MCP Hub

ThreatFlux

YaraFlux

by: ThreatFlux

A YARA-based MCP server

created 06/03/2025

yara

Overview

Purpose: To provide a Model Context Protocol (MCP) server that enables AI assistants to perform YARA rule-based threat analysis.

Overview: YaraFlux MCP Server integrates YARA scanning with AI assistants through a modular architecture that covers rule management, scanning, and result analysis.

Key Features:

  • Modular Architecture: Separates MCP integration, tool implementation, and storage, which keeps the code maintainable and lets each layer change independently.

  • MCP Integration: Exposes 19 MCP tools for AI assistant interactions, so files can be analyzed directly within a conversation.

  • YARA Scanning: Scans URLs and file content against YARA rules, returns detailed match information, and stores scan results for later retrieval.

  • Rule Management: Supports create, read, update and delete operations on YARA rules, with syntax validation and import from community rule sources.

  • File Analysis: Provides hexadecimal viewing, string extraction, and secure file upload for binary analysis.

  • Security Features: JWT authentication for API access and isolation of stored files and rules.


YaraFlux MCP Server

A Model Context Protocol (MCP) server for YARA scanning, enabling AI assistants to analyze files with YARA rules.

Overview

YaraFlux MCP Server allows AI assistants to perform YARA rule-based threat analysis through a standardized Model Context Protocol interface. It integrates YARA scanning with modern AI assistants, supporting comprehensive rule management, secure scanning, and detailed result analysis.

Architecture Overview

YaraFlux follows a modular architecture that separates concerns:

  • MCP Integration Layer: Facilitates communication with AI assistants.
  • Tool Implementation Layer: Implements YARA scanning and management functionality.
  • Storage Abstraction Layer: Offers flexible storage options.
  • YARA Engine Integration: Utilizes YARA for scanning and rule management.

Features

  • Modular Architecture

    • Clean separation of components
    • Flexible storage backend with local and S3/MinIO options
  • MCP Integration

    • MCP tools covering rule management, scanning and file handling
    • Direct file analysis within conversations
  • YARA Scanning

    • URL and file content scanning
    • Performance-optimized scanning engine
  • Rule Management

    • CRUD operations for YARA rules
    • Import rules from ThreatFlux repository
  • File Analysis

    • Metadata and hash information
    • Secure file upload and storage
  • Security Features

    • JWT authentication for API access
    • Secure storage isolation
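The hex view, string extraction and hash reporting listed under File Analysis, as an added example that is not YaraFlux's own code: standard-library Python run over a constructed sample blob so it works offline. The function names, the report shape and the sample bytes are assumptions for illustration, not the server's tool API.

```python
"""Binary triage helpers in the spirit of YaraFlux's File Analysis tools.

Added example, not the project's own code: standard library only, with a
constructed sample so it runs without the server.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample blob (not a real file): an MZ header fragment, the
# familiar DOS stub message, a URL, and a 2-byte run too short to count as a string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 6
    + b"http://example.invalid/beacon" + b"\x00\x01\x02"
    + b"ab\x00"
)


def file_metadata(data: bytes) -> Dict[str, object]:
    """Size plus the hashes an analyst pivots on (MD5, SHA-1, SHA-256)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hexdump(data: bytes, offset: int = 0, length: Optional[int] = None,
            width: int = 16) -> List[str]:
    """Render data[offset:offset+length] as 'offset  hex bytes  |ascii|' lines."""
    end = len(data) if length is None else min(len(data), offset + length)
    lines = []
    for start in range(offset, end, width):
        chunk = data[start:min(start + width, end)]
        # Pad the hex column so the ASCII gutter lines up on a short final row.
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{start:08x}  {hex_part}  |{ascii_part}|")
    return lines


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def analyze(data: bytes, preview_bytes: int = 32) -> Dict[str, object]:
    """Combined report: metadata, a hex preview of the first bytes, and strings."""
    return {
        "metadata": file_metadata(data),
        "hex_preview": hexdump(data, 0, preview_bytes),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["metadata"])
    print("\n".join(report["hex_preview"]))
    print(report["strings"])
```

Lowering min_len to 2 in extract_strings surfaces the "MZ" magic and the short "ab" run; the default of 4 matches what most strings tools report and keeps noise down on real binaries.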

Quick Start

Using Docker Image

# Pull the latest Docker image
docker pull threatflux/yaraflux-mcp-server:latest
# Run the container
docker run -p 8000:8000 \
  -e JWT_SECRET_KEY=your-secret-key \
  -e ADMIN_PASSWORD=your-admin-password \
  -e DEBUG=true \
  threatflux/yaraflux-mcp-server:latest

The placeholder values and DEBUG=true are for local testing only. Anyone who knows JWT_SECRET_KEY can mint tokens the server accepts, so generate a long random value (for example with openssl rand -hex 32) instead of a guessable string, choose a strong ADMIN_PASSWORD, and turn DEBUG off before exposing port 8000 to anything other than localhost.
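What JWT_SECRET_KEY actually protects, as an added example that is not YaraFlux's code: an HS256 bearer token minted and verified with the Python standard library, with the three checks a verifier has to make in this order (pinned algorithm, constant-time signature comparison, expiry), plus a forged-claim token to show the signature check rejecting it. The claim names sub, iat and exp are standard registered JWT claims; that YaraFlux uses exactly these claims, or HS256, is an assumption.

```python
"""HS256 JWT minting and verification of the kind a JWT_SECRET_KEY setting implies.

Added example, not YaraFlux's own code: standard library only, so it runs
without the server. Claim names and the HS256 choice are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def b64url_encode(raw: bytes) -> str:
    """JWT segments are base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: str, subject: str, ttl_seconds: int = 3600,
               now: Optional[int] = None) -> str:
    """Issue a signed token; `now` is injectable so expiry can be tested."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret: str, token: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side. Honouring the token's own "alg" is how
    # "alg": "none" and key-confusion bypasses work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time compare, and check the signature before trusting any claim.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) \
            or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def verification_failure(secret: str, token: str, now: Optional[int] = None) -> str:
    """'' when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(secret, token, now)
        return ""
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        return str(exc)


def forge_subject(token: str, new_subject: str) -> str:
    """Rewrite the 'sub' claim without re-signing, as an attacker lacking the secret would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["sub"] = new_subject
    forged = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


if __name__ == "__main__":
    secret = "your-secret-key"  # the Quick Start placeholder; use a long random value in practice
    token = mint_token(secret, "admin", ttl_seconds=60, now=1_700_000_000)
    print(verify_token(secret, token, now=1_700_000_030))
    print(verification_failure(secret, forge_subject(token, "root"), now=1_700_000_030))
```

The forged token fails with "bad signature" even though its header and structure are valid, which is the whole point of the secret: the server can only tell a self-issued token from an attacker-issued one because the attacker cannot compute the HMAC. That is also why a guessable JWT_SECRET_KEY collapses the authentication entirely.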

Installation from Source

# Clone the repository
git clone https://github.com/ThreatFlux/YaraFlux.git
cd YaraFlux/

# Install dependencies
make install

# Run the server
make run

Available MCP Tools

YaraFlux exposes integrated MCP tools for managing YARA rules and performing scans, including:

Rule Management Tools

  • list_yara_rules: List available YARA rules.
  • get_yara_rule: Retrieve a specific rule's content.
  • validate_yara_rule: Validate YARA rule syntax.
  • add_yara_rule: Create a new rule.
  • delete_yara_rule: Remove a rule.

Scanning Tools

  • scan_url: Scan content from a URL.
  • scan_data: Scan provided data with specified rules.

File Management Tools

  • upload_file: Upload a file for analysis.
  • delete_file: Remove an uploaded file.

Documentation

Comprehensive documentation is available in the docs/ directory, including installation guides and API references.

Project Structure

yaraflux_mcp_server/
├── src/                          # Application source code
├── docs/                         # Documentation
├── tests/                        # Test suite
├── Dockerfile                    # Docker configuration
└── requirements.txt              # Core dependencies

Development

Local Development

# Set up development environment
make dev-setup

# Run tests
make test

# Run development server
make run

API Documentation

Interactive API documentation is available at:

Contributing

Contributions are welcome! To contribute:

  1. Fork the repository
  2. Create your feature branch
  3. Commit your changes
  4. Push to the branch
  5. Open a Pull Request

License

This project is licensed under the MIT License.