Turn Claude Desktop into a network security analyst.
A comprehensive Model Context Protocol (MCP) server that connects Claude Desktop to Suricata IDS/IPS. Analyze PCAPs, manage detection rules, and lint rule quality β all through natural language. Built from scratch with Python and FastMCP.
Instead of running Suricata from the terminal, writing grep pipelines to search rules, and manually linting signatures, you talk to Claude and it does it for you. Ask Claude to:
- "What version of Suricata is installed?" β Runs
suricata -V - "Analyze this PCAP file for threats" β Runs Suricata against a PCAP and returns parsed alerts, stats, and EVE JSON events
- "Show me all enabled rules related to DNS tunneling" β Searches 64,000+ rules instantly
- "Check this rule for quality issues" β Runs suricata-check and returns actionable feedback
- "Disable rule SID 2100498" β Comments out the rule with automatic backup
- "Write a rule to detect HTTP traffic to evil.com and validate it" β Creates the rule, validates syntax through Suricata's engine, and lints it for best practices
All results come back in the chat. No terminal switching. No manual log parsing.
| Tool | Description |
|---|---|
| get_suricata_version | Get installed Suricata version |
| get_suricata_help | Get CLI help output |
| get_suricata_build_info | Get build info β features, libraries, compile flags |
| analyze_pcap | Full PCAP analysis β alerts, stats, and EVE JSON events |
| get_alerts_from_pcap | Alerts only from a PCAP file (parsed fast.log) |
| get_stats_from_pcap | Stats only from a PCAP file |
| get_eve_events_from_pcap | EVE JSON events, filterable by type (alert, dns, http, tls, flow) |
| Tool | Description |
|---|---|
| analyze_rule | Lint a single rule for quality issues |
| analyze_rule_with_checkers | Lint with specific checker include/exclude patterns |
| analyze_ruleset_file | Lint an entire .rules file and get a summary |
| Tool | Description |
|---|---|
| list_rules | List/search rules with filtering (enabled/disabled/keyword) |
| get_rule_by_sid | Look up a specific rule by SID |
| enable_rule | Uncomment a disabled rule |
| disable_rule | Comment out an enabled rule |
| add_rule | Append a new rule to the rules file |
| edit_rule | Replace a rule by SID |
| delete_rule | Remove a rule by SID |
| validate_rule_syntax | Validate rule syntax through Suricata's engine |
- Structured output: Alerts parsed into structured dicts, not raw log lines
- EVE JSON support: Full access to Suricata's rich JSON event output
- Automatic backups: Every rule modification creates a timestamped backup
- Cross-platform: Works on Linux, macOS, and Windows
- Environment-based config: All settings via
.envor environment variables - Graceful degradation: suricata-check is optional β core tools work without it
- Python 3.10+
- Suricata installed (download)
- Claude Desktop
git clone https://github.com/Hackerobi/suricata-mcp-server.git
cd suricata-mcp-serverpython3 -m venv .venv
source .venv/bin/activate # Linux/Mac
# .venv\Scripts\activate # Windows
pip install -r requirements.txtpip install suricata-check# Ubuntu/Debian
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
# Verify
suricata -Vsudo suricata-updateThis fetches the Emerging Threats Open ruleset (~64,000 rules) to /var/lib/suricata/rules/suricata.rules.
cp .env.example .env
# Edit .env if your paths differ from defaults# Start the server
python server.py
# Or run the test suite
sudo .venv/bin/python test_tools.pyAdd to your Claude Desktop profile config (e.g., ~/.config/Claude/profiles/SOC.json on Linux):
{
"mcpServers": {
"SuricataMCP": {
"command": "sudo",
"args": [
"/path/to/suricata-mcp-server/.venv/bin/python",
"/path/to/suricata-mcp-server/server.py"
],
"cwd": "/path/to/suricata-mcp-server"
}
}
}Note:
sudois needed because Suricata's rules and config files are root-owned. For passwordless operation, add to sudoers:youruser ALL=(root) NOPASSWD: /path/to/.venv/bin/python /path/to/server.py
The SuricataMCP tools will appear automatically. Start analyzing.
