Navigation
YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale - MCP Implementation

YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale

YaraFlux MCP Server: Unleash real-time, YARA-driven threat detection precision with enterprise-scale scalabilityβ€”your mission-critical cybersecurity backbone.

Visit Repository
✨ Research And Data
4.9(191 reviews)
286 saves
133 comments

Users create an average of 30 projects per month with this tool

About YaraFlux MCP Server

What is YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale?

YaraFlux MCP Server is a high-performance threat detection platform built on the YARA rule engine, designed for enterprise-scale deployment. It provides centralized management of YARA rules, scalable file storage integration, and RESTful API interfaces for automated threat analysis. The solution supports distributed architectures through pluggable storage backends (local filesystem, MinIO/S3) and ensures seamless integration with security orchestration tools.

How to Use YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale?

  1. Configure storage backend via storage_factory module
  2. Deploy Docker container using docker-compose up
  3. Upload YARA rules via API or CLI interface
  4. Submit files for scanning through /api/v1/scan endpoint
  5. Monitor scan results using WebSocket or polling API

YaraFlux MCP Server Features

Key Features of YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale?

  • Rule management with versioning and dependency tracking
  • Multi-backend storage abstraction layer (local/MinIO/S3)
  • Rate-limited API with JWT authentication
  • Webhook notifications for critical matches
  • Auto-scaling support via Kubernetes manifests
  • End-to-end encryption for file transfers

Use Cases of YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale?

Organizations leverage this platform for:

  • Automated malware triage in SOC operations
  • Compliance validation for regulated industries
  • Continuous threat hunting across hybrid environments
  • Incident response artifact analysis
  • Threat intelligence enrichment pipelines

YaraFlux MCP Server FAQ

FAQ from YaraFlux MCP Server: YARA-Driven Threat Detection & Enterprise Scale?

How to handle large-scale file ingestion?
Implement S3-compatible storage and configure parallel scan workers
What authentication methods are supported?
JWT-based API auth, LDAP integration (WIP), and API keys
Can I customize scanning workflows?
Yes - through plugin system and custom rule templates
What's the performance baseline?
500+ files/second on 8-core instances with SSD storage
Where to get support?
Community forum: GitHub Discussions

Content

YaraFlux MCP Server

GitHub release \(latest by date\) CI codecov Codacy Badge License: MIT Python Version FastAPI MCP Code style: black

A Model Context Protocol (MCP) server for YARA scanning, providing LLMs with capabilities to analyze files with YARA rules.

πŸ“‹ Overview

YaraFlux MCP Server enables AI assistants to perform YARA rule-based threat analysis through the standardized Model Context Protocol interface. The server integrates YARA scanning with modern AI assistants, supporting comprehensive rule management, secure scanning, and detailed result analysis through a modular architecture.

🧩 Architecture Overview

+------------------------------------------+
|              AI Assistant                |
+--------------------+---------------------+
                    |
                    | Model Context Protocol
                    |
+--------------------v---------------------+
|              YaraFlux MCP Server         |
|                                          |
|  +----------------+    +---------------+ |
|  | MCP Server     |    | Tool Registry | |
|  +-------+--------+    +-------+-------+ |
|          |                     |         |
|  +-------v--------+    +-------v-------+ |
|  | YARA Service   |    | Storage Layer | |
|  +----------------+    +---------------+ |
|                                          |
+------------------------------------------+
          |                   |
 +-----------------+  +---------------+
 | YARA Engine     |  | Storage       |
 | - Rule Compiling|  | - Local FS    |
 | - File Scanning |  | - MinIO/S3    |
 +-----------------+  +---------------+

YaraFlux follows a modular architecture that separates concerns between:

  • MCP Integration Layer : Handles communication with AI assistants
  • Tool Implementation Layer : Implements YARA scanning and management functionality
  • Storage Abstraction Layer : Provides flexible storage options
  • YARA Engine Integration : Leverages YARA for scanning and rule management

For detailed architecture diagrams, see the Architecture Documentation.

