suricata-mcp

Active

MCP server for Suricata IDS/IPS - analyze network-security alerts.

npm i -g suricata-mcp

WHAT IT DOES

suricata-mcp is a Model Context Protocol server for network security monitoring. It gives an LLM intelligent analysis over Suricata IDS/IPS EVE JSON alerts and Zeek NSM logs: query alerts, flows, and protocol records; analyze connections, DNS, HTTP, TLS, and SSH; and cross-correlate between the two sensors.

It exposes 36 tools, 5 resources, and 5 prompts. Beyond raw querying it ships advanced analytics: DGA detection via Shannon entropy, C2 beaconing detection, data-exfiltration and lateral-movement detection. Threat intel is integrated through MISP IOC lookups and TheHive case/alert creation, and PCAPs can be listed and replayed through either engine.

The server is read-only by default. Mutating tools (rule writes, ruleset reload, PCAP replay) stay disabled until you both set SURICATA_ALLOW_MUTATION=1 and pass confirm: true on the call. Threat-intel HTTP calls use manual redirect handling so a 3xx from a compromised endpoint is refused, not followed with the API key.
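The two guards described above, written out as an added example in the style of the package (this is illustrative code, not suricata-mcp's own implementation; the function names, the injectable fetchImpl stub, and the use of Node 20's global fetch with redirect: 'manual' are assumptions):

```javascript
// Added example: a mutation gate and a redirect-refusing threat-intel fetch.
// Illustrative code, not the suricata-mcp implementation; names are assumptions.

// Mutation gate: a mutating tool runs only when the operator opted in via the
// environment AND the caller passed confirm: true on this specific call.
function assertMutationAllowed(toolName, args, env = process.env) {
  if (env.SURICATA_ALLOW_MUTATION !== '1') {
    throw new Error(`${toolName}: mutation disabled (set SURICATA_ALLOW_MUTATION=1)`);
  }
  if (args.confirm !== true) {
    throw new Error(`${toolName}: pass confirm: true to run a mutating tool`);
  }
  return true;
}

// Threat-intel fetch: redirects are handled manually. A 3xx is refused outright,
// so the Authorization header is never replayed to whatever Location a
// compromised or misconfigured endpoint hands back. fetchImpl is injectable for
// offline testing and defaults to Node 20's global fetch (assumption).
async function threatIntelFetch(url, apiKey, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, {
    method: 'GET',
    headers: { Authorization: apiKey, Accept: 'application/json' },
    redirect: 'manual',
  });
  if (res.status >= 300 && res.status < 400) {
    const location = res.headers.get('location') || '(none)';
    throw new Error(`refusing redirect ${res.status} from ${url} to ${location}`);
  }
  if (!res.ok) throw new Error(`threat-intel request failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed stub standing in for a MISP endpoint (no network access needed).
function makeStubFetch(status, body, location) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    headers: new Headers(location ? { location } : {}),
    json: async () => body,
  });
}

// Exercise both guards: a 200 is returned, a 302 is refused, a call without the
// environment opt-in is rejected before anything mutating happens.
async function demo() {
  const good = await threatIntelFetch('https://misp.example/attributes', 'KEY',
    makeStubFetch(200, { response: { Attribute: [] } }));
  let refused;
  try {
    await threatIntelFetch('https://misp.example/attributes', 'KEY',
      makeStubFetch(302, null, 'https://elsewhere.example/'));
  } catch (e) { refused = e.message; }
  let gated;
  try { assertMutationAllowed('suricata_reload_rules', {}, {}); }
  catch (e) { gated = e.message; }
  return { good, refused, gated };
}

demo().then((r) => console.log(r));
```

Refusing every 3xx is deliberately blunt: a legitimate MISP or TheHive deployment should be reachable at its configured URL, and a redirect that appears unexpectedly is exactly the signal an operator wants surfaced rather than silently followed.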

INSTALL

Published to npm. Install globally to get the suricata-mcp binary, or run it on demand with npx. Requires Node.js 20+ and a Suricata sensor producing EVE JSON logs. Zeek, PCAP, MISP, and TheHive integrations are optional.

$ npm i -g suricata-mcp # install the server binary
$ npx suricata-mcp # or run it without installing

Point SURICATA_EVE_LOG at your EVE JSON log. Set ZEEK_LOGS_DIR, PCAP_DIR, and MISP/TheHive vars to light up the optional tool groups.

CLIENT CONFIG

A sample mcpServers entry (Claude Desktop, or any MCP client that reads the same shape). It runs the installed binary over stdio.

{
  "mcpServers": {
    "suricata": {
      "command": "suricata-mcp",
      "env": {
        "SURICATA_EVE_LOG": "/var/log/suricata/eve.json",
        "SURICATA_RULES_DIR": "/etc/suricata/rules",
        "ZEEK_LOGS_DIR": "/opt/zeek/logs",
        "PCAP_DIR": "/opt/pcaps"
      }
    }
  }
}

For Claude Code use claude mcp add suricata ... -- suricata-mcp. The repo README also documents OpenClaw, Codex CLI, and Hermes Agent.

CAPABILITIES / TOOLS EXPOSED

36 MCP tools across Suricata alerts, flows, and protocols, advanced analytics, Zeek NSM analysis, cross-correlation, rules, PCAP, and threat intel. Grouped below; see the README for the full per-argument reference.

Suricata alerts & flows

suricata_query_alerts / suricata_alert_summary
Search EVE alerts by SID, signature, category, severity, IP, port, protocol, and time; aggregate counts.
suricata_top_alerts / suricata_alert_timeline
Top alerts by frequency/severity and time-bucketed alert counts.
suricata_query_flows / suricata_flow_summary
Search flows and surface top talkers, protocol distribution, and bandwidth stats.

Suricata protocol analysis

suricata_query_dns / suricata_query_http / suricata_query_tls
Inspect DNS, HTTP, and TLS (SNI, JA3/JA4, cert subject/issuer) transactions.
suricata_query_ssh / suricata_query_fileinfo / suricata_query_anomalies
SSH versions, extracted files (name/magic/hash), and protocol anomalies.

Advanced analytics

suricata_beaconing_detection
Detect C2 beaconing via connection-interval analysis with jitter and confidence scoring.
suricata_dga_detection
Detect DGA domains using Shannon-entropy analysis on DNS queries.
suricata_exfiltration_detection / suricata_lateral_movement_detection
Flag abnormal outbound transfer and internal-to-internal scanning on unusual ports.
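The DGA and beaconing analytics listed above, worked through as an added example over constructed EVE JSON records (this is illustrative code, not suricata-mcp's own implementation; the entropy and jitter thresholds, the second-level-label heuristic, the grouping key, and the sample events are all assumptions):

```javascript
// Added example: Shannon-entropy DGA scoring and interval-based beaconing
// detection over Suricata EVE JSON records. Illustrative code, not the
// suricata-mcp implementation; thresholds and field choices are assumptions.

// Shannon entropy (bits) of a string's character distribution.
function shannonEntropy(text) {
  if (!text) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Registrable label: the label left of the public suffix. A real tool would
// consult a public-suffix list; taking the second-to-last label is an assumption.
function registrableLabel(rrname) {
  const parts = rrname.replace(/\.$/, '').toLowerCase().split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Score EVE DNS query events; long, high-entropy labels are DGA candidates.
function scoreDgaCandidates(events, { entropyMin = 3.5, lengthMin = 10 } = {}) {
  const seen = new Map();
  for (const ev of events) {
    if (ev.event_type !== 'dns' || !ev.dns || ev.dns.type !== 'query') continue;
    const label = registrableLabel(ev.dns.rrname);
    if (seen.has(label)) continue;
    const entropy = shannonEntropy(label);
    seen.set(label, { label, rrname: ev.dns.rrname, entropy: Number(entropy.toFixed(3)),
      dga: entropy >= entropyMin && label.length >= lengthMin });
  }
  return [...seen.values()];
}

// Group EVE flow events by (src_ip, dest_ip, dest_port), compute inter-arrival
// intervals, and report jitter = stddev / mean. Low jitter across many
// connections is the beaconing signal; confidence = 1 - jitter, clipped to [0, 1].
function detectBeaconing(events, { minConnections = 5, maxJitter = 0.2 } = {}) {
  const groups = new Map();
  for (const ev of events) {
    if (ev.event_type !== 'flow') continue;
    const key = `${ev.src_ip}->${ev.dest_ip}:${ev.dest_port}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(Date.parse(ev.timestamp) / 1000);
  }
  const results = [];
  for (const [key, times] of groups) {
    if (times.length < minConnections) continue;
    times.sort((a, b) => a - b);
    const intervals = times.slice(1).map((t, i) => t - times[i]);
    const mean = intervals.reduce((a, b) => a + b, 0) / intervals.length;
    const variance = intervals.reduce((a, d) => a + (d - mean) ** 2, 0) / intervals.length;
    const jitter = mean > 0 ? Math.sqrt(variance) / mean : Infinity;
    results.push({ key, connections: times.length, meanInterval: mean,
      jitter: Number(jitter.toFixed(3)), confidence: Math.max(0, Math.min(1, 1 - jitter)),
      beaconing: jitter <= maxJitter });
  }
  return results;
}

// Constructed sample events (not real sensor data); ISO timestamps are used
// instead of Suricata's "+0000" form so Date.parse handles them portably.
const base = Date.parse('2024-01-01T00:00:00Z');
const flow = (src, dst, port, offsetSec) => ({ event_type: 'flow', src_ip: src, dest_ip: dst,
  dest_port: port, proto: 'TCP', timestamp: new Date(base + offsetSec * 1000).toISOString() });
const sampleEvents = [
  { event_type: 'dns', dns: { type: 'query', rrname: 'xk2q9vz7mw4p.net' } },
  { event_type: 'dns', dns: { type: 'query', rrname: 'mail.google.com' } },
  { event_type: 'dns', dns: { type: 'query', rrname: 'www.example.com.' } },
  // roughly 60 s cadence with a few seconds of jitter
  ...[0, 62, 119, 181, 238, 300].map((s) => flow('10.0.0.5', '203.0.113.9', 443, s)),
  // irregular browsing to another host
  ...[0, 5, 405, 435, 1335, 1345].map((s) => flow('10.0.0.5', '198.51.100.7', 443, s)),
];

console.log(scoreDgaCandidates(sampleEvents));
console.log(detectBeaconing(sampleEvents));
```

On the sample data the twelve-character all-distinct label scores log2(12) ≈ 3.585 bits and is flagged, while "google" and "example" sit below 2.6 bits; the 60 s cadence yields a jitter ratio near 0.04, and the irregular set yields one above 1. Thresholds are where false positives live: short labels can reach high entropy by accident, and CDN keep-alives can look periodic, so both detectors should feed an analyst rather than page one.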

Investigation & Zeek

suricata_investigate_host / suricata_investigate_alert
Full host investigation across event types; deep alert investigation with correlated data.
zeek_query_connections / dns / http / ssl / files / ssh / weird
Query Zeek NSM TSV logs across conn, dns, http, ssl, files, ssh, and weird.
correlate_alert_with_zeek
Cross-correlate Suricata alerts with Zeek logs by IP pair and time window.

Rules, engine, PCAP & threat intel

suricata_search_rules / suricata_rule_stats / suricata_create_rule / suricata_toggle_rule
Search and stat the ruleset; create or enable/disable rules (mutation-gated).
suricata_engine_stats / suricata_reload_rules / suricata_iface_stat
Engine, decoder, and interface stats plus live rule reload via Unix socket.
pcap_list / pcap_replay_suricata / pcap_replay_zeek
List PCAPs and replay them through Suricata or Zeek (mutation-gated).
misp_search_ioc / thehive_create_case / thehive_create_alert
Look up IOCs in MISP and push cases/alerts to TheHive for triage.

Plus 5 resources (event types, current stats, rule summary, sanitized config, Zeek log types) and 5 prompts (investigate-alert, hunt-for-threats, incident-response, network-baseline, daily-alert-report).

36 MCP tools · 5 resources · 5 prompts · MIT license