Network Security

Purpose

Analyses network traffic for DDoS, intrusion attempts, DNS tunnelling, protocol anomalies, reconnaissance, exfiltration, and VPN/remote-access anomalies. Read+act posture (firewall rules, blocking).

MCP Domains

Domain	Description
`network`	Flow analysis, firewall rule management
`siem`	Log search, event correlation
`network_capture`	PCAP analysis, stream extraction, protocol decoding

Tools

Tool	Description
`analyze_flows`	NetFlow/sFlow statistical analysis
`detect_dns_tunneling`	DNS anomaly detection
`block_ip`	Firewall IP blocking
`capture_traffic`	Start packet capture
`analyze_pcap`	Deep packet inspection
`extract_streams`	Extract TCP/UDP streams from PCAP
`protocol_decode`	Decode application-layer protocols

Input schema

{
  "query": "string",
  "time_range": {"start": "ISO8601", "end": "ISO8601"},
  "analysis_type": "flow | dns | intrusion | exfiltration | all",
  "target_segment": "string"
}

Output schema

{
  "severity": "Critical | High | Medium | Low | Info",
  "confidence": "float",
  "threat_type": "string",
  "affected_networks": ["string"],
  "flow_analysis": "string",
  "dns_analysis": "string",
  "mitre_techniques": ["string"],
  "iocs": [
    {"type": "string", "value": "string", "confidence": "float"}
  ],
  "recommended_firewall_rules": [
    {
      "rule_logic": "string",
      "rationale": "string",
      "revert_guidance": "string"
    }
  ],
  "sigma_rules": [
    {
      "title": "string",
      "description": "string",
      "level": "string",
      "logsource": {"category": "string", "product": "string"},
      "detection": {"selection": {}, "condition": "string"}
    }
  ]
}

Memory config

Parameter	Value
`sliding_window`	30
`enable_episodic`	true
`enable_threat_intel`	false
`auto_persist_interval`	20

Allow-list

network, siem, network_capture

Purpose​

MCP Domains​

Tools​

Input schema​

Output schema​

Memory config​

Allow-list​