lidless-labs

zeek-mcp

Community lidless-labs
Updated

MCP server for Zeek + Suricata network security monitoring logs. Query, hunt, and correlate NSM telemetry from an AI client.

zeek-mcp

Analyze Zeek and Suricata network logs from your AI client.

Website  ·  npm  ·  Tools  ·  Quickstart

zeek-mcp is a Model Context Protocol (MCP) server that lets an AI client read, query, and correlate Zeek and Suricata network security monitoring logs. It exists because network telemetry lives in dense per-protocol log files (conn, dns, http, ssl, files, notice, plus Suricata eve.json) that are tedious to grep by hand during an investigation, and an LLM is good at pivoting across them if you give it structured access. It differs from a generic log-reader MCP by speaking Zeek and Suricata natively: it parses both JSON and TSV, understands CIDR and wildcard matching, walks date-rotated and gzipped archives, and ships purpose-built detections (beaconing, DNS tunneling, JA3 hunting, anomaly and baseline analysis) rather than handing the model raw text.

What it does

zeek-mcp turns a Zeek and Suricata sensor into a queryable surface for an AI agent doing network security monitoring (NSM). Point it at your Zeek log directory and Suricata eve.json, register it with any MCP client, and the model can search connection logs, follow a connection UID across every log type, profile DNS for DGA and tunneling, inspect SSL/TLS certificates and JA3 fingerprints, find executable downloads on the wire, cross-reference Suricata alerts against Zeek context, and escalate findings into TheHive or MISP. Detection logic that would otherwise be a pile of ad-hoc queries (C2 beaconing by interval regularity, statistical anomaly detection, network baselining) is exposed as first-class tools, so the agent asks one question instead of reconstructing the analysis from raw logs every time.

It reads logs; it does not run the sensor, mutate capture, or replace your SIEM. Everything is read-only against Zeek and Suricata data, with the single exception of the optional TheHive and MISP tools that create alerts, cases, and events when you provide credentials.

Installation

git clone https://github.com/lidless-labs/zeek-mcp.git
cd zeek-mcp
npm install
npm run build

Prerequisites

  • Node.js 20+
  • Zeek sensor generating logs (JSON or TSV format)
  • Suricata (optional, for IDS alert correlation)

Quickstart

zeek-mcp is published on npm and runs over stdio, so any MCP client can launch it with npx. Add this to your client's MCP config (the example below is for Claude Desktop / Claude Code, adjust env paths to your sensor):

{
  "mcpServers": {
    "zeek": {
      "command": "npx",
      "args": ["-y", "zeek-mcp"],
      "env": {
        "ZEEK_LOG_DIR": "/opt/zeek/logs/current",
        "ZEEK_LOG_FORMAT": "tsv",
        "SURICATA_EVE_LOG": "/opt/suricata/logs/eve.json"
      }
    }
  }
}

Then ask your agent something like "summarize the top talkers in the last connection log and flag any beaconing" and it will call the relevant tools.

To try it locally against the bundled sample data:

npx -y zeek-mcp   # or: git clone, npm install, npm run build, then node dist/index.js

Set ZEEK_LOG_DIR to the included test-data/ directory to explore without a live sensor (see Development).

Usage

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "zeek": {
      "command": "npx",
      "args": ["-y", "zeek-mcp"],
      "env": {
        "ZEEK_LOG_DIR": "/opt/zeek/logs/current",
        "ZEEK_LOG_FORMAT": "tsv",
        "SURICATA_EVE_LOG": "/opt/suricata/logs/eve.json"
      }
    }
  }
}

Claude Code

claude mcp add zeek \
  --env ZEEK_LOG_DIR=/opt/zeek/logs/current \
  --env ZEEK_LOG_FORMAT=tsv \
  --env SURICATA_EVE_LOG=/opt/suricata/logs/eve.json \
  -- npx -y zeek-mcp

Add --scope user to make it available from any directory instead of only the current project.

OpenClaw

With the published package:

openclaw mcp set zeek '{
  "command": "npx",
  "args": ["-y", "zeek-mcp"],
  "env": {
    "ZEEK_LOG_DIR": "/opt/zeek/logs/current",
    "ZEEK_LOG_FORMAT": "tsv",
    "SURICATA_EVE_LOG": "/opt/suricata/logs/eve.json"
  }
}'

Or, when running from a source checkout instead of the npm package, point command/args at the built dist/index.js:

openclaw mcp set zeek '{
  "command": "node",
  "args": ["/absolute/path/to/zeek-mcp/dist/index.js"],
  "env": {
    "ZEEK_LOG_DIR": "/opt/zeek/logs/current",
    "ZEEK_LOG_FORMAT": "tsv",
    "SURICATA_EVE_LOG": "/opt/suricata/logs/eve.json"
  }
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "zeek" is registered

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add zeek \
  --env ZEEK_LOG_DIR=/opt/zeek/logs/current \
  --env ZEEK_LOG_FORMAT=tsv \
  --env SURICATA_EVE_LOG=/opt/suricata/logs/eve.json \
  -- npx -y zeek-mcp

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.zeek]. Verify with codex mcp list.