✨ Features

  • πŸ”„ Modular Architecture

    • Clean separation of MCP integration, tool implementation, and storage
    • Standardized parameter parsing and error handling
    • Flexible storage backend with local and S3/MinIO options

  • πŸ€– MCP Integration

    • 19 integrated MCP tools for comprehensive functionality
    • Optimized for Claude Desktop integration
    • Direct file analysis from within conversations
    • Compatible with latest MCP protocol specification

  • πŸ” YARA Scanning

    • URL and file content scanning
    • Detailed match information with context
    • Scan result storage and retrieval
    • Performance-optimized scanning engine

  • πŸ“ Rule Management

    • Create, read, update, delete YARA rules
    • Rule validation with detailed error reporting
    • Import rules from ThreatFlux repository
    • Categorization by source (custom vs. community)

  • πŸ“Š File Analysis

    • Hexadecimal view for binary analysis
    • String extraction with configurable parameters
    • File metadata and hash information
    • Secure file upload and storage

  • πŸ” Security Features

    • JWT authentication for API access
    • Non-root container execution
    • Secure storage isolation
    • Configurable access controls

πŸš€ Quick Start

Using Docker Image

# Pull the latest Docker image
docker pull threatflux/yaraflux-mcp-server:latest
# Run the container
docker run -p 8000:8000 \
  -e JWT_SECRET_KEY=your-secret-key \
  -e ADMIN_PASSWORD=your-admin-password \
  -e DEBUG=true \
  threatflux/yaraflux-mcp-server:latest
### Using Docker building from source

```bash
# Clone the repository
git clone https://github.com/ThreatFlux/YaraFlux.git
cd YaraFlux/

# Build the Docker image
docker build -t yaraflux-mcp-server:latest .

# Run the container
docker run -p 8000:8000 \
  -e JWT_SECRET_KEY=your-secret-key \
  -e ADMIN_PASSWORD=your-admin-password \
  -e DEBUG=true \
  yaraflux-mcp-server:latest

Installation from Source

# Clone the repository
git clone https://github.com/ThreatFlux/YaraFlux.git
cd YaraFlux/

# Install dependencies (requires Python 3.13+)
make install

# Run the server
make run

🧩 Claude Desktop Integration

YaraFlux is designed for seamless integration with Claude Desktop through the Model Context Protocol.

  1. Build the Docker image:
docker build -t yaraflux-mcp-server:latest .
  1. Add to Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):
{
  "mcpServers": {
    "yaraflux-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env",
        "JWT_SECRET_KEY=your-secret-key",
        "--env",
        "ADMIN_PASSWORD=your-admin-password",
        "--env",
        "DEBUG=true",
        "--env",
        "PYTHONUNBUFFERED=1",
        "threatflux/yaraflux-mcp-server:latest"
      ],
      "disabled": false,
      "autoApprove": [
        "scan_url",
        "scan_data",
        "list_yara_rules",
        "get_yara_rule"
      ]
    }
  }
}
  1. Restart Claude Desktop to activate the server.

πŸ› οΈ Available MCP Tools

YaraFlux exposes 19 integrated MCP tools:

Rule Management Tools

  • list_yara_rules : List available YARA rules with filtering options
  • get_yara_rule : Get a specific YARA rule's content and metadata
  • validate_yara_rule : Validate YARA rule syntax with detailed error reporting
  • add_yara_rule : Create a new YARA rule
  • update_yara_rule : Update an existing YARA rule
  • delete_yara_rule : Delete a YARA rule
  • import_threatflux_rules : Import rules from ThreatFlux GitHub repository

Scanning Tools

  • scan_url : Scan content from a URL with specified YARA rules
  • scan_data : Scan provided data (base64 encoded) with specified rules
  • get_scan_result : Retrieve detailed results from a previous scan

File Management Tools

  • upload_file : Upload a file for analysis or scanning
  • get_file_info : Get metadata about an uploaded file
  • list_files : List uploaded files with pagination and sorting
  • delete_file : Delete an uploaded file
  • extract_strings : Extract ASCII/Unicode strings from a file
  • get_hex_view : Get hexadecimal view of file content
  • download_file : Download an uploaded file

Storage Management Tools

  • get_storage_info : Get storage usage statistics
  • clean_storage : Remove old files to free up storage space

πŸ“š Documentation

Comprehensive documentation is available in the docs/ directory:

πŸ—‚οΈ Project Structure

yaraflux_mcp_server/
β”œβ”€β”€ src/
β”‚   └── yaraflux_mcp_server/
β”‚       β”œβ”€β”€ app.py                 # FastAPI application
