- Home
- MCP servers
- MISP
MISP
- python
8
GitHub Stars
python
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
View docs{
"mcpServers": {
"bornpresident-misp-mcp-server": {
"command": "python",
"args": [
"misp_server.py"
],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key",
"MISP_VERIFY_SSL": "True"
}
}
}
}You can run a MISP MCP Server to expose MISP threat intelligence capabilities to your MCP clients, enabling Mac malware discovery, cross‑platform threat intelligence, IoC submission, and comprehensive reports from your MISP instance.
How to use
Use an MCP client to interact with the MISP MCP Server and run the available tools to search, submit IoCs, and generate reports. You will typically authenticate by ensuring your MISP connection settings (URL, API key) are provided to the server via environment variables, then invoke the server’s tools through your MCP client. Common workflows include retrieving recent Mac malware samples, performing advanced searches by attribute type or tag, submitting new IoCs to MISP, and generating threat intelligence reports from the collected data.
Practical usage patterns you can follow:
- Look up the latest Mac-related malware samples and other platform malware across Windows, macOS, Linux, Android, iOS, and IoT.
- Perform targeted searches by attribute type, tag, threat actor, or TLP classification to refine results.
- Submit new IoCs directly to your MISP instance from the MCP interface.
- Generate comprehensive threat intelligence reports based on recent MISP data and include statistics when needed.
How to install
git clone https://github.com/bornpresident/misp-mcp-server.git
cd misp-mcp-server
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install "mcp[cli]" pymisp
Prerequisites you need before installing:
- Python 3.10 or higher
- Access to a MISP instance with an API key and permissions
- Internet access to install Python packages from PyPI
If you are using Windows, activate the virtual environment with the Windows-specific command shown above and continue with the same installation steps. After installation, you can start using the MCP server once configuration is complete.
Configuration
Configure the connection to your MISP instance by setting these environment variables for the MCP server process:
- MISP_URL: URL of your MISP instance (for example, https://misp.example.com)
- MISP_API_KEY: Your MISP API key
- MISP_VERIFY_SSL: True or False depending on whether to verify SSL certificates
Example values you can start with (placeholders you should replace with real data):
- MISP_URL=https://your-misp-instance.com
- MISP_API_KEY=your-api-key
- MISP_VERIFY_SSL=True
Starting and testing
To run the server locally, start the script that implements the MCP server.
python misp_server.py
You can also test integration with the MCP Inspector tool to ensure the server is accessible and responding as expected.
mcp dev misp_server.py
Claude Desktop and MCP CLI configuration
If you use Claude Desktop, you can add the MISP MCP server configuration to your Claude Desktop configuration file. The example shows how to reference the local script with environment variables.
{
"mcpServers": {
"misp-intelligence": {
"command": "python",
"args": ["/path/to/misp_server.py"],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key",
"MISP_VERIFY_SSL": "True"
}
}
}
}
Using MCP CLI to install
Install the MCP server using the command line interface. This sets up your MISP MCP Server with the required environment variables.
mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key
Available tools
get_mac_malware
Retrieve the latest macOS malware samples within a specified time window.
get_platform_malware
Fetch recent malware samples for a specific platform (windows, macos, linux, android, ios, iot).
advanced_search
Perform advanced searches by attribute type, tag, threat actor, or tlp classification with optional platform filters and date range.
submit_ioc
Submit a new Indicator of Compromise to MISP with optional platform, TLP, and description.
generate_threat_report
Create a comprehensive threat intelligence report based on MISP data with optional date range and platform filters.
search_misp
Search MISP for threats using a general query term.
get_misp_stats
Retrieve statistics about the MISP instance.
feeds
Query information about recent MISP feeds.