Standalone

ZEEK_LOG_DIR=/opt/zeek/logs/current ZEEK_LOG_FORMAT=tsv node dist/index.js

Development

ZEEK_LOG_DIR=./test-data npm run dev

Tools

zeek-mcp registers 39 tools. Read-only Zeek/Suricata query and analysis tools make up most of the set; the TheHive and MISP tools are the only ones that write, and only when you supply credentials.

Connection Analysis

Tool Description
zeek_query_connections Search connection logs with flexible filters (CIDR, protocol, duration, bytes)
zeek_connection_summary Statistical summary: top talkers, services, bytes, connection counts
zeek_long_connections Find long-lived connections (potential C2 beacons, tunnels)

DNS Analysis

Tool Description
zeek_query_dns Search DNS queries with domain wildcards and response code filtering
zeek_dns_summary Top domains, NXDOMAIN counts (DGA detection), query type distribution
zeek_dns_tunneling_check Detect DNS tunneling via entropy analysis and encoding detection

HTTP Analysis

Tool Description
zeek_query_http Search HTTP requests by host, URI, method, user agent, status code
zeek_suspicious_http Find suspicious HTTP: POSTs to IPs, unusual agents, large bodies, base64 in URLs

SSL/TLS Analysis

Tool Description
zeek_query_ssl Search SSL/TLS by SNI, version, validation status, certificate fields
zeek_expired_certs Find expired, self-signed, or invalid certificates

File Analysis

Tool Description
zeek_query_files Search file extractions by MIME type, hash, filename, size
zeek_executable_downloads Find executable transfers (PE, ELF, scripts) on the wire

Security Notices

Tool Description
zeek_query_notices Search Zeek security notices (port scans, invalid certs, custom alerts)

SSH Analysis

Tool Description
zeek_query_ssh Search SSH connections by auth status, direction, client/server
zeek_ssh_bruteforce Detect SSH brute force attempts exceeding a failure threshold

DHCP & Asset Discovery

Tool Description
zeek_query_dhcp Search DHCP logs for lease assignments and device discovery
zeek_dhcp_asset_map Build MAC-to-IP/hostname asset map for network inventory

Cross-Log Investigation

Tool Description
zeek_investigate_host Full host investigation across all log types
zeek_investigate_uid Follow a connection UID across all log types

Software Discovery

Tool Description
zeek_software_inventory List detected software and versions on the network

Analytics

Tool Description
zeek_detect_beaconing Detect C2 beaconing by analyzing connection interval regularity and jitter
zeek_detect_anomalies Statistical anomaly detection: port scans, data exfiltration, unusual ports
zeek_ja3_fingerprints Extract and analyze JA3/JA3S TLS fingerprints from SSL logs
zeek_ja3_hunt Hunt known-malicious JA3 fingerprints (CobaltStrike, Emotet, TrickBot, etc.) across SSL logs
zeek_network_baseline Generate a statistical baseline of normal network activity as a reference point
zeek_detect_outliers Compare current activity against a baseline and flag statistical outliers

Suricata IDS

Tool Description
suricata_query_alerts Search Suricata alerts by signature, severity, IP, protocol, time
suricata_alert_summary High-level alert summary: top signatures, categories, IPs, severity distribution
suricata_correlate_zeek Cross-reference Suricata alerts with Zeek logs for full context
suricata_eve_stats Suricata engine statistics: packets, flows, detection performance

PCAP Analysis

Tool Description
pcap_list List available PCAP files in the capture directory with sizes and timestamps
pcap_analyze Replay a PCAP file through Zeek and return the generated log summary

Incident Response

Tool Description
thehive_create_alert Create a TheHive alert from NIDS findings (observables, severity, TLP)
thehive_create_case Create a TheHive case for in-depth, collaborative investigation
thehive_search_cases Search existing TheHive cases and alerts for related work or duplicates
misp_search_iocs Search MISP for IOCs (IPs, domains, hashes, URLs) and return matching events
misp_bulk_lookup Check multiple IOCs against MISP in a single call
misp_add_event Create a MISP event from NIDS findings to share threat intelligence

