MISP MCP Server
Integrates with MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.
MISP MCP Server
A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.
Features
- Mac Malware Detection: Search for the latest macOS-related malware samples
- Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
- Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
- IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
- Threat Intelligence Reports: Generate comprehensive reports based on MISP data
- MISP Statistics: Get insights into your MISP instance's data
Prerequisites
- Python 3.10 or higher
- MISP instance with API access
- API key with appropriate permissions
Installation
-
Clone this repository:
git clone https://github.com/yourusername/misp-mcp-server.git cd misp-mcp-server -
Create a virtual environment and install dependencies:
python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate pip install "mcp[cli]" pymisp
Configuration
Set the following environment variables to connect to your MISP instance:
MISP_URL- URL of your MISP instance (e.g., "https://misp.example.com")MISP_API_KEY- Your MISP API keyMISP_VERIFY_SSL- Whether to verify SSL certificates (True/False)
Usage
Running as a standalone server
python misp_server.py
Testing with MCP Inspector
mcp dev misp_server.py
Installing in Claude Desktop
Edit your Claude Desktop configuration file:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.json
Windows:
%APPDATA%\Claude\claude_desktop_config.json
Add the MISP MCP server configuration:
{
"mcpServers": {
"misp-intelligence": {
"command": "python",
"args": ["/path/to/misp_server.py"],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key-here",
"MISP_VERIFY_SSL": "True"
}
}
}
}
Alternatively, use the MCP CLI:
mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key
Available Tools
get_mac_malware
Get the latest Mac-related malware samples from MISP.
Parameters:
days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
get_platform_malware
Get the latest malware samples for a specific platform from MISP.
Parameters:
platform: Platform to search for (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
advanced_search
Perform advanced searches in MISP.
Parameters:
query_type: Type of search (attribute_type, tag, threatactor, tlp)query_value: Value to search forplatform(optional): Platform filter (windows, macos, linux, android, ios, iot)days(default: 30): Number of days to look backlimit(default: 10): Maximum number of results to return
submit_ioc
Submit a new Indicator of Compromise (IoC) to MISP.
Parameters:
ioc_value: The actual IoC value (e.g., hash, URL, IP)ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)event_info: Brief description of the eventcategory(default: "Artifacts dropped"): Category of the attributeplatform(optional): Platform affected (windows, macos, linux, android, ios, iot)tlp(default: "amber"): Traffic Light Protocol level (white, green, amber, red)comment(optional): Optional comment for the IoC
generate_threat_report
Generate a comprehensive threat intelligence report based on MISP data.
Parameters:
days(default: 30): Number of days to include in the reportplatforms(default: "all"): Comma-separated list of platforms or "all"threat_level(default: "all"): Filter by threat level (low, medium, high, all)include_stats(default: True): Whether to include statistics
search_misp
Search MISP for specific threats.
Parameters:
query: Search term (e.g., CVE ID, malware name, hash)days(default: 30): Number of days to look back
get_misp_stats
Get statistics about the MISP instance.
Available Resources
feeds://recent/{days}
Get information about recent MISP feeds.
Parameters:
days(default: 7): Number of days to look back
Example Queries with Claude
- "What are the latest Mac-related malware samples?"
- "Show me Windows malware from the last 2 weeks"
- "Search for CVE-2023-12345 in MISP"
- "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
- "Generate a threat intelligence report for the last month"
- "What are the current MISP statistics?"
- "Get information about recent MISP feeds"
- "Perform an advanced search for TLP:RED events related to banking trojans"
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Related Servers
Tenki
A server for fetching weather information in Japan.
Plex
Provides AI assistants with comprehensive access to a Plex Media Server.
Flyworks MCP
A server for creating fast and free lipsync videos for digital avatars, supporting both realistic and cartoon styles.
N.I.N.A. Advanced API
Control the N.I.N.A. (Nighttime Imaging 'N' Astronomy) software through its Advanced API.
Current Time JST
Provides the current time in Japan Standard Time (JST, UTC+9).
MCP Servers
A collection of MCP servers for Cursor IDE, including demo and weather services.
SuricataMCP
A server that allows MCP clients to use Suricata for network traffic analysis.
Smithsonian Open Access
An MCP server to interact with the Smithsonian’s Open Access collection.
MCP Weather Server
Provides real-time weather information and forecasts using the OpenWeatherMap API.
通胜 MCP 服务
Provides Chinese Tung Shing (almanac) data, including calendar conversions, auspicious activities, and traditional metaphysical elements.