Zeek-MCP

  1. ALMC
  2. MCP
  3. development
  4. zeek-mcp
Zeek-MCP - Secure MCP Server by ALMC Security 2025

Zeek-MCP

View on GitHub

LicenseGitHub release (latest by date)Linkedin

Logo

Zeek-MCP

This repository provides a set of utilities to build an MCP server (Model Context Protocol) that you can integrate with your conversational AI client.

Table of Contents

Prerequisites

  • Python 3.7+
  • Zeek installed and available in your PATH (for the execzeek tool)
  • pip (for installing Python dependencies)

Installation

1. Clone the repository

git clone https://github.com/Gabbo01/Zeek-MCP
cd Zeek-MCP

2. Install dependencies

It's recommended to use a virtual environment:

python -m venv venv
source venv/bin/activate    # Linux/macOS
venv\Scripts\activate     # Windows
pip install -r requirements.txt

Note: If you don’t have a requirements.txt, install directly:

pip install pandas mcp

Usage

The repository exposes two main MCP tools and a command-line entry point:

3. Run the MCP server

python Bridge_Zeek_MCP.py --mcp-host 127.0.0.1 --mcp-port 8081 --transport sse
  • --mcp-host: Host for the MCP server (default: 127.0.0.1).
  • --mcp-port: Port for the MCP server (default: 8081).
  • --transport: Transport protocol, either sse (Server-Sent Events) or stdio.

start

4. Use the MCP tools

You need to use an LLM that can support the MCP tools usage by calling the following tools:

  1. execzeek(pcap_path: str) -> str

    • Description: Runs Zeek on the given PCAP file after deleting existing .log files in the working directory.
    • Returns: A string listing generated .log filenames or "1" on error.

  2. parselogs(logfile: str) -> DataFrame

    • Description: Parses a single Zeek .log file and returns the parsed content.

You can interact with these endpoints via HTTP (if using SSE transport) or by embedding in LLM client (eg: Claude Desktop):

Claude Desktop integration:

To set up Claude Desktop as a Zeek MCP client, go to Claude -> Settings -> Developer -> Edit Config -> claude_desktop_config.json and add the following:

{
  "mcpServers": {
    "Zeek-mcp": {
      "command": "python",
      "args": [
        "/ABSOLUTE_PATH_TO/Bridge_Zeek_MCP.py",
      ]
    }
  }
}

Alternatively, edit this file directly:

/Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json

5ire Integration:

Another MCP client that supports multiple models on the backend is 5ire. To set up Zeek-MCP, open 5ire and go to Tools -> New and set the following configurations:

  1. Tool Key: ZeekMCP
  2. Name: Zeek-MCP
  3. Command: python /ABSOLUTE_PATH_TO/Bridge_Zeek_MCP.py
Alternatively you can use Chainlit framework and follow the documentation to integrate the MCP server.

Examples

An example of MCP tools usage from a chainlit chatbot client, it was used an example pcap file (you can find fews in pcaps folder)

In that case the used model was claude-3.7-sonnet-reasoning-gemma3-12b

example1

example2

example3

License

See LICENSE for more information.

Related in Development - Secure MCP Servers

ServerSummaryActions
MCP SBOM ServerView
MCP ReasonerA reasoning implementation for Claude Desktop that lets you use both Beam Search and Monte Carlo Tre...View
Lean LSPMCP server that allows agentic interaction with the Lean theorem prover via the Language Server Prot...View
JinniJinni is a tool to efficiently provide Large Language Models the context of your projects. It gives...View
Laravel Codebase IntrospectionView
FileScopeMCP✨ Instantly understand and visualize your codebase structure & dependencies! ✨View