zeek-mcp

Status: Active

MCP server for Zeek + Suricata network logs.

WHAT IT DOES

zeek-mcp is a Model Context Protocol server for Zeek and Suricata. It parses your network-security-monitoring logs and exposes them as tools an AI client can call directly: connection logs, DNS activity, HTTP requests, SSL certificates, file extractions, security notices, and Suricata IDS alerts.

Beyond raw queries, it ships analytics: statistical C2 beaconing detection with jitter scoring, port-scan and data-exfiltration anomaly detection, and DNS-tunneling checks via Shannon entropy. Suricata alerts cross-correlate back to the matching Zeek connection for full context.
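The beaconing detector described above, as an added example that is not zeek-mcp's own code: it groups conn.log-style records by source, destination and port, then scores each flow's inter-connection intervals with a jitter measure (coefficient of variation plus the share of intervals near the median). The record shape (ts, id.orig_h, id.resp_h, id.resp_p), the sample traffic and the thresholds are assumptions for illustration.

```javascript
// Added example, not zeek-mcp's own code: score (source, destination, port)
// triples for C2 beaconing from conn.log-style records. Assumes each record
// carries ts (epoch seconds) plus id.orig_h, id.resp_h and id.resp_p as in
// Zeek's JSON output; the thresholds below are illustrative, not the project's.

// Constructed sample: 10.0.0.5 calls 203.0.113.7:443 about every 60 s with
// a few seconds of jitter; 10.0.0.9 talks to 198.51.100.20 irregularly.
const BASE_TS = 1700000000;
function flow(orig, resp, port, offsets) {
  return offsets.map((t) => ({ ts: BASE_TS + t, "id.orig_h": orig, "id.resp_h": resp, "id.resp_p": port }));
}
const CONSTRUCTED_CONN = [
  ...flow("10.0.0.5", "203.0.113.7", 443, [0, 61, 119, 181, 240, 302, 359, 421]),
  ...flow("10.0.0.9", "198.51.100.20", 443, [0, 3, 150, 152, 400, 1200, 1205, 1800]),
];

// Group records into sorted timestamp lists keyed by "orig->resp:port".
function groupFlows(records) {
  const groups = new Map();
  for (const r of records) {
    const key = `${r["id.orig_h"]}->${r["id.resp_h"]}:${r["id.resp_p"]}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(Number(r.ts));
  }
  for (const ts of groups.values()) ts.sort((a, b) => a - b);
  return groups;
}

const mean = (xs) => xs.reduce((s, x) => s + x, 0) / xs.length;
const stddev = (xs) => {
  const m = mean(xs);
  return Math.sqrt(mean(xs.map((x) => (x - m) ** 2)));
};

// Jitter score for one flow: the coefficient of variation (stddev / mean) of
// the inter-connection intervals, plus the share of intervals that land
// within 20% of the median. Near-zero CV and high consistency point to a
// timer-driven client; human-driven traffic scatters.
function beaconScore(ts) {
  const iv = [];
  for (let i = 1; i < ts.length; i++) iv.push(ts[i] - ts[i - 1]);
  if (iv.length < 2) return null;
  const m = mean(iv);
  if (m === 0) return null;
  const cv = stddev(iv) / m;
  const sorted = [...iv].sort((a, b) => a - b);
  const median = sorted[Math.floor(sorted.length / 2)];
  const consistency = iv.filter((x) => Math.abs(x - median) <= 0.2 * median).length / iv.length;
  return { connections: ts.length, meanInterval: m, cv, consistency };
}

// Return flows whose timing looks like a beacon. Defaults: at least 6
// connections, CV <= 0.3, at least 80% of intervals near the median.
function detectBeaconing(records, { minConnections = 6, maxCv = 0.3, minConsistency = 0.8 } = {}) {
  const found = [];
  for (const [key, ts] of groupFlows(records)) {
    if (ts.length < minConnections) continue;
    const s = beaconScore(ts);
    if (s && s.cv <= maxCv && s.consistency >= minConsistency) found.push({ flow: key, ...s });
  }
  return found.sort((a, b) => a.cv - b.cv);
}

console.log(detectBeaconing(CONSTRUCTED_CONN));
```

On the constructed input only the 10.0.0.5 flow survives: its intervals sit between 57 and 62 seconds (CV around 0.03), while the browsing host's intervals range from 2 to 800 seconds. Real beacons with deliberate jitter raise the CV, which is why the consistency share is checked alongside it rather than relying on CV alone.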

It reads both Zeek's native TSV and JSON, handles gzip-archived and date-rotated logs, and matches IPv4/IPv6 CIDR ranges and domain wildcards. In total it exposes 25 tools, 2 resources, and 4 guided-investigation prompts.
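The TSV parsing and CIDR matching mentioned above, as an added example that is not zeek-mcp's own code: a small parser for Zeek's native TSV header (#separator, #set_separator, #unset_field, #empty_field, #fields, #types) with per-type coercion, an IPv4 CIDR matcher, and a connection filter in the style of the query tools. IPv6, gzip and date rotation are left out; the conn.log sample, the field subset and the function names are assumptions.

```javascript
// Added example, not zeek-mcp's own code: a minimal parser for Zeek's native
// TSV logs with type coercion from the #types header, plus an IPv4 CIDR
// matcher used to filter conn.log rows. The log below is constructed.

const CONSTRUCTED_CONN_TSV = [
  "#separator \\x09",
  "#set_separator\t,",
  "#empty_field\t(empty)",
  "#unset_field\t-",
  "#path\tconn",
  "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes",
  "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount",
  "1700000000.123\tCk1a2b\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t2.5\t1200\t8400",
  "1700000061.500\tCk1a2c\t10.0.0.9\t51235\t198.51.100.20\t80\ttcp\thttp\t-\t-\t-",
  "1700000119.000\tCk1a2d\t192.168.1.4\t53012\t10.0.0.53\t53\tudp\tdns\t0.01\t60\t120",
  "#close\t2024-01-01-00-05-00",
].join("\n");

// Convert one cell according to its #types entry: unset ("-") becomes null,
// empty becomes "", numeric Zeek types become Number, set/vector types are
// split on the set separator, and everything else stays a string.
function coerce(value, type, opts) {
  if (value === undefined || value === opts.unset) return null;
  if (value === opts.empty) return "";
  const container = /^(set|vector)\[(.+)\]$/.exec(type);
  if (container) return value.split(opts.setSep).map((v) => coerce(v, container[2], opts));
  switch (type) {
    case "time": case "interval": case "double": case "count": case "int": case "port":
      return Number(value);
    case "bool":
      return value === "T";
    default:
      return value; // string, addr, enum, subnet
  }
}

function parseZeekTsv(text) {
  const opts = { setSep: ",", unset: "-", empty: "(empty)" };
  let sep = "\t";
  let fields = null;
  let types = null;
  const rows = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "") continue;
    if (line.startsWith("#separator ")) {
      // Zeek writes the separator as an escape such as \x09; decode it.
      sep = line.slice("#separator ".length).replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
      continue;
    }
    if (line.startsWith("#")) {
      const [key, ...rest] = line.split(sep);
      if (key === "#set_separator") opts.setSep = rest.join(sep);
      else if (key === "#unset_field") opts.unset = rest.join(sep);
      else if (key === "#empty_field") opts.empty = rest.join(sep);
      else if (key === "#fields") fields = rest;
      else if (key === "#types") types = rest;
      continue; // #path, #open and #close carry no row data
    }
    if (!fields) throw new Error("data row before #fields header");
    const cols = line.split(sep);
    const rec = {};
    fields.forEach((name, i) => { rec[name] = coerce(cols[i], types ? types[i] : "string", opts); });
    rows.push(rec);
  }
  return rows;
}

// Dotted-quad IPv4 to a plain number (no 32-bit sign issues); null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr ("10.0.0.0/8"); a bare address means /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const block = 2 ** (32 - bits);
  return Math.floor(a / block) === Math.floor(b / block);
}

// Filter rows the way a connection-query tool would: CIDR on either endpoint,
// protocol, and minimum total bytes (unset byte counts are treated as 0).
function queryConnections(rows, { cidr, proto, minBytes = 0 } = {}) {
  return rows.filter((r) => {
    if (proto && r.proto !== proto) return false;
    if ((r.orig_bytes ?? 0) + (r.resp_bytes ?? 0) < minBytes) return false;
    if (cidr && !inCidr(r["id.orig_h"], cidr) && !inCidr(r["id.resp_h"], cidr)) return false;
    return true;
  });
}

console.log(queryConnections(parseZeekTsv(CONSTRUCTED_CONN_TSV), { cidr: "10.0.0.0/8", proto: "tcp" }));
```

Two details matter when reading real logs: the #separator line is the only header line delimited by a space rather than the separator itself, and the unset marker must be honoured per cell, otherwise a "-" in orig_bytes becomes NaN and silently breaks byte-based filters.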

INSTALL

Published to npm as zeek-mcp. Install the global binary, or run it on demand with npx. Requires Node.js 20+ and a Zeek sensor producing logs.

$ npm i -g zeek-mcp
$ npx zeek-mcp # run on demand

CAPABILITIES / TOOLS EXPOSED

Connection analysis

zeek_query_connections
Search connection logs (CIDR, protocol, duration, bytes).
zeek_connection_summary
Top talkers, services, bytes, and connection counts.
zeek_long_connections
Find long-lived connections (potential C2 beacons, tunnels).

DNS analysis

zeek_query_dns
Search DNS queries with domain wildcards and response-code filters.
zeek_dns_summary
Top domains, NXDOMAIN counts (DGA), query-type distribution.
zeek_dns_tunneling_check
Detect DNS tunneling via entropy and encoding analysis.

HTTP analysis

zeek_query_http
Search HTTP by host, URI, method, user agent, status code.
zeek_suspicious_http
POSTs to IPs, unusual agents, large bodies, base64 in URLs.

SSL/TLS analysis

zeek_query_ssl
Search SSL/TLS by SNI, version, validation status, cert fields.
zeek_expired_certs
Find expired, self-signed, or invalid certificates.

File analysis

zeek_query_files
Search file extractions by MIME type, hash, filename, size.
zeek_executable_downloads
Find executable transfers (PE, ELF, scripts) on the wire.

Notices, SSH & DHCP

zeek_query_notices
Search Zeek security notices (port scans, invalid certs).
zeek_query_ssh
Search SSH connections by auth status, direction, client/server.
zeek_ssh_bruteforce
Detect SSH brute-force attempts over a failure threshold.
zeek_query_dhcp
Search DHCP logs for lease assignments and device discovery.
zeek_dhcp_asset_map
Build a MAC-to-IP/hostname asset map for inventory.

Cross-log investigation & analytics

zeek_investigate_host
Full host investigation across every log type.
zeek_investigate_uid
Follow one connection UID across all log types.
zeek_software_inventory
List detected software and versions on the network.
zeek_detect_beaconing
Detect C2 beaconing via interval regularity and jitter.
zeek_detect_anomalies
Statistical anomaly detection: scans, exfil, unusual ports.

Suricata IDS & sensor

suricata_query_alerts
Search Suricata alerts by signature, severity, IP, protocol, time.
suricata_alert_summary
Top signatures, categories, IPs, severity distribution.
suricata_correlate_zeek
Cross-reference Suricata alerts with Zeek logs for context.
suricata_eve_stats
Engine stats: packets, flows, detection performance.
nids_sensor_status
Live sensor status: log inventory, sizes, freshness, health.

Plus 2 resources (zeek://log-types, zeek://stats) and 4 prompts (triage-alert, investigate-host, hunt-for-c2, network-baseline). Full reference in the README.
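An added example, not zeek-mcp's own code, of the kind of check the zeek_dns_tunneling_check tool and the "Shannon entropy" description above refer to: it scores dns.log-style records by the entropy, length and character alphabet of the longest subdomain label. The record shape (query, qtype_name, rcode_name), the two-label split for the registrable domain, the sample queries and every threshold are assumptions for illustration.

```javascript
// Added example, not zeek-mcp's own code: an entropy-and-encoding check for
// DNS tunnelling over constructed dns.log-like records (query, qtype_name,
// rcode_name as in Zeek's JSON output). The registrable-domain split assumes
// the last two labels; a production check would use the public-suffix list.

const CONSTRUCTED_DNS = [
  { query: "www.example.com", qtype_name: "A", rcode_name: "NOERROR" },
  { query: "mail.example.org", qtype_name: "MX", rcode_name: "NOERROR" },
  { query: "cdn-assets-01.example.com", qtype_name: "A", rcode_name: "NOERROR" },
  { query: "4d5a90000300000004000000ffff0000b8000000.t.example.net", qtype_name: "TXT", rcode_name: "NOERROR" },
  { query: "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.x.example.net", qtype_name: "TXT", rcode_name: "NOERROR" },
];

// Shannon entropy in bits per character: 0 for "aaaa", 2 for "abcd".
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Labels left of the registrable domain (assumed to be the last two labels).
function subdomainLabels(name) {
  const labels = name.replace(/\.$/, "").split(".");
  return labels.length > 2 ? labels.slice(0, -2) : [];
}

// Score one query. The longest subdomain label is the likely payload slot;
// tunnels show either high entropy (compressed or encrypted data) or a
// recognisable encoding alphabet (hex, base64) at unusual lengths. Note that
// hex-encoded binary with many zero bytes has LOW entropy, so the alphabet
// checks are needed alongside the entropy threshold.
function scoreQuery(rec) {
  const label = subdomainLabels(rec.query).reduce((best, l) => (l.length > best.length ? l : best), "");
  const entropy = shannonEntropy(label);
  const reasons = [];
  if (label.length >= 24 && entropy >= 3.5) reasons.push("high-entropy label");
  if (label.length >= 30) reasons.push("long label");
  if (/^[0-9a-f]{24,}$/i.test(label)) reasons.push("hex-encoded label");
  const mixed = /[A-Z]/.test(label) && /[a-z]/.test(label) && /\d/.test(label);
  if (/^[A-Za-z0-9+/=_-]{24,}$/.test(label) && mixed) reasons.push("base64-like label");
  if (reasons.length > 0 && rec.qtype_name === "TXT") reasons.push("TXT query type");
  return { query: rec.query, label, entropy: Number(entropy.toFixed(3)), reasons };
}

// Report queries tripping at least minReasons indicators, most suspicious first.
function dnsTunnelingCheck(records, minReasons = 2) {
  return records
    .map(scoreQuery)
    .filter((s) => s.reasons.length >= minReasons)
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

console.log(dnsTunnelingCheck(CONSTRUCTED_DNS));
```

Requiring two independent indicators keeps ordinary CDN hostnames like cdn-assets-01 out of the report, while the base64-looking label trips four (entropy, length, alphabet, TXT) and the hex label three despite its low entropy. Per-client query volume to one domain and NXDOMAIN rates are the natural next signals to add for a production detector.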

CLIENT CONFIG

Stdio transport. Point any MCP host at the zeek-mcp binary and set the log paths through environment variables. Example mcpServers entry (Claude Desktop / Claude Code):

{
  "mcpServers": {
    "zeek": {
      "command": "zeek-mcp",
      "env": {
        "ZEEK_LOG_DIR": "/opt/nids/zeek/logs",
        "ZEEK_LOG_FORMAT": "tsv",
        "SURICATA_EVE_LOG": "/opt/nids/suricata/logs/eve.json"
      }
    }
  }
}

Config keys: ZEEK_LOG_DIR, ZEEK_LOG_FORMAT (json or tsv), ZEEK_LOG_ARCHIVE, SURICATA_EVE_LOG, and optional MISP / TheHive / PCAP vars.