Misp Mcp Server
What is Misp Mcp Server
MISP-MCP-SERVER is a Model Context Protocol (MCP) server that integrates with the Malware Information Sharing Platform (MISP) to enhance threat intelligence capabilities for Large Language Models.
Use cases
Use cases include detecting and analyzing macOS malware, submitting new Indicators of Compromise (IoCs) to MISP, generating comprehensive threat reports, and providing threat intelligence insights for organizations.
How to use
To use MISP-MCP-SERVER, clone the repository, set up a virtual environment, install dependencies, configure the necessary environment variables for your MISP instance, and run the server using the provided command.
Key features
Key features include Mac malware detection, cross-platform threat intelligence for various operating systems, advanced search capabilities, IoC submission, generation of threat intelligence reports, and MISP statistics insights.
Where to use
MISP-MCP-SERVER can be utilized in cybersecurity, threat intelligence analysis, malware detection, and any domain requiring enhanced data sharing and analysis of threats across different platforms.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Overview
What is Misp Mcp Server
MISP-MCP-SERVER is a Model Context Protocol (MCP) server that integrates with the Malware Information Sharing Platform (MISP) to enhance threat intelligence capabilities for Large Language Models.
Use cases
Use cases include detecting and analyzing macOS malware, submitting new Indicators of Compromise (IoCs) to MISP, generating comprehensive threat reports, and providing threat intelligence insights for organizations.
How to use
To use MISP-MCP-SERVER, clone the repository, set up a virtual environment, install dependencies, configure the necessary environment variables for your MISP instance, and run the server using the provided command.
Key features
Key features include Mac malware detection, cross-platform threat intelligence for various operating systems, advanced search capabilities, IoC submission, generation of threat intelligence reports, and MISP statistics insights.
Where to use
MISP-MCP-SERVER can be utilized in cybersecurity, threat intelligence analysis, malware detection, and any domain requiring enhanced data sharing and analysis of threats across different platforms.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Content
MISP MCP Server
A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.
Features
- Mac Malware Detection: Search for the latest macOS-related malware samples
- Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
- Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
- IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
- Threat Intelligence Reports: Generate comprehensive reports based on MISP data
- MISP Statistics: Get insights into your MISP instance’s data
Prerequisites
- Python 3.10 or higher
- MISP instance with API access
- API key with appropriate permissions
Installation
-
Clone this repository:
git clone https://github.com/yourusername/misp-mcp-server.git cd misp-mcp-server -
Create a virtual environment and install dependencies:
python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate pip install "mcp[cli]" pymisp
Configuration
Set the following environment variables to connect to your MISP instance:
MISP_URL- URL of your MISP instance (e.g., “https://misp.example.com”)MISP_API_KEY- Your MISP API keyMISP_VERIFY_SSL- Whether to verify SSL certificates (True/False)
Usage
Running as a standalone server
python misp_server.py
Testing with MCP Inspector
mcp dev misp_server.py
Installing in Claude Desktop
Edit your Claude Desktop configuration file:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.json
Windows:
%APPDATA%\Claude\claude_desktop_config.json
Add the MISP MCP server configuration:
{
"mcpServers": {
"misp-intelligence": {
"command": "python",
"args": [
"/path/to/misp_server.py"
],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key-here",
"MISP_VERIFY_SSL": "True"
}
}
}
}Alternatively, use the MCP CLI:
mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key
Available Tools
get_mac_malware
Get the latest Mac-related malware samples from MISP.
Parameters:
days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
get_platform_malware
Get the latest malware samples for a specific platform from MISP.
Parameters:
platform: Platform to search for (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
advanced_search
Perform advanced searches in MISP.
Parameters:
query_type: Type of search (attribute_type, tag, threatactor, tlp)query_value: Value to search forplatform(optional): Platform filter (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
submit_ioc
Submit a new Indicator of Compromise (IoC) to MISP.
Parameters:
ioc_value: The actual IoC value (e.g., hash, URL, IP)ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)event_info: Brief description of the eventcategory(default: “Artifacts dropped”): Category of the attributeplatform(optional): Platform affected (windows, macos, linux, android, ios, iot)tlp(default: “amber”): Traffic Light Protocol level (white, green, amber, red)comment(optional): Optional comment for the IoC
generate_threat_report
Generate a comprehensive threat intelligence report based on MISP data.
Parameters:
days(default: 30): Number of days to include in the reportplatforms(default: “all”): Comma-separated list of platforms or “all”threat_level(default: “all”): Filter by threat level (low, medium, high, all)include_stats(default: True): Whether to include statistics
search_misp
Search MISP for specific threats.
Parameters:
query: Search term (e.g., CVE ID, malware name, hash)days(default: 30): Number of days to look back
get_misp_stats
Get statistics about the MISP instance.
Available Resources
feeds://recent/{days}
Get information about recent MISP feeds.
Parameters:
days(default: 7): Number of days to look back
Example Queries with Claude
- “What are the latest Mac-related malware samples?”
- “Show me Windows malware from the last 2 weeks”
- “Search for CVE-2023-12345 in MISP”
- “Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email”
- “Generate a threat intelligence report for the last month”
- “What are the current MISP statistics?”
- “Get information about recent MISP feeds”
- “Perform an advanced search for TLP:RED events related to banking trojans”
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Dev Tools Supporting MCP
The following are the main code editors that support the Model Context Protocol. Click the link to visit the official website for more information.