Sensor Management

Tool Description
nids_sensor_status Live sensor status: log inventory, sizes, freshness, health checks

Resources

Resource URI Description
Log Types zeek://log-types All Zeek log types with field descriptions
Stats zeek://stats Sensor statistics and available log types

Prompts

Prompt Description
triage-alert Triage a Suricata alert by cross-referencing with Zeek logs
investigate-host Guided host investigation workflow across all logs
hunt-for-c2 Threat hunting for C2 communication patterns
network-baseline Generate a network activity baseline

Supported Log Types

conn, dns, http, ssl, files, notice, weird, x509, smtp, ssh, dpd, software, dhcp, ntp, ocsp, websocket

Configuration

Zeek

Variable Default Description
ZEEK_LOG_DIR /opt/zeek/logs/current Path to current Zeek logs
ZEEK_LOG_ARCHIVE /opt/zeek/logs Path to archived/rotated logs
ZEEK_LOG_FORMAT json Log format: json or tsv
ZEEK_MAX_RESULTS 1000 Maximum results per query

Suricata

Variable Default Description
SURICATA_EVE_LOG /opt/suricata/logs/eve.json Path to Suricata eve.json
SURICATA_FAST_LOG /opt/suricata/logs/fast.log Path to Suricata fast.log
SURICATA_RULES_DIR /opt/suricata/rules Path to Suricata rules directory

PCAP Analysis

Variable Default Description
PCAP_DIR /opt/pcaps Directory of PCAP files. pcap_analyze confines all filenames (relative and absolute) to this directory; anything resolving outside it is rejected.
ZEEK_BINARY /usr/local/zeek/bin/zeek Path to the Zeek binary.
ZEEK_CONTAINER zeek Docker container to run Zeek in. Set to empty to run Zeek directly on the host.
PCAP_OUTPUT_DIR /tmp/zeek-pcap-analysis Working directory for generated logs.

MISP

Variable Default Description
MISP_URL https://localhost MISP base URL.
MISP_API_KEY (none) MISP API key. Required for MISP tools.
MISP_VERIFY_SSL true Set to false to disable TLS certificate verification for MISP requests only (useful for self-signed MISP certs). Scoped to the MISP connection via a dedicated dispatcher; it does not affect any other connection or set global TLS options.

TheHive

Variable Default Description
THEHIVE_URL http://localhost:9000 TheHive base URL.
THEHIVE_API_KEY (none) TheHive API key. Required for TheHive tools.
THEHIVE_VERIFY_SSL true Set to false to disable TLS certificate verification for TheHive requests only (useful for self-signed certs). Scoped to the TheHive connection; it does not affect any other connection or set global TLS options.

Features

  • 39 tools for querying and analyzing Zeek + Suricata logs
  • 2 resources for log type metadata and sensor stats
  • 4 prompts for guided investigation workflows
  • Dual format support - JSON and TSV (Zeek's native tab-separated format)
  • Suricata integration - Query eve.json alerts, cross-correlate with Zeek, engine stats
  • CIDR matching - Filter by IP ranges (10.0.0.0/8, 192.168.1.0/24) with full IPv6 support
  • Wildcard matching - Search domains and URIs with patterns (*.example.com)
  • Beaconing detection - Statistical C2 beacon analysis with jitter scoring
  • Anomaly + baseline detection - Port scan, data exfiltration, unusual ports, statistical outliers vs a baseline
  • DNS tunneling detection - Shannon entropy analysis with encoding detection
  • JA3/JA3S fingerprinting - Track TLS clients and hunt known-malicious fingerprints across SSL logs
  • PCAP replay - Run a packet capture through Zeek and analyze the generated logs
  • Incident response - Escalate findings into TheHive (alerts/cases) and MISP (IOC lookups/events)
  • DHCP asset mapping - MAC-to-IP/hostname device inventory
  • Compressed + rotated logs - Reads .gz archives and navigates Zeek's date-based log directories

Why not something else?

  • Grepping the logs by hand. Zeek and Suricata logs are precise but verbose, and a real investigation means pivoting from one connection UID into dns, http, ssl, and files. zeek-mcp gives the agent a zeek_investigate_uid / zeek_investigate_host pivot and structured filters instead of you reconstructing awk one-liners under pressure.
  • A generic file/log MCP. A plain log-reader hands the model raw lines and hopes it parses them. zeek-mcp understands Zeek's TSV header format and Suricata's eve.json schema, does CIDR and IPv6 matching, reads gzipped and date-rotated archives, and ships detections (beaconing, DNS tunneling, JA3 hunting) that a generic reader cannot.
  • Your SIEM's query language. A SIEM is the system of record. zeek-mcp is the lightweight, local, stdio path for an AI agent to read the same telemetry directly off the sensor during triage or homelab work, with no indexing tier or query DSL to learn. Use both: investigate quickly here, escalate to TheHive/MISP from the same session.

