Suricata

Provides programmatic Suricata analysis via MCP endpoints to get version, help, and PCAP alerts.
Language: python. GitHub stars: 13. First indexed: 4 months ago. Catalog refreshed: 3 weeks ago.

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "medinios-suricatamcp": {
      "command": "cmd",
      "args": [
        "/c",
        "mcp",
        "run",
        "[YourPath]\\SuricataMcp\\suricata-mcp.py"
      ]
    }
  }
}

SuricataMCP is a Model Context Protocol Server that lets MCP clients autonomously use Suricata for network traffic analysis. It provides programmatic access to Suricata features such as querying the Suricata version, obtaining CLI help, and parsing PCAP files to retrieve alerts, all through a unified MCP interface.

How to use

You interact with SuricataMCP from an MCP client to perform three core actions: check the Suricata version, view Suricata CLI help, and analyze a PCAP file to extract alerts. Start the MCP server, then call the available tools to retrieve the information you need and feed results into your workflow or coding tools.

How to install

Before installing you need Python and a Suricata installation on your system, plus an MCP-capable environment or toolchain to run the MCP server.

  1. Install Suricata on your system by following the Suricata installation steps for your operating system. If you are on Linux, you can use the package manager to install Suricata. For example:
sudo apt install suricata
  2. Prepare a Python environment and install the required Python packages for SuricataMCP:
pip install -r requirements.txt
  3. Clone the SuricataMCP project and navigate into its directory:
git clone https://github.com/medinios/SuricataMCP.git
cd SuricataMCP
  4. Edit the configuration to point to your Suricata installation. In the configuration file, set the path to Suricata as shown:
SURICATA_DIR = "/path/to/suricata"
SURICATA_EXE_FILE = "suricata"  # or "suricata.exe" on Windows


  5. Add SuricataMCP to your MCP host or AI platform by providing the MCP server configuration. The following stdio-based command starts the SuricataMCP server via the command interpreter:
{
  "mcpServers": {
    "SuricataMcp": {
      "command": "cmd",
      "args": ["/c", "mcp", "run", "[YourPath]\\SuricataMcp\\suricata-mcp.py"]
    }
  }
}

Use this MCP runner to serve the SuricataMCP endpoints within your toolchain. The server exposes these tools you can call from your MCP client: get_suricata_version, get_suricata_help, and get_alerts_from_pcap_file.

To integrate SuricataMCP with your environment, ensure Suricata is in your system path and that the MCP runner can locate suricata-mcp.py as shown above. If you need to customize paths, adjust SURICATA_DIR and SURICATA_EXE_FILE accordingly in your local config.

  6. Optional: add custom Suricata rules to extend detection capabilities. Place your custom rule files (for example, custom.rules) into the suricata/rules directory to activate them during analysis.

Available tools

get_suricata_version

Returns Suricata's version string to verify installation and compatibility.

get_suricata_help

Returns the Suricata CLI help output to quickly reference available command-line options.

get_alerts_from_pcap_file

Runs Suricata on a provided PCAP file and returns the contents of fast.log, enabling automated alert retrieval.
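As an added example (not SuricataMCP's own code), the following shows the two things a client of this tool ends up needing: the offline-replay command line Suricata is run with for a PCAP, and a parser that turns the raw fast.log text into structured alert records. SURICATA_DIR and SURICATA_EXE_FILE are the config names from the install step with placeholder values; the fast.log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Config names from the install step above; the values here are placeholders.
SURICATA_DIR = "/usr/bin"
SURICATA_EXE_FILE = "suricata"

# fast.log alert layout: <timestamp>  [**] [gid:sid:rev] <msg> [**]
#   [Classification: <text>] [Priority: <n>] {<PROTO>} <src>:<port> -> <dst>:<port>
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int  # 1 is the most severe in Suricata's classification.config
    proto: str
    src: str
    dst: str

def suricata_pcap_argv(pcap: str, log_dir: str) -> List[str]:
    """Argument vector for an offline run: -r replays the PCAP and -l is the
    directory Suricata writes fast.log into (nothing is executed here)."""
    return [str(Path(SURICATA_DIR) / SURICATA_EXE_FILE), "-r", pcap, "-l", log_dir]

def parse_fast_log(text: str) -> List[Alert]:
    """Turn raw fast.log text into Alert records; lines that do not match the
    format (blank lines, partial writes) are skipped instead of raising."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], int(m["sid"]), int(m["rev"]), m["msg"],
                                m["cls"], int(m["prio"]), m["proto"], m["src"], m["dst"]))
    return alerts

# Constructed sample of what get_alerts_from_pcap_file returns (documentation IPs).
SAMPLE_FAST_LOG = """\
05/03/2024-12:34:56.123456  [**] [1:1000001:2] LOCAL Suspicious user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
05/03/2024-12:34:57.000001  [**] [1:1000002:1] LOCAL DNS query to sinkhole domain [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:53412 -> 198.51.100.2:53
not an alert line; the parser must skip it
"""
```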

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.