Skip to main content
Glama
Hackerobi

SuricataMCP Server

by Hackerobi

๐ŸฆŠ SuricataMCP Server

Turn Claude Desktop into a network security analyst.

A comprehensive Model Context Protocol (MCP) server that connects Claude Desktop to Suricata IDS/IPS. Analyze PCAPs, manage detection rules, and lint rule quality โ€” all through natural language. Built from scratch with Python and FastMCP.

Python Suricata Tools License


What This Does

Instead of running Suricata from the terminal, writing grep pipelines to search rules, and manually linting signatures, you talk to Claude and it does it for you. Ask Claude to:

  • "What version of Suricata is installed?" โ†’ Runs suricata -V

  • "Analyze this PCAP file for threats" โ†’ Runs Suricata against a PCAP and returns parsed alerts, stats, and EVE JSON events

  • "Show me all enabled rules related to DNS tunneling" โ†’ Searches 64,000+ rules instantly

  • "Check this rule for quality issues" โ†’ Runs suricata-check and returns actionable feedback

  • "Disable rule SID 2100498" โ†’ Comments out the rule with automatic backup

  • "Write a rule to detect HTTP traffic to evil.com and validate it" โ†’ Creates the rule, validates syntax through Suricata's engine, and lints it for best practices

All results come back in the chat. No terminal switching. No manual log parsing.


Related MCP server: Cooper Cyber Coffee OpenCTI MCP Server

๐Ÿ› ๏ธ Integrated Tools (18)

Core Suricata (7 tools)

Tool

Description

get_suricata_version

Get installed Suricata version

get_suricata_help

Get CLI help output

get_suricata_build_info

Get build info โ€” features, libraries, compile flags

analyze_pcap

Full PCAP analysis โ€” alerts, stats, and EVE JSON events

get_alerts_from_pcap

Alerts only from a PCAP file (parsed fast.log)

get_stats_from_pcap

Stats only from a PCAP file

get_eve_events_from_pcap

EVE JSON events, filterable by type (alert, dns, http, tls, flow)

Rule Analysis โ€” via suricata-check (3 tools)

Tool

Description

analyze_rule

Lint a single rule for quality issues

analyze_rule_with_checkers

Lint with specific checker include/exclude patterns

analyze_ruleset_file

Lint an entire .rules file and get a summary

Rule Management (8 tools)

Tool

Description

list_rules

List/search rules with filtering (enabled/disabled/keyword)

get_rule_by_sid

Look up a specific rule by SID

enable_rule

Uncomment a disabled rule

disable_rule

Comment out an enabled rule

add_rule

Append a new rule to the rules file

edit_rule

Replace a rule by SID

delete_rule

Remove a rule by SID

validate_rule_syntax

Validate rule syntax through Suricata's engine

Key Features

  • Structured output: Alerts parsed into structured dicts, not raw log lines

  • EVE JSON support: Full access to Suricata's rich JSON event output

  • Automatic backups: Every rule modification creates a timestamped backup

  • Cross-platform: Works on Linux, macOS, and Windows

  • Environment-based config: All settings via .env or environment variables

  • Graceful degradation: suricata-check is optional โ€” core tools work without it


๐Ÿš€ Quick Start

Prerequisites

  • Python 3.10+

  • Suricata installed (download)

  • Claude Desktop

1. Clone the Repository

git clone https://github.com/Hackerobi/suricata-mcp-server.git
cd suricata-mcp-server

2. Create Virtual Environment and Install Dependencies

python3 -m venv .venv
source .venv/bin/activate    # Linux/Mac
# .venv\Scripts\activate     # Windows

pip install -r requirements.txt

3. Install suricata-check (Optional โ€” for rule analysis tools)

pip install suricata-check

4. Install Suricata (if not already installed)

# Ubuntu/Debian
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata

# Verify
suricata -V

5. Download Detection Rules

sudo suricata-update

This fetches the Emerging Threats Open ruleset (~64,000 rules) to /var/lib/suricata/rules/suricata.rules.

6. Configure

cp .env.example .env
# Edit .env if your paths differ from defaults

7. Test the Server

# Start the server
python server.py

# Or run the test suite
sudo .venv/bin/python test_tools.py

8. Configure Claude Desktop

Add to your Claude Desktop profile config (e.g., ~/.config/Claude/profiles/SOC.json on Linux):

{
  "mcpServers": {
    "SuricataMCP": {
      "command": "sudo",
      "args": [
        "/path/to/suricata-mcp-server/.venv/bin/python",
        "/path/to/suricata-mcp-server/server.py"
      ],
      "cwd": "/path/to/suricata-mcp-server"
    }
  }
}

Note: sudo is needed because Suricata's rules and config files are root-owned. For passwordless operation, add to sudoers:

youruser ALL=(root) NOPASSWD: /path/to/.venv/bin/python /path/to/server.py

9. Restart Claude Desktop

The SuricataMCP tools will appear automatically. Start analyzing.