What zeek-mcp is not

zeek-mcp is not a Zeek/Suricata replacement, a packet-capture engine, a SIEM, or a background agent.

It does not:

  • run, configure, or manage your Zeek or Suricata sensor
  • capture packets or modify traffic (it reads logs, and replays existing PCAPs only on request)
  • index, store, or retain your telemetry between calls
  • run on a schedule, open network listeners, or send notifications on its own
  • write to Zeek/Suricata data anywhere

The only writes it performs are the optional TheHive and MISP tools, which create alerts, cases, and events, and only when you provide credentials.

Testing

npm test

110 tests covering parsers (JSON + TSV), query engine, CIDR/wildcard filters, analytics (entropy, beaconing, anomaly detection), Suricata eve.json parsing, DHCP log parsing, and sensor status.

Generate Test Data

npm run generate-logs
npx tsx scripts/generate-zeek-logs.ts --output=/tmp/zeek-logs --format=json

Project Structure

zeek-mcp/
  src/
    index.ts                 # MCP server entry point + tool registration
    config.ts                # Environment config + validation
    types.ts                 # Zeek log type definitions (16 log types)
    resources.ts             # MCP resources
    prompts.ts               # MCP prompts (4 workflows)
    parser/
      index.ts               # Format-agnostic parser + log resolution
      json.ts                # JSON log parser
      tsv.ts                 # TSV log parser with header detection
    query/
      engine.ts              # Query engine with filtering/sorting
      filters.ts             # CIDR match (v4+v6), wildcard, range operators
      aggregation.ts         # Statistical aggregation functions
    tools/
      connections.ts         # Connection analysis tools
      dns.ts                 # DNS analysis tools
      http.ts                # HTTP analysis tools
      ssl.ts                 # SSL/TLS analysis tools
      files.ts               # File analysis tools
      notices.ts             # Security notice tools
      ssh.ts                 # SSH analysis tools
      investigation.ts       # Cross-log investigation tools
      software.ts            # Software/asset discovery
      dhcp.ts                # DHCP log tools + asset mapping
      beaconing.ts           # Beaconing detection tool
      anomaly.ts             # Anomaly detection tool
      ja3.ts                 # JA3/JA3S fingerprinting + hunt
      baseline.ts            # Network baseline + outlier detection
      suricata.ts            # Suricata eve.json tools
      pcap.ts                # PCAP listing + Zeek replay
      thehive.ts             # TheHive alert/case tools
      misp.ts                # MISP IOC lookup + event tools
      sensor.ts              # Sensor status + health checks
    analytics/
      entropy.ts             # Shannon entropy calculation
      beaconing.ts           # Beacon detection algorithms
      anomaly.ts             # Statistical anomaly detection
  tests/                     # Vitest unit + integration tests
  test-data/                 # Sample Zeek + Suricata logs
  scripts/
    generate-zeek-logs.ts    # Mock data generator

Contributing

Issues and pull requests are welcome. See CONTRIBUTING.md for the contribution path and SECURITY.md for how to report vulnerabilities privately. By participating you agree to the Code of Conduct.

License

MIT

MCP Server · Populars

MCP Server · New

    tsouth89

    Toolport

    Local-first MCP gateway. One port for every tool and every AI client: lazy discovery (~90% token savings), tool integrity + quarantine, secrets in the OS keychain.

    Community tsouth89
    Sendmux

    Email Inbox API + Sending by Sendmux

    Official monorepo of SDKs, CLI, and MCP servers for Sendmux email APIs across TypeScript, Python, Go, PHP, Rust, and Ruby.

    Community Sendmux
    ATH-MaaS

    🎨 Pixelle MCP - Omnimodal Agent Framework

    An Open-Source Multimodal AIGC Solution based on ComfyUI + MCP + LLM https://pixelle.ai

    Community ATH-MaaS
    cauldr0nx

    EspoCRM MCP Server

    Opensource MCP Server for EspoCRM

    Community cauldr0nx
    cisco-open

    Network Sketcher

    Network Sketcher is an AI-ready network design tool with Local MCP, Online, and Offline editions for creating network designs and exporting PowerPoint diagrams and Excel-based configuration data.

    Community cisco-open