All settings are prefixed with SURICATA_MCP_ and can be set in .env or as environment variables.
| Variable | Default (Linux) | Description |
|---|---|---|
SURICATA_MCP_SURICATA_DIR |
/usr/bin |
Directory containing Suricata binary |
SURICATA_MCP_SURICATA_EXE |
suricata |
Suricata executable name |
SURICATA_MCP_RULES_FILE |
/var/lib/suricata/rules/suricata.rules |
Default rules file path |
SURICATA_MCP_SURICATA_CONFIG |
/etc/suricata/suricata.yaml |
Suricata YAML config |
SURICATA_MCP_COMMAND_TIMEOUT |
300 |
Max seconds for Suricata commands |
"Analyze the PCAP at /tmp/suspicious_traffic.pcap and show me all alerts"
Claude runs analyze_pcap β returns structured alerts with timestamps, SIDs, and messages.
"Check this rule for issues:
alert tcp any any -> any 443 (msg:"TLS to suspicious port"; sid:1000001; rev:1;)"
Claude runs analyze_rule β returns 10+ actionable suggestions for metadata, content matching, SID ranges, and best practices.
"Find all enabled rules related to SQL injection, then disable SID 2006546"
Claude chains: list_rules (search="sql injection", enabled_only=True) β disable_rule (sid=2006546)
"Write a rule to detect HTTP POST requests to /admin/upload and validate it"
Claude writes the rule β runs validate_rule_syntax through Suricata's engine β fixes any errors β confirms it's valid.
"Run this PCAP through Suricata and show me all DNS queries"
Claude runs get_eve_events_from_pcap with event_type="dns" β returns structured DNS query/response data.
"Analyze this PCAP, check what rules triggered, then lint those rules for quality improvements"
Claude chains: analyze_pcap β extracts SIDs from alerts β get_rule_by_sid for each β analyze_rule on each β synthesizes a report.
- Automatic backups: Every rule file modification creates a timestamped
.backup_YYYYMMDD_HHMMSS.rulesfile - Input validation: Rules are validated before being added (must have action, SID)
- Least privilege sudo: Configure sudoers for only the specific server command
- No destructive defaults: The server never modifies rules without explicit tool calls
- Never commit
.envto version control
suricata-mcp-server/
βββ server.py # FastMCP server β all 18 tools
βββ config.py # Pydantic-settings configuration
βββ test_tools.py # Integration test script
βββ requirements.txt # Python dependencies
βββ .env.example # Configuration template
βββ .gitignore
βββ suricatamcp.service # Systemd service for background running
βββ README.md
Install the systemd service for automatic startup:
sudo cp suricatamcp.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable suricatamcp
sudo systemctl start suricatamcp
# Check status
sudo systemctl status suricatamcp
# View logs
sudo journalctl -u suricatamcp -f# Activate venv
source .venv/bin/activate
# Run with sudo (needed for rules file access)
sudo .venv/bin/python test_tools.py- Suricata β Open-source IDS/IPS engine by OISF
- suricata-check β Rule quality analysis library
- FastMCP β Python MCP server framework
- pydantic-settings β Environment-based configuration
Inspired by Medinios/SuricataMCP β rebuilt from scratch with full rule management and analysis capabilities.
This project is not affiliated with the OISF (Open Information Security Foundation) or the official Suricata project. It is an independent MCP integration built for security analysis workflows. Always ensure you have proper authorization before analyzing network traffic.
Pull requests welcome. To add a new tool:
- Add the function in
server.pywith the@mcp.tool()decorator - Add a test case in
test_tools.py - Update this README
- Submit a PR
- Discord: sgtwolf787
- GitHub: @Hackerobi
White hat or no hat π©
Built with Claude. Tested with Suricata 8.0.3 and 64,357 ET Open rules. Stay legal.