Zeek

39 tools. 5 can modify or destroy data without limits.

5 write tools that can modify data. Rate limits recommended.

Last updated:

5 can modify or destroy data
34 read-only
39 tools total

Community server · catalogue entry verified 03/07/2026

How to control Zeek ↓

What Zeek exposes to your agents

Read (34) Write / Execute (5) Destructive / Financial (0)
High Risk

The most dangerous Zeek tools

5 of Zeek's 39 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Zeek

PolicyLayer is an MCP gateway — it sits between your AI agents and Zeek, and nothing reaches the server without passing your rules. These are the rules we recommend:

Rate limit write operations
{
  "misp_add_event": {
    "limits": [
      {
        "counter": "misp_add_event_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "misp_bulk_lookup": {
    "limits": [
      {
        "counter": "misp_bulk_lookup_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Zeek — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON ZEEK →

Instant setup, no code required.

All 39 Zeek tools

READ 34 tools
Read misp_bulk_lookup Check multiple IOCs against MISP in a single call. Useful for batch-checking IPs, domains, or hashes found dur Read misp_search_iocs Search MISP for indicators of compromise (IOCs). Look up IPs, domains, hashes, URLs, and other observables aga Read nids_sensor_status Get the current status of the NIDS sensor: available Zeek log files with sizes, record counts, and freshness. Read pcap_list List available PCAP files in the capture directory with file sizes and timestamps. Read suricata_alert_summary Get a high-level summary of Suricata alerts: top signatures, categories, severity distribution, top source/des Read suricata_correlate_zeek Cross-reference a Suricata alert with Zeek logs using community_id or IP/port/time matching. Returns the Suric Read suricata_eve_stats Get Suricata engine statistics from eve.json stats events: packet counts, decoder stats, flow metrics, and det Read suricata_query_alerts Search Suricata IDS/IPS alerts from eve.json. Filter by signature, severity, source/destination IP, protocol, Read thehive_search_cases Search existing TheHive cases and alerts. Find related investigations, check for duplicates, or review open ca Read zeek_connection_summary Get statistical summary of connections over a time period - top talkers, services, bytes, and connection count Read zeek_detect_beaconing Detect potential C2 beaconing by analyzing connection interval regularity. Finds source-destination pairs with Read zeek_detect_outliers Compare current network activity against a baseline and identify statistical outliers. Flags hosts with unusua Read zeek_dhcp_asset_map Build an asset map from DHCP logs: MAC address to IP/hostname mappings. Useful for identifying all devices on Read zeek_dns_summary DNS query statistics - top queried domains, NXDOMAIN counts (potential DGA detection), query type distribution Read zeek_dns_tunneling_check Detect potential DNS tunneling by analyzing query entropy, subdomain lengths, and TXT/NULL query volumes. Read zeek_executable_downloads Find executable file transfers on the network - PE, ELF, Mach-O binaries and scripts that may indicate malware Read zeek_expired_certs Find connections using expired or self-signed certificates - potential indicators of man-in-the-middle or mali Read zeek_investigate_host Comprehensive investigation of all activity for a specific host across all Zeek log types - connections, DNS, Read zeek_investigate_uid Follow a specific connection UID across all Zeek log types to reconstruct the complete session lifecycle. Read zeek_ja3_fingerprints Extract and analyze JA3/JA3S TLS fingerprints from SSL logs. Identifies client TLS implementations and can det Read zeek_ja3_hunt Hunt for known malicious JA3 fingerprints across SSL logs. Compares all observed JA3 hashes against a built-in Read zeek_long_connections Find unusually long-lived connections that may indicate C2 beacons, tunnels, or persistent backdoors. Read zeek_network_baseline Generate a statistical baseline of normal network activity. Calculates averages, standard deviations, and dist Read zeek_query_connections Search Zeek connection logs with flexible filters. Supports CIDR notation for IPs, connection state filtering, Read zeek_query_dhcp Search Zeek DHCP logs for lease assignments, device discovery, and hostname-to-IP mapping. Useful for asset in Read zeek_query_dns Search Zeek DNS query logs. Supports wildcard domain matching, query type filtering, and response code filteri Read zeek_query_files Search Zeek file extraction logs. Filter by MIME type, filename, hash values, source IP, and file size. Read zeek_query_http Search Zeek HTTP request logs. Supports wildcard matching on host and URI, user agent filtering, and status co Read zeek_query_notices Search Zeek security notices (built-in and custom detections). Notices include port scans, invalid certificate Read zeek_query_ssh Search Zeek SSH connection logs. Filter by source/destination IP, authentication status, and connection direct Read zeek_query_ssl Search Zeek SSL/TLS connection logs. Filter by SNI hostname, TLS version, certificate validation status, subje Read zeek_software_inventory List detected software and versions on the network from Zeek Read zeek_ssh_bruteforce Detect SSH brute force attempts by identifying sources with multiple failed authentication attempts exceeding Read zeek_suspicious_http Find suspicious HTTP activity including POSTs to raw IPs, unusual user agents, large POST bodies, requests to

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about Zeek

How do I prevent bulk modifications through Zeek? +

The Zeek server has 3 write tools including misp_add_event, thehive_create_alert, thehive_create_case. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Zeek.

How many tools does the Zeek MCP server expose? +

39 tools across 3 categories: Execute, Read, Write. 34 are read-only. 5 can modify, create, or delete data.

How do I enforce a policy on Zeek? +

Register the Zeek MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Zeek tool call.

Deterministic rules across all 39 Zeek tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

39 Zeek tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.