mcpserver.so LogoMCPFly
Submit
MISP MCP Server logo

MISP MCP Server

by bornpresident

Security/Threat IntelligenceMISPThreat IntelligenceMalwareIoC

The MISP MCP Server integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models. It allows querying and submitting threat intelligence data to a MISP instance.

View on GitHub

Last updated: N/A

MISP MCP Server

A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.

Features

  • Mac Malware Detection: Search for the latest macOS-related malware samples
  • Cross-Platform Threat Intelligence: Search for threats affecting Windows, macOS, Linux, Android, iOS, and IoT devices
  • Advanced Search Capabilities: Search by attribute type, tag, threat actor, or TLP classification
  • IoC Submission: Submit new Indicators of Compromise directly to your MISP instance
  • Threat Intelligence Reports: Generate comprehensive reports based on MISP data
  • MISP Statistics: Get insights into your MISP instance's data

Prerequisites

  • Python 3.10 or higher
  • MISP instance with API access
  • API key with appropriate permissions

Installation

  1. Clone this repository:

    git clone https://github.com/yourusername/misp-mcp-server.git
cd misp-mcp-server

  2. Create a virtual environment and install dependencies:

    python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
pip install "mcp[cli]" pymisp

Configuration

Set the following environment variables to connect to your MISP instance:

  • MISP_URL - URL of your MISP instance (e.g., "https://misp.example.com")
  • MISP_API_KEY - Your MISP API key
  • MISP_VERIFY_SSL - Whether to verify SSL certificates (True/False)

Usage

Running as a standalone server

python misp_server.py

Testing with MCP Inspector

mcp dev misp_server.py

Installing in Claude Desktop

Edit your Claude Desktop configuration file:

macOS:

~/Library/Application Support/Claude/claude_desktop_config.json

Windows:

%APPDATA%\Claude\claude_desktop_config.json

Add the MISP MCP server configuration:

{
  "mcpServers": {
    "misp-intelligence": {
      "command": "python",
      "args": ["/path/to/misp_server.py"],
      "env": {
        "MISP_URL": "https://your-misp-instance.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "True"
      }
    }
  }
}

Alternatively, use the MCP CLI:

mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key

Available Tools

get_mac_malware

Get the latest Mac-related malware samples from MISP.

Parameters:

  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

get_platform_malware

Get the latest malware samples for a specific platform from MISP.

Parameters:

  • platform: Platform to search for (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

advanced_search

Perform advanced searches in MISP.

Parameters:

  • query_type: Type of search (attribute_type, tag, threatactor, tlp)
  • query_value: Value to search for
  • platform (optional): Platform filter (windows, macos, linux, android, ios, iot)
  • days (default: 30): Number of days to look back
  • limit (default: 10): Maximum number of results to return

submit_ioc

Submit a new Indicator of Compromise (IoC) to MISP.

Parameters:

  • ioc_value: The actual IoC value (e.g., hash, URL, IP)
  • ioc_type: Type of IoC (e.g., md5, sha256, url, ip-dst, filename)
  • event_info: Brief description of the event
  • category (default: "Artifacts dropped"): Category of the attribute
  • platform (optional): Platform affected (windows, macos, linux, android, ios, iot)
  • tlp (default: "amber"): Traffic Light Protocol level (white, green, amber, red)
  • comment (optional): Optional comment for the IoC

generate_threat_report

Generate a comprehensive threat intelligence report based on MISP data.

Parameters:

  • days (default: 30): Number of days to include in the report
  • platforms (default: "all"): Comma-separated list of platforms or "all"
  • threat_level (default: "all"): Filter by threat level (low, medium, high, all)
  • include_stats (default: True): Whether to include statistics

search_misp

Search MISP for specific threats.

Parameters:

  • query: Search term (e.g., CVE ID, malware name, hash)
  • days (default: 30): Number of days to look back

get_misp_stats

Get statistics about the MISP instance.

Available Resources

feeds://recent/{days}

Get information about recent MISP feeds.

Parameters:

  • days (default: 7): Number of days to look back

Example Queries with Claude

  1. "What are the latest Mac-related malware samples?"
  2. "Show me Windows malware from the last 2 weeks"
  3. "Search for CVE-2023-12345 in MISP"
  4. "Submit this IoC to MISP: 1a2b3c4d5e6f7g8h9i0j, type: md5, description: suspicious file found in phishing email"
  5. "Generate a threat intelligence report for the last month"
  6. "What are the current MISP statistics?"
  7. "Get information about recent MISP feeds"
  8. "Perform an advanced search for TLP:RED events related to banking trojans"

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.