zeek-mcp.git
cd zeek-mcp
npm install
npm run build
Configuration
Zeek
Variable | Default | Description
ZEEK_LOG_DIR | | Path to current Zeek logs
| | Path to archived/rotated logs
ZEEK_LOG_FORMAT | | Log format: json or tsv
| | Maximum results per query
Suricata
Variable | Default | Description
SURICATA_EVE_LOG | | Path to Suricata eve.json
| | Path to Suricata fast.log
| | Path to Suricata rules directory
Usage
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"zeek": {
"command": "zeek-mcp",
"env": {
"ZEEK_LOG_DIR": "/opt/nids/zeek/logs",
"ZEEK_LOG_FORMAT": "tsv",
"SURICATA_EVE_LOG": "/opt/nids/suricata/logs/eve.json"
}
}
}
}
Claude Code
claude mcp add zeek \
--env ZEEK_LOG_DIR=/opt/nids/zeek/logs \
--env ZEEK_LOG_FORMAT=tsv \
--env SURICATA_EVE_LOG=/opt/nids/suricata/logs/eve.json \
-- zeek-mcp
Add --scope user to make it available from any directory instead of only the current project.
OpenClaw
If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:
openclaw mcp set zeek '{
"command": "node",
"args": ["/absolute/path/to/zeek-mcp/dist/index.js"],
"env": {
"ZEEK_LOG_DIR": "/opt/nids/zeek/logs",
"ZEEK_LOG_FORMAT": "tsv",
"SURICATA_EVE_LOG": "/opt/nids/suricata/logs/eve.json"
}
}'
Or, with the global npm install:
openclaw mcp set zeek '{
"command": "zeek-mcp",
"env": {
"ZEEK_LOG_DIR": "/opt/nids/zeek/logs",
"ZEEK_LOG_FORMAT": "tsv",
"SURICATA_EVE_LOG": "/opt/nids/suricata/logs/eve.json"
}
}'
Then restart the OpenClaw gateway so the new server is picked up:
systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "zeek" is registered
Hermes Agent
Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:
mcp_servers:
  zeek:
    command: "zeek-mcp"
    env:
      ZEEK_LOG_DIR: "/opt/nids/zeek/logs"
      ZEEK_LOG_FORMAT: "tsv"
      SURICATA_EVE_LOG: "/opt/nids/suricata/logs/eve.json"
Or, when running from a source checkout instead of the global npm install:
mcp_servers:
  zeek:
    command: "node"
    args: ["/absolute/path/to/zeek-mcp/dist/index.js"]
    env:
      ZEEK_LOG_DIR: "/opt/nids/zeek/logs"
      ZEEK_LOG_FORMAT: "tsv"
      SURICATA_EVE_LOG: "/opt/nids/suricata/logs/eve.json"
Then reload MCP from inside a Hermes session:
/reload-mcp
Codex CLI
Codex CLI registers MCP servers via codex mcp add:
codex mcp add zeek \
--env ZEEK_LOG_DIR=/opt/nids/zeek/logs \
--env ZEEK_LOG_FORMAT=tsv \
--env SURICATA_EVE_LOG=/opt/nids/suricata/logs/eve.json \
-- zeek-mcp
Or, when running from a source checkout:
codex mcp add zeek \
--env ZEEK_LOG_DIR=/opt/nids/zeek/logs \
--env ZEEK_LOG_FORMAT=tsv \
--env SURICATA_EVE_LOG=/opt/nids/suricata/logs/eve.json \
-- node /absolute/path/to/zeek-mcp/dist/index.js
Codex writes the entry to ~/.codex/config.toml under [mcp_servers.zeek]. Verify with:
codex mcp list
Standalone
ZEEK_LOG_DIR=/opt/nids/zeek/logs ZEEK_LOG_FORMAT=tsv node dist/index.js
Development
ZEEK_LOG_DIR=./test-data npm run dev
Tools
Connection Analysis
Tool | Description |
| Search connection logs with flexible filters (CIDR, protocol, duration, bytes) |
| Statistical summary: top talkers, services, bytes, connection counts |
| Find long-lived connections (potential C2 beacons, tunnels) |
DNS Analysis
Tool | Description |
| Search DNS queries with domain wildcards and response code filtering |
| Top domains, NXDOMAIN counts (DGA detection), query type distribution |
| Detect DNS tunneling via entropy analysis and encoding detection |
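The tunneling detector above rests on two signals: the entropy of the label that carries data, and whether that label looks like an encoding. The block below is an added example, not the project's own tool: the function names are hypothetical, the registered domain is taken naively as the last two labels (no public suffix list), and the query set is constructed, with eight tunnel-like TXT lookups carrying 40 hex characters each next to ordinary lookups under example.com. It also shows the two guards a practitioner wants before trusting entropy alone: a minimum number of queries per domain, so one CDN hostname with a hashed label does not fire, and a minimum label length, because short labels such as "api" cannot carry enough data to matter.

```typescript
// Added example, not zeek-mcp's own code: Shannon entropy of the longest subdomain label
// plus an encoding heuristic, grouped per registered domain. Names are hypothetical.
interface DnsQuery { ts: number; orig: string; query: string; qtype: string; rcode: string }
interface TunnelFinding {
  domain: string; queries: number; uniqueRatio: number; avgEntropy: number;
  avgLabelLen: number; encoding: string; nxdomainRatio: number;
}
function shannonEntropy(s: string): number {
  if (s.length === 0) return 0;
  const counts: { [ch: string]: number } = {};
  for (let i = 0; i < s.length; i++) counts[s.charAt(i)] = (counts[s.charAt(i)] || 0) + 1;
  let h = 0;
  for (const ch in counts) { const p = counts[ch] / s.length; h -= p * Math.log(p) / Math.LN2; }
  return h; // bits per character; 4.0 is the ceiling for hex, ~4.7 for base32, ~6 for base64
}
function labelsOf(name: string): string[] { return name.replace(/\.$/, "").split("."); }
// Assumption: registered domain = last two labels (a real tool would consult the public suffix list).
function registeredDomain(name: string): string { return labelsOf(name.toLowerCase()).slice(-2).join("."); }
// The longest label left of the registered domain is where a tunnel puts its payload.
function payloadLabel(name: string): string {
  return labelsOf(name).slice(0, -2).reduce((best, l) => (l.length > best.length ? l : best), "");
}
function detectEncoding(label: string): string {
  if (label.length < 16) return "none";
  if (/^[0-9a-f]+$/i.test(label)) return "hex";
  if (/^[a-z2-7]+$/i.test(label) && /\d/.test(label)) return "base32";
  if (/^[A-Za-z0-9+\/=_-]+$/.test(label) && /[a-z]/.test(label) && /[A-Z]/.test(label) && /\d/.test(label)) return "base64";
  return "none";
}
function detectDnsTunneling(queries: DnsQuery[], minQueries = 5, entropyThreshold = 3.5, minLabelLen = 20): TunnelFinding[] {
  const groups: { [domain: string]: DnsQuery[] } = {};
  queries.forEach(q => { const d = registeredDomain(q.query); (groups[d] = groups[d] || []).push(q); });
  const findings: TunnelFinding[] = [];
  for (const domain in groups) {
    const qs = groups[domain];
    if (qs.length < minQueries) continue; // one odd hostname is not a tunnel
    const labels = qs.map(q => payloadLabel(q.query));
    const avgEntropy = labels.reduce((s, l) => s + shannonEntropy(l), 0) / labels.length;
    const avgLabelLen = labels.reduce((s, l) => s + l.length, 0) / labels.length;
    if (avgEntropy < entropyThreshold || avgLabelLen < minLabelLen) continue;
    const enc: { [e: string]: number } = {};
    labels.forEach(l => { const e = detectEncoding(l); enc[e] = (enc[e] || 0) + 1; });
    let encoding = "none"; // majority encoding among the payload labels, if any
    for (const e in enc) if (e !== "none" && enc[e] > (enc[encoding] || 0)) encoding = e;
    const seen: { [l: string]: boolean } = {};
    labels.forEach(l => { seen[l] = true; });
    findings.push({
      domain, queries: qs.length, uniqueRatio: Object.keys(seen).length / qs.length,
      avgEntropy, avgLabelLen, encoding,
      nxdomainRatio: qs.filter(q => q.rcode === "NXDOMAIN").length / qs.length,
    });
  }
  return findings.sort((a, b) => b.avgEntropy - a.avgEntropy);
}
// Constructed sample (not real traffic): 8 TXT queries each carrying a 40-char hex window,
// then five ordinary lookups under example.com, one of them with a hashed-looking label.
const HEX_ALPHABET = "0123456789abcdef";
const SAMPLE_DNS: DnsQuery[] = [];
for (let i = 0; i < 8; i++) {
  const payload = (HEX_ALPHABET + HEX_ALPHABET + HEX_ALPHABET).slice(i, i + 40);
  SAMPLE_DNS.push({ ts: 1704067200 + i * 5, orig: "10.0.0.5", query: payload + ".t.example.net", qtype: "TXT", rcode: "NOERROR" });
}
["www", "api", "mail", "static", "d3f0a9b8c7e6f5a4b3c2"].forEach((sub, i) => {
  SAMPLE_DNS.push({ ts: 1704067300 + i, orig: "10.0.0.7", query: sub + ".example.com", qtype: "A", rcode: "NOERROR" });
});
```

`detectDnsTunneling(SAMPLE_DNS)` reports only example.net: every payload label is unique, hex-encoded, 40 characters long and close to the 4-bit ceiling, while example.com averages well under the threshold even though one of its labels is high-entropy on its own. The NXDOMAIN ratio is carried along because some tunnels and most DGAs show up as a high NXDOMAIN rate, which the DNS statistics tool above also surfaces.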
HTTP Analysis
Tool | Description |
| Search HTTP requests by host, URI, method, user agent, status code |
| Find suspicious HTTP: POSTs to IPs, unusual agents, large bodies, base64 in URLs |
SSL/TLS Analysis
Tool | Description |
| Search SSL/TLS by SNI, version, validation status, certificate fields |
| Find expired, self-signed, or invalid certificates |
File Analysis
Tool | Description |
| Search file extractions by MIME type, hash, filename, size |
| Find executable transfers (PE, ELF, scripts) on the wire |
Security Notices
Tool | Description |
| Search Zeek security notices (port scans, invalid certs, custom alerts) |
SSH Analysis
Tool | Description |
| Search SSH connections by auth status, direction, client/server |
| Detect SSH brute force attempts exceeding a failure threshold |
DHCP & Asset Discovery
Tool | Description |
| Search DHCP logs for lease assignments and device discovery |
| Build MAC-to-IP/hostname asset map for network inventory |
Cross-Log Investigation
Tool | Description |
| Full host investigation across all log types |
| Follow a connection UID across all log types |
Software Discovery
Tool | Description |
| List detected software and versions on the network |
Analytics
Tool | Description |
| Detect C2 beaconing by analyzing connection interval regularity and jitter |
| Statistical anomaly detection: port scans, data exfiltration, unusual ports |
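Beacon detection is about interval regularity, not volume. The block below is an added example, not the project's tool: the names and thresholds are hypothetical, and the connection timestamps are constructed. It groups conn.log rows per (originator, responder, responder port), computes the inter-arrival intervals, and scores the pair by jitter, taken here as the coefficient of variation (standard deviation divided by mean interval), so a 60-second timer with a couple of seconds of drift scores near 1 while human browsing, which alternates bursts with long idle gaps, scores far lower. A minimum connection count keeps short-lived pairs from being judged on two or three intervals.

```typescript
// Added example, not zeek-mcp's own code: per-pair inter-arrival analysis with a
// coefficient-of-variation jitter score. Names and thresholds are hypothetical.
interface ConnEvent { ts: number; orig: string; resp: string; respPort: number }
interface BeaconStat { pair: string; count: number; meanInterval: number; jitter: number; score: number }
function mean(xs: number[]): number { return xs.reduce((s, x) => s + x, 0) / xs.length; }
function stddev(xs: number[], m: number): number {
  return Math.sqrt(xs.reduce((s, x) => s + (x - m) * (x - m), 0) / xs.length);
}
function scoreBeacons(conns: ConnEvent[], minConnections = 8): BeaconStat[] {
  const groups: { [pair: string]: number[] } = {};
  conns.forEach(c => {
    const key = c.orig + "->" + c.resp + ":" + c.respPort;
    (groups[key] = groups[key] || []).push(c.ts);
  });
  const out: BeaconStat[] = [];
  for (const pair in groups) {
    const ts = groups[pair].slice().sort((a, b) => a - b); // logs are not guaranteed to be in time order
    if (ts.length < minConnections) continue;
    const intervals: number[] = [];
    for (let i = 1; i < ts.length; i++) intervals.push(ts[i] - ts[i - 1]);
    const m = mean(intervals);
    if (m <= 0) continue; // identical timestamps carry no timing signal
    const jitter = stddev(intervals, m) / m; // 0 = perfectly periodic, >1 = bursty
    out.push({ pair, count: ts.length, meanInterval: m, jitter, score: 1 / (1 + jitter) });
  }
  return out.sort((a, b) => b.score - a.score);
}
// Flag pairs whose jitter is under maxJitter (0.2 = stddev below 20% of the mean interval).
function detectBeacons(conns: ConnEvent[], maxJitter = 0.2, minConnections = 8): BeaconStat[] {
  return scoreBeacons(conns, minConnections).filter(b => b.jitter <= maxJitter);
}
// Constructed sample (documentation addresses, not real traffic).
function buildSampleConns(): ConnEvent[] {
  const out: ConnEvent[] = [];
  // Implant: 12 check-ins about every 60 s with +/- 2 s of drift.
  const beaconGaps = [60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60];
  let t = 1704067200;
  out.push({ ts: t, orig: "10.0.0.5", resp: "203.0.113.9", respPort: 443 });
  beaconGaps.forEach(g => { t += g; out.push({ ts: t, orig: "10.0.0.5", resp: "203.0.113.9", respPort: 443 }); });
  // Human browsing to one site: bursts separated by long idle gaps.
  const browseGaps = [5, 300, 12, 900, 45, 2, 1800, 30];
  t = 1704067200;
  out.push({ ts: t, orig: "10.0.0.7", resp: "198.51.100.23", respPort: 443 });
  browseGaps.forEach(g => { t += g; out.push({ ts: t, orig: "10.0.0.7", resp: "198.51.100.23", respPort: 443 }); });
  // Periodic but too few connections to judge (three DNS lookups).
  [0, 60, 120].forEach(g => out.push({ ts: 1704067200 + g, orig: "10.0.0.9", resp: "192.0.2.53", respPort: 53 }));
  return out;
}
const SAMPLE_CONNS = buildSampleConns();
```

`detectBeacons(SAMPLE_CONNS)` returns only the 10.0.0.5 to 203.0.113.9:443 pair, with a mean interval of exactly 60 s and jitter under 0.02; the browsing pair scores below 0.5 because its jitter exceeds 1, and the three-connection DNS pair is never scored. A real implant may add deliberate sleep randomisation of 10 to 30 percent, so the jitter threshold is a tuning knob, not a constant, and long-lived connections (the long-connection tool above) need a separate check because a single persistent session produces no inter-arrival intervals at all.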
Suricata IDS
Tool | Description |
| Search Suricata alerts by signature, severity, IP, protocol, time |
| High-level alert summary: top signatures, categories, IPs, severity distribution |
| Cross-reference Suricata alerts with Zeek logs for full context |
| Suricata engine statistics: packets, flows, detection performance |
Sensor Management
Tool | Description |
| Live sensor status: log inventory, sizes, freshness, health checks |
Resources
Resource | URI | Description |
Log Types |
| All Zeek log types with field descriptions |
Stats |
| Sensor statistics and available log types |
Prompts
Prompt | Description |
| Triage a Suricata alert by cross-referencing with Zeek logs |
| Guided host investigation workflow across all logs |
| Threat hunting for C2 communication patterns |
| Generate a network activity baseline |
Supported Log Types
conn, dns, http, ssl, files, notice, weird, x509, smtp, ssh, dpd, software, dhcp, ntp, ocsp, websocket
Testing
npm test
110 tests covering parsers (JSON + TSV), query engine, CIDR/wildcard filters, analytics (entropy, beaconing, anomaly detection), Suricata eve.json parsing, DHCP log parsing, and sensor status.
Generate Test Data
npm run generate-logs
npx tsx scripts/generate-zeek-logs.ts --output=/tmp/zeek-logs --format=json
Project Structure
zeek-mcp/
  src/
    index.ts                 # MCP server entry point
    config.ts                # Environment config + validation
    types.ts                 # Zeek log type definitions (16 log types)
    resources.ts             # MCP resources
    prompts.ts               # MCP prompts (4 workflows)
    parser/
      index.ts               # Format-agnostic parser + log resolution
      json.ts                # JSON log parser
      tsv.ts                 # TSV log parser with header detection
    query/
      engine.ts              # Query engine with filtering/sorting
      filters.ts             # CIDR match (v4+v6), wildcard, range operators
      aggregation.ts         # Statistical aggregation functions
    tools/
      connections.ts         # Connection analysis tools
      dns.ts                 # DNS analysis tools
      http.ts                # HTTP analysis tools
      ssl.ts                 # SSL/TLS analysis tools
      files.ts               # File analysis tools
      notices.ts             # Security notice tools
      ssh.ts                 # SSH analysis tools
      investigation.ts       # Cross-log investigation tools
      software.ts            # Software/asset discovery
      dhcp.ts                # DHCP log tools + asset mapping
      beaconing.ts           # Beaconing detection tool
      anomaly.ts             # Anomaly detection tool
      suricata.ts            # Suricata eve.json tools
      sensor.ts              # Sensor status + health checks
    analytics/
      entropy.ts             # Shannon entropy calculation
      beaconing.ts           # Beacon detection algorithms
      anomaly.ts             # Statistical anomaly detection
  tests/
    parser.test.ts           # Parser unit tests (JSON + TSV)
    query.test.ts            # Query engine + filter tests
    analytics.test.ts        # Entropy, beaconing, anomaly tests
    tools.test.ts            # Integration tests with sample data
    suricata.test.ts         # Suricata eve.json parsing tests
    dhcp.test.ts             # DHCP log parsing + asset map tests
    beaconing-tools.test.ts  # Beaconing + anomaly detection tests
    sensor.test.ts           # Sensor status tests
  test-data/                 # Sample Zeek + Suricata logs
  scripts/
    generate-zeek-logs.ts    # Mock data generator
License
MIT