Commit
* bump versions of Zeek and Moloch and Elastic/beats
* added HASSH fingerprinting for SSH
* added Community ID fingerprinting for flows
* detect and upgrade Moloch administrative tables on startup
* default to faster java execution engine
* lots of bug fixes and tweaks

-----------------------------------
individual commit comments:

* tweaks to build of malcolm iso and log filtering
* sync sensor shared script with malcolm shared script
* Bump Zeek version to 2.6.3
* reduce log verbosity
* tweaks to build of malcolm iso and log filtering
* tweak config file for remote sensor communication
* bump version to 1.4.1
* sync sensor shared script with malcolm shared script
* Restore syslinux entry for ISO build
* ISO/Docker build improvements:
  1. Make sure the ISO is built with the right version number in the name
  2. Spot check the contents of the docker images to make sure files were built/pulled correctly
* ISO build tweaks
* bump elastic version
* added query syntax cheat sheet
* bump development version to 1.5.0
* for issue #42, enable community_id for zeek plugins to populate conn.log
* issue #44: cast newly inputted values for settings.json to integers before storing
* Development for Malcolm v1.5 (#49)
* update moloch to 2.0, issue #46
* Disable detect-MHR.bro by default in local.bro.
  As we don't want Zeek reaching out to the internet by default to do hash lookups, disable policy/frameworks/files/detect-MHR.bro in local.bro.
  See https://docs.zeek.org/en/stable/scripts/policy/frameworks/files/detect-MHR.bro.html
  See https://www.team-cymru.com/mhr.html#DNS
  In the meantime people who want this can override it with a volume mount in docker with the value uncommented. I may put it back in with an environment variable to enable it if desired.
* add debugging code to zeek-carve-monitor.py
* Development for Moloch v1.5 (#50)
* update moloch to 2.0, issue #46
* Disable detect-MHR.bro by default in local.bro.
  As we don't want Zeek reaching out to the internet by default to do hash lookups, disable policy/frameworks/files/detect-MHR.bro in local.bro.
  See https://docs.zeek.org/en/stable/scripts/policy/frameworks/files/detect-MHR.bro.html
  See https://www.team-cymru.com/mhr.html#DNS
  In the meantime people who want this can override it with a volume mount in docker with the value uncommented. I may put it back in with an environment variable to enable it if desired.
* add debugging code to zeek-carve-monitor.py
* don't rely on environment variable INITIALIZEDB in docker-compose.yml to determine if Moloch has created the Elasticsearch database configuration files. Instead, look and see if zeek_template has been loaded or not.
  Fixes issue 45: INITIALIZEDB environment variable and restart value in docker-compose.yml could cause moloch container to wipe elasticsearch database on every reboot
* Create startup.nsh for EFI boot entry grubx64.efi; fixes issue with VirtualBox/VMWare not being able to find the EFI boot entry. Should not affect hardware boot.
* Development for