YaraFlux

ThreatFlux/YaraFlux

YaraFlux MCP Server is a Model Context Protocol server designed for YARA rule-based threat analysis, integrating with AI assistants for comprehensive file scanning and rule management.

Tools

Functions exposed to the LLM to take actions

scan_url

Scan a file from a URL with YARA rules.

This function downloads and scans a file from the provided URL using YARA rules. It's particularly useful for scanning potentially malicious files without storing them locally on the user's machine.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Can you scan this URL for malware: https://example.com/suspicious-file.exe"
  • "Analyze https://example.com/document.pdf for malicious patterns"
  • "Check if the file at this URL contains known threats: https://example.com/sample.exe"

Args:

  • url: URL of the file to scan
  • rule_names: Optional list of rule names to match (if None, match all)
  • sources: Optional list of sources to match rules from (if None, match all)
  • timeout: Optional timeout in seconds (if None, use default)

Returns: Scan result containing file details, scan status, and any matches found

scan_data

Scan in-memory data with YARA rules.

This function scans provided binary or text data using YARA rules. It supports both base64-encoded data and plain text, making it versatile for various sources of potentially malicious content.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Scan this base64 data: SGVsbG8gV29ybGQ="
  • "Can you check if this text contains malicious patterns: eval(atob('ZXZhbChwcm9tcHQoKSk7'))"
  • "Analyze this string for malware signatures: document.write(unescape('%3C%73%63%72%69%70%74%3E'))"

Args:

  • data: Data to scan (base64-encoded by default)
  • filename: Name of the file for reference
  • encoding: Encoding of the data ("base64" or "text")
  • rule_names: Optional list of rule names to match (if None, match all)
  • sources: Optional list of sources to match rules from (if None, match all)
  • timeout: Optional timeout in seconds (if None, use default)

Returns: Scan result containing match details and file metadata

get_scan_result

Get a scan result by ID.

This function retrieves previously saved scan results using their unique ID. It allows users to access historical scan data and analyze matches without rescanning the content.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me the results from scan abc123"
  • "Retrieve the details for scan ID xyz789"
  • "What were the findings from my previous scan?"

Args:

  • scan_id: ID of the scan result

Returns: Complete scan result including file metadata and any matches found

list_yara_rules

List available YARA rules.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me all YARA rules"
  • "List custom YARA rules only"
  • "What community rules are available?"

Args:

  • source: Optional source filter ("custom" or "community")

Returns: List of YARA rule metadata objects

get_yara_rule

Get a YARA rule's content.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me the code for rule suspicious_strings"
  • "Get the content of the ransomware detection rule"
  • "What does the CVE-2023-1234 rule look like?"

Args:

  • rule_name: Name of the rule to get
  • source: Source of the rule ("custom" or "community")

Returns: Rule content and metadata

validate_yara_rule

Validate a YARA rule.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Check if this YARA rule syntax is valid"
  • "Validate this detection rule for me"
  • "Is this YARA code correctly formatted?"

Args:

  • content: YARA rule content to validate

Returns: Validation result with detailed error information if invalid

add_yara_rule

Add a new YARA rule.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Create a new YARA rule named suspicious_urls"
  • "Add this detection rule for PowerShell obfuscation"
  • "Save this YARA rule to detect malicious macros"

Args:

  • name: Name of the rule
  • content: YARA rule content
  • source: Source of the rule ("custom" or "community")

Returns: Result of the operation

update_yara_rule

Update an existing YARA rule.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Update the ransomware detection rule"
  • "Modify the suspicious_urls rule to include these new patterns"
  • "Fix the syntax error in the malicious_macros rule"

Args:

  • name: Name of the rule
  • content: Updated YARA rule content
  • source: Source of the rule ("custom" or "community")

Returns: Result of the operation

delete_yara_rule

Delete a YARA rule.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Delete the ransomware detection rule"
  • "Remove the rule named suspicious_urls"
  • "Get rid of the outdated CVE-2020-1234 rule"

Args:

  • name: Name of the rule
  • source: Source of the rule ("custom" or "community")

Returns: Result of the operation

import_threatflux_rules

Import ThreatFlux YARA rules from GitHub.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Import YARA rules from ThreatFlux"
  • "Get the latest detection rules from the ThreatFlux repository"
  • "Import YARA rules from a custom GitHub repo"

Args:

  • url: URL to the GitHub repository (if None, use default ThreatFlux repository)
  • branch: Branch name to import from

Returns: Import result

upload_file

Upload a file to the storage system.

This tool allows you to upload files with metadata for later retrieval and analysis. Files can be uploaded as base64-encoded data or plain text.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Upload this file with base64 data: SGVsbG8gV29ybGQ="
  • "Save this text as a file named example.txt: This is the content"
  • "Store this code snippet as script.py with metadata indicating it's executable"

Args:

  • data: File content encoded as specified by the encoding parameter
  • file_name: Name of the file
  • encoding: Encoding of the data ("base64" or "text")
  • metadata: Optional metadata to associate with the file

Returns: File information including ID, size, and metadata

get_file_info

Get detailed information about a file.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Get details about file abc123"
  • "Show me the metadata for file xyz789"
  • "What's the size and upload date of file 456def?"

Args:

  • file_id: ID of the file

Returns: File information including metadata

list_files

List files with pagination and sorting.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me all the uploaded files"
  • "List the most recently uploaded files first"
  • "Show files sorted by name in alphabetical order"
  • "List the largest files first"

Args:

  • page: Page number (1-based)
  • page_size: Number of items per page
  • sort_by: Field to sort by (uploaded_at, file_name, file_size)
  • sort_desc: Sort in descending order if True

Returns: List of files with pagination info

delete_file

Delete a file from storage.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Delete file abc123"
  • "Remove the file with ID xyz789"
  • "Please get rid of file 456def"

Args:

  • file_id: ID of the file to delete

Returns: Deletion result

extract_strings

Extract strings from a file.

This tool extracts ASCII and/or Unicode strings from a file with a specified minimum length. It's useful for analyzing binary files or looking for embedded text in files.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Extract strings from file abc123"
  • "Find all text strings in the file with ID xyz789"
  • "Show me any readable text in file 456def with at least 8 characters"

Args:

  • file_id: ID of the file
  • min_length: Minimum string length
  • include_unicode: Include Unicode strings
  • include_ascii: Include ASCII strings
  • limit: Maximum number of strings to return

Returns: Extracted strings and metadata
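The following is an added example of the kind of string extraction this tool describes; it is not YaraFlux's own code. It assumes the server has already loaded the file's bytes by file_id, so it works on a bytes value directly, and it treats "Unicode strings" as UTF-16LE (the common Windows wide-string layout), which is an assumption. It honours min_length, the include_ascii / include_unicode switches and the limit cap, and reports whether the cap truncated the result so an analyst knows the list is incomplete.

```python
import re
from typing import Dict, List

# Constructed sample (not a real file): a PE-like header, an ASCII DOS stub message,
# a UTF-16LE import name, binary noise, an ASCII API name and a too-short tail.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00\x00"
    + "kernel32.dll".encode("utf-16-le")
    + b"\x00\x01\x02"
    + b"GetProcAddress"
    + b"\xff\xfe"
    + b"ab"
)


def extract_strings(
    data: bytes,
    min_length: int = 4,
    include_ascii: bool = True,
    include_unicode: bool = True,
    limit: int = 100,
) -> Dict:
    """Return printable ASCII and UTF-16LE runs of at least min_length characters.

    Each hit carries its byte offset so it can be cross-referenced with a hex view
    or a YARA string match. Results are sorted by offset and capped at `limit`.
    """
    if min_length < 1:
        raise ValueError("min_length must be at least 1")
    if limit < 0:
        raise ValueError("limit must not be negative")

    found: List[Dict] = []

    if include_ascii:
        # Printable ASCII (0x20..0x7e), at least min_length bytes in a row.
        ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_length)
        for m in ascii_re.finditer(data):
            found.append(
                {"offset": m.start(), "encoding": "ascii", "value": m.group().decode("ascii")}
            )

    if include_unicode:
        # Assumption: "Unicode" means UTF-16LE, i.e. printable byte followed by NUL,
        # repeated at least min_length times.
        wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length)
        for m in wide_re.finditer(data):
            found.append(
                {"offset": m.start(), "encoding": "utf-16le", "value": m.group().decode("utf-16-le")}
            )

    found.sort(key=lambda s: s["offset"])
    total = len(found)
    return {
        "strings": found[:limit],
        "total_found": total,
        "truncated": total > limit,  # tells the caller the cap hid some hits
        "min_length": min_length,
    }


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BYTES, min_length=4)["strings"]:
        print(f'{s["offset"]:#08x} {s["encoding"]:8} {s["value"]}')
```

Keeping the offsets in the output matters in practice: a string such as GetProcAddress by itself is uninteresting, but its position relative to other artefacts is what the hex view and a YARA match can be lined up against.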

get_hex_view

Get hexadecimal view of file content.

This tool provides a hexadecimal representation of file content with optional ASCII view. It's useful for examining binary files or seeing the raw content of text files.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me a hex dump of file abc123"
  • "Display the hex representation of file xyz789"
  • "I need to see the raw bytes of file 456def"

Args:

  • file_id: ID of the file
  • offset: Starting offset in bytes
  • length: Number of bytes to return (if None, a reasonable default is used)
  • bytes_per_line: Number of bytes per line in output

Returns: Hexadecimal representation of file content
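As an added example (not YaraFlux's own implementation) of the hex view described above: it takes the file's bytes directly rather than a file_id, renders offset, hex and ASCII columns, and applies the offset, length and bytes_per_line arguments. The 256-byte default for length is an assumption standing in for the page's "reasonable default". It also reports the file's total size and whether the window stopped short of the end, so a caller paging through a large sample knows when to ask for the next window.

```python
from typing import Dict, Optional

DEFAULT_LENGTH = 256  # assumption: stands in for the tool's "reasonable default"

# Constructed sample (not a real file): 32 control/binary bytes followed by text.
SAMPLE = bytes(range(32)) + b"Hello, YARA!"


def get_hex_view(
    data: bytes,
    offset: int = 0,
    length: Optional[int] = None,
    bytes_per_line: int = 16,
) -> Dict:
    """Render data[offset:offset+length] as classic hexdump lines with an ASCII column.

    Non-printable bytes are shown as '.' in the ASCII column so terminal escape
    sequences or NULs embedded in a sample never reach the caller's display raw.
    """
    if offset < 0:
        raise ValueError("offset must not be negative")
    if bytes_per_line < 1:
        raise ValueError("bytes_per_line must be at least 1")
    if length is None:
        length = DEFAULT_LENGTH
    if length < 0:
        raise ValueError("length must not be negative")

    chunk = data[offset : offset + length]  # slicing past EOF simply yields fewer bytes
    lines = []
    hex_width = bytes_per_line * 3 - 1  # "xx " per byte minus the trailing space

    for i in range(0, len(chunk), bytes_per_line):
        row = chunk[i : i + bytes_per_line]
        hex_part = " ".join(f"{b:02x}" for b in row).ljust(hex_width)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{offset + i:08x}  {hex_part}  |{ascii_part}|")

    return {
        "offset": offset,
        "length": len(chunk),
        "total_size": len(data),
        "truncated": offset + len(chunk) < len(data),
        "hex_view": "\n".join(lines),
    }


if __name__ == "__main__":
    print(get_hex_view(SAMPLE, offset=32, bytes_per_line=8)["hex_view"])
```

The returned length is the number of bytes actually rendered, not the number requested, which is the value a caller should add to offset when walking the file window by window.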

download_file

Download a file's content.

This tool retrieves the content of a file, returning it in the specified encoding.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Download file abc123 and show me its contents"
  • "Get the content of file xyz789 as text if possible"
  • "Retrieve file 456def for me"

Args:

  • file_id: ID of the file to download
  • encoding: Encoding for the returned data ("base64" or "text")

Returns: File content and metadata

get_storage_info

Get information about the storage system.

This tool provides detailed information about storage usage, including:

  • Storage type (local or remote)
  • Directory locations
  • File counts and sizes by storage type

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Show me storage usage information"
  • "How much space is being used by the system?"
  • "What files are stored and how much space do they take up?"

Returns: Information about storage usage and configuration

clean_storage

Clean up storage by removing old files.

This tool removes old files from storage to free up space. It can target specific storage types and age thresholds.

For LLM users connecting through MCP, this can be invoked with natural language like:

  • "Clean up old scan results"
  • "Remove files older than 30 days"
  • "Free up space by deleting old samples"

Args:

  • storage_type: Type of storage to clean ('results', 'samples', or 'all')
  • older_than_days: Remove files older than X days (if None, use default)

Returns: Cleanup result with count of removed files and freed space

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources