Labsco
ThreatFlux logo

YaraFlux

β˜… 23

from ThreatFlux

An MCP server for YARA scanning, enabling LLMs to analyze files using YARA rules.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeAdvanced setup

YaraFlux MCP Server

A Model Context Protocol (MCP) server for YARA scanning, providing LLMs with capabilities to analyze files with YARA rules.

πŸ“‹ Overview

YaraFlux MCP Server enables AI assistants to perform YARA rule-based threat analysis through the standardized Model Context Protocol interface. The server integrates YARA scanning with modern AI assistants, supporting comprehensive rule management, secure scanning, and detailed result analysis through a modular architecture.

🧩 Architecture Overview

Copy & paste β€” that's it
+------------------------------------------+
| AI Assistant |
+--------------------+---------------------+
 |
 | Model Context Protocol
 |
+--------------------v---------------------+
| YaraFlux MCP Server |
| |
| +----------------+ +---------------+ |
| | MCP Server | | Tool Registry | |
| +-------+--------+ +-------+-------+ |
| | | |
| +-------v--------+ +-------v-------+ |
| | YARA Service | | Storage Layer | |
| +----------------+ +---------------+ |
| |
+------------------------------------------+
 | |
 +-----------------+ +---------------+
 | YARA Engine | | Storage |
 | - Rule Compiling| | - Local FS |
 | - File Scanning | | - MinIO/S3 |
 +-----------------+ +---------------+

YaraFlux follows a modular architecture that separates concerns between:

  • MCP Integration Layer: Handles communication with AI assistants

  • Tool Implementation Layer: Implements YARA scanning and management functionality

  • Storage Abstraction Layer: Provides flexible storage options

  • YARA Engine Integration: Leverages YARA for scanning and rule management

For detailed architecture diagrams, see the Architecture Documentation.

✨ Features

πŸ”„ Modular Architecture

  • Clean separation of MCP integration, tool implementation, and storage

  • Standardized parameter parsing and error handling

  • Flexible storage backend with local and S3/MinIO options

πŸ€– MCP Integration

  • 19 integrated MCP tools for comprehensive functionality

  • Optimized for Claude Desktop integration

  • Direct file analysis from within conversations

  • Compatible with latest MCP protocol specification

πŸ” YARA Scanning

  • URL and file content scanning

  • Detailed match information with context

  • Scan result storage and retrieval

  • Performance-optimized scanning engine

πŸ“ Rule Management

  • Create, read, update, delete YARA rules

  • Rule validation with detailed error reporting

  • Import rules from ThreatFlux repository

  • Categorization by source (custom vs. community)

πŸ“Š File Analysis

  • Hexadecimal view for binary analysis

  • String extraction with configurable parameters

  • File metadata and hash information

  • Secure file upload and storage

πŸ” Security Features

  • JWT authentication for API access

  • Non-root container execution

  • Secure storage isolation

  • Configurable access controls

🧩 Claude Desktop Integration

YaraFlux is designed for seamless integration with Claude Desktop through the Model Context Protocol.

  • Build the Docker image:
Copy & paste β€” that's it
docker build -t yaraflux-mcp-server:latest .
  • Add to Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):
Copy & paste β€” that's it
{
 "mcpServers": {
 "yaraflux-mcp-server": {
 "command": "docker",
 "args": [
 "run",
 "-i",
 "--rm",
 "--env",
 "JWT_SECRET_KEY=your-secret-key",
 "--env",
 "ADMIN_PASSWORD=your-admin-password",
 "--env",
 "DEBUG=true",
 "--env",
 "PYTHONUNBUFFERED=1",
 "threatflux/yaraflux-mcp-server:latest"
 ],
 "disabled": false,
 "autoApprove": [
 "scan_url",
 "scan_data",
 "list_yara_rules",
 "get_yara_rule"
 ]
 }
 }
}
  • Restart Claude Desktop to activate the server.

πŸ› οΈ Available MCP Tools

YaraFlux exposes 19 integrated MCP tools:

Rule Management Tools

  • list_yara_rules: List available YARA rules with filtering options

  • get_yara_rule: Get a specific YARA rule's content and metadata

  • validate_yara_rule: Validate YARA rule syntax with detailed error reporting

  • add_yara_rule: Create a new YARA rule

  • update_yara_rule: Update an existing YARA rule

  • delete_yara_rule: Delete a YARA rule

  • import_threatflux_rules: Import rules from ThreatFlux GitHub repository

Scanning Tools

  • scan_url: Scan content from a URL with specified YARA rules

  • scan_data: Scan provided data (base64 encoded) with specified rules

  • get_scan_result: Retrieve detailed results from a previous scan

File Management Tools

  • upload_file: Upload a file for analysis or scanning

  • get_file_info: Get metadata about an uploaded file

  • list_files: List uploaded files with pagination and sorting

  • delete_file: Delete an uploaded file

  • extract_strings: Extract ASCII/Unicode strings from a file

  • get_hex_view: Get hexadecimal view of file content

  • download_file: Download an uploaded file

Storage Management Tools

  • get_storage_info: Get storage usage statistics

  • clean_storage: Remove old files to free up storage space

πŸ“š Documentation

Comprehensive documentation is available in the docs/ directory:

πŸ—‚οΈ Project Structure

Copy & paste β€” that's it
yaraflux_mcp_server/
β”œβ”€β”€ src/
β”‚ └── yaraflux_mcp_server/
β”‚ β”œβ”€β”€ app.py # FastAPI application
β”‚ β”œβ”€β”€ auth.py # JWT authentication and user management
β”‚ β”œβ”€β”€ config.py # Configuration settings loader
β”‚ β”œβ”€β”€ models.py # Pydantic models for requests/responses
β”‚ β”œβ”€β”€ mcp_server.py # MCP server implementation
β”‚ β”œβ”€β”€ utils/ # Utility functions package
β”‚ β”‚ β”œβ”€β”€ __init__.py # Package initialization
β”‚ β”‚ β”œβ”€β”€ error_handling.py # Standardized error handling
β”‚ β”‚ β”œβ”€β”€ param_parsing.py # Parameter parsing utilities
β”‚ β”‚ └── wrapper_generator.py # Tool wrapper generation
β”‚ β”œβ”€β”€ mcp_tools/ # Modular MCP tools package
β”‚ β”‚ β”œβ”€β”€ __init__.py # Package initialization
β”‚ β”‚ β”œβ”€β”€ base.py # Base tool registration utilities
β”‚ β”‚ β”œβ”€β”€ file_tools.py # File management tools
β”‚ β”‚ β”œβ”€β”€ rule_tools.py # YARA rule management tools
β”‚ β”‚ β”œβ”€β”€ scan_tools.py # Scanning tools
β”‚ β”‚ └── storage_tools.py # Storage management tools
β”‚ β”œβ”€β”€ storage/ # Storage implementation package
β”‚ β”‚ β”œβ”€β”€ __init__.py # Package initialization
β”‚ β”‚ β”œβ”€β”€ base.py # Base storage interface
β”‚ β”‚ β”œβ”€β”€ factory.py # Storage client factory
β”‚ β”‚ β”œβ”€β”€ local.py # Local filesystem storage
β”‚ β”‚ └── minio.py # MinIO/S3 storage
β”‚ β”œβ”€β”€ routers/ # API route definitions
β”‚ β”‚ β”œβ”€β”€ __init__.py # Package initialization
β”‚ β”‚ β”œβ”€β”€ auth.py # Authentication API routes
β”‚ β”‚ β”œβ”€β”€ files.py # File management API routes
β”‚ β”‚ β”œβ”€β”€ rules.py # YARA rule management API routes
β”‚ β”‚ └── scan.py # YARA scanning API routes
β”‚ β”œβ”€β”€ yara_service.py # YARA rule management and scanning
β”‚ β”œβ”€β”€ __init__.py # Package initialization
β”‚ └── __main__.py # CLI entry point
β”œβ”€β”€ docs/ # Documentation
β”œβ”€β”€ tests/ # Test suite
β”œβ”€β”€ Dockerfile # Docker configuration
β”œβ”€β”€ entrypoint.sh # Container entrypoint script
β”œβ”€β”€ Makefile # Build automation
β”œβ”€β”€ pyproject.toml # Project metadata and dependencies
β”œβ”€β”€ requirements.txt # Core dependencies
└── requirements-dev.txt # Development dependencies

πŸ§ͺ Development

Local Development

Copy & paste β€” that's it
# Set up development environment
make dev-setup

# Run tests
make test

# Code quality checks
make lint
make format
make security-check

# Generate test coverage report
make coverage

# Run development server
make run

CI/CD Workflows

This project uses GitHub Actions for continuous integration and deployment:

CI Tests: Runs on every push and pull request to main and develop branches

  • Runs tests, formatting, linting, and type checking

  • Builds and tests Docker images

  • Uploads test coverage reports to Codecov

Version Auto-increment: Automatically increments version on pushes to main branch

  • Updates version in pyproject.toml, setup.py, and Dockerfile

  • Creates git tag for new version

Publish Release: Triggered after successful version auto-increment

  • Builds Docker images for multiple stages

  • Generates release notes from git commits

  • Creates GitHub release with artifacts

  • Publishes Docker images to Docker Hub

These workflows ensure code quality and automate the release process.

Status Checks

The following status checks run on pull requests:

  • βœ… Format Verification: Ensures code follows Black and isort formatting standards

  • βœ… Lint Verification: Validates code quality and compliance with coding standards

  • βœ… Test Execution: Runs the full test suite to verify functionality

  • βœ… Coverage Report: Ensures sufficient test coverage of the codebase

🌐 API Documentation

Interactive API documentation available at:

For detailed API documentation, see API Reference.

🀝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  • Fork the repository

  • Create your feature branch (git checkout -b feature/amazing-feature)

  • Commit your changes (git commit -m 'Add some amazing feature')

  • Push to the branch (git push origin feature/amazing-feature)

  • Open a Pull Request

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ’– Donate or Ask for Features