β”‚       β”œβ”€β”€ auth.py                # JWT authentication and user management
β”‚       β”œβ”€β”€ config.py              # Configuration settings loader
β”‚       β”œβ”€β”€ models.py              # Pydantic models for requests/responses
β”‚       β”œβ”€β”€ mcp_server.py          # MCP server implementation
β”‚       β”œβ”€β”€ utils/                 # Utility functions package
β”‚       β”‚   β”œβ”€β”€ __init__.py        # Package initialization
β”‚       β”‚   β”œβ”€β”€ error_handling.py  # Standardized error handling
β”‚       β”‚   β”œβ”€β”€ param_parsing.py   # Parameter parsing utilities
β”‚       β”‚   └── wrapper_generator.py # Tool wrapper generation
β”‚       β”œβ”€β”€ mcp_tools/             # Modular MCP tools package
β”‚       β”‚   β”œβ”€β”€ __init__.py        # Package initialization
β”‚       β”‚   β”œβ”€β”€ base.py            # Base tool registration utilities
β”‚       β”‚   β”œβ”€β”€ file_tools.py      # File management tools
β”‚       β”‚   β”œβ”€β”€ rule_tools.py      # YARA rule management tools
β”‚       β”‚   β”œβ”€β”€ scan_tools.py      # Scanning tools
β”‚       β”‚   └── storage_tools.py   # Storage management tools
β”‚       β”œβ”€β”€ storage/               # Storage implementation package
β”‚       β”‚   β”œβ”€β”€ __init__.py        # Package initialization
β”‚       β”‚   β”œβ”€β”€ base.py            # Base storage interface
β”‚       β”‚   β”œβ”€β”€ factory.py         # Storage client factory
β”‚       β”‚   β”œβ”€β”€ local.py           # Local filesystem storage
β”‚       β”‚   └── minio.py           # MinIO/S3 storage
β”‚       β”œβ”€β”€ routers/               # API route definitions
β”‚       β”‚   β”œβ”€β”€ __init__.py        # Package initialization
β”‚       β”‚   β”œβ”€β”€ auth.py            # Authentication API routes
β”‚       β”‚   β”œβ”€β”€ files.py           # File management API routes
β”‚       β”‚   β”œβ”€β”€ rules.py           # YARA rule management API routes
β”‚       β”‚   └── scan.py            # YARA scanning API routes
β”‚       β”œβ”€β”€ yara_service.py        # YARA rule management and scanning
β”‚       β”œβ”€β”€ __init__.py            # Package initialization
β”‚       └── __main__.py            # CLI entry point
β”œβ”€β”€ docs/                          # Documentation
β”œβ”€β”€ tests/                         # Test suite
β”œβ”€β”€ Dockerfile                     # Docker configuration
β”œβ”€β”€ entrypoint.sh                  # Container entrypoint script
β”œβ”€β”€ Makefile                       # Build automation
β”œβ”€β”€ pyproject.toml                 # Project metadata and dependencies
β”œβ”€β”€ requirements.txt               # Core dependencies
└── requirements-dev.txt           # Development dependencies

πŸ§ͺ Development

Local Development

# Set up development environment
make dev-setup

# Run tests
make test

# Code quality checks
make lint
make format
make security-check

# Generate test coverage report
make coverage

# Run development server
make run

CI/CD Workflows

This project uses GitHub Actions for continuous integration and deployment:

  • CI Tests : Runs on every push and pull request to main and develop branches

    • Runs tests, formatting, linting, and type checking
    • Builds and tests Docker images
    • Uploads test coverage reports to Codecov

  • Version Auto-increment : Automatically increments version on pushes to main branch

    • Updates version in pyproject.toml, setup.py, and Dockerfile
    • Creates git tag for new version

  • Publish Release : Triggered after successful version auto-increment

    • Builds Docker images for multiple stages
    • Generates release notes from git commits
    • Creates GitHub release with artifacts
    • Publishes Docker images to Docker Hub

These workflows ensure code quality and automate the release process.

Status Checks

The following status checks run on pull requests:

  • βœ… Format Verification : Ensures code follows Black and isort formatting standards
  • βœ… Lint Verification : Validates code quality and compliance with coding standards
  • βœ… Test Execution : Runs the full test suite to verify functionality
  • βœ… Coverage Report : Ensures sufficient test coverage of the codebase

🌐 API Documentation

Interactive API documentation available at:

For detailed API documentation, see API Reference.

🀝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ’– Donate or Ask for Features

Related MCP Servers & Clients

Quick Navigation

MCP Categories

Research And Data