๐Ÿ”‘ Environment Variables

All settings are prefixed with SURICATA_MCP_ and can be set in .env or as environment variables.

Variable

Default (Linux)

Description

SURICATA_MCP_SURICATA_DIR

/usr/bin

Directory containing Suricata binary

SURICATA_MCP_SURICATA_EXE

suricata

Suricata executable name

SURICATA_MCP_RULES_FILE

/var/lib/suricata/rules/suricata.rules

Default rules file path

SURICATA_MCP_SURICATA_CONFIG

/etc/suricata/suricata.yaml

Suricata YAML config

SURICATA_MCP_COMMAND_TIMEOUT

300

Max seconds for Suricata commands


๐Ÿ’ก Usage Examples

PCAP Threat Analysis

"Analyze the PCAP at /tmp/suspicious_traffic.pcap and show me all alerts"

Claude runs analyze_pcap โ†’ returns structured alerts with timestamps, SIDs, and messages.

Rule Quality Audit

"Check this rule for issues: alert tcp any any -> any 443 (msg:"TLS to suspicious port"; sid:1000001; rev:1;)"

Claude runs analyze_rule โ†’ returns 10+ actionable suggestions for metadata, content matching, SID ranges, and best practices.

Rule Search and Management

"Find all enabled rules related to SQL injection, then disable SID 2006546"

Claude chains: list_rules (search="sql injection", enabled_only=True) โ†’ disable_rule (sid=2006546)

Syntax Validation

"Write a rule to detect HTTP POST requests to /admin/upload and validate it"

Claude writes the rule โ†’ runs validate_rule_syntax through Suricata's engine โ†’ fixes any errors โ†’ confirms it's valid.

EVE JSON Deep Dive

"Run this PCAP through Suricata and show me all DNS queries"

Claude runs get_eve_events_from_pcap with event_type="dns" โ†’ returns structured DNS query/response data.

Combined Workflow

"Analyze this PCAP, check what rules triggered, then lint those rules for quality improvements"

Claude chains: analyze_pcap โ†’ extracts SIDs from alerts โ†’ get_rule_by_sid for each โ†’ analyze_rule on each โ†’ synthesizes a report.


๐Ÿ”’ Security

  • Automatic backups: Every rule file modification creates a timestamped .backup_YYYYMMDD_HHMMSS.rules file

  • Input validation: Rules are validated before being added (must have action, SID)

  • Least privilege sudo: Configure sudoers for only the specific server command

  • No destructive defaults: The server never modifies rules without explicit tool calls

  • Never commit .env to version control


๐Ÿ“ Project Structure

suricata-mcp-server/
โ”œโ”€โ”€ server.py              # FastMCP server โ€” all 18 tools
โ”œโ”€โ”€ config.py              # Pydantic-settings configuration
โ”œโ”€โ”€ test_tools.py          # Integration test script
โ”œโ”€โ”€ requirements.txt       # Python dependencies
โ”œโ”€โ”€ .env.example           # Configuration template
โ”œโ”€โ”€ .gitignore
โ”œโ”€โ”€ suricatamcp.service    # Systemd service for background running
โ””โ”€โ”€ README.md

๐Ÿ”ง Running as a Background Service

Install the systemd service for automatic startup:

sudo cp suricatamcp.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable suricatamcp
sudo systemctl start suricatamcp

# Check status
sudo systemctl status suricatamcp

# View logs
sudo journalctl -u suricatamcp -f

๐Ÿงช Running Tests

# Activate venv
source .venv/bin/activate

# Run with sudo (needed for rules file access)
sudo .venv/bin/python test_tools.py

๐Ÿ—๏ธ Built With

Inspired by Medinios/SuricataMCP โ€” rebuilt from scratch with full rule management and analysis capabilities.


โš ๏ธ Disclaimer

This project is not affiliated with the OISF (Open Information Security Foundation) or the official Suricata project. It is an independent MCP integration built for security analysis workflows. Always ensure you have proper authorization before analyzing network traffic.


๐Ÿค Contributing

Pull requests welcome. To add a new tool:

  1. Add the function in server.py with the @mcp.tool() decorator

  2. Add a test case in test_tools.py

  3. Update this README

  4. Submit a PR


๐Ÿ“ฌ Contact

White hat or no hat ๐ŸŽฉ


Built with Claude. Tested with Suricata 8.0.3 and 64,357 ET Open rules. Stay legal.

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
โ€“Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hackerobi/suricata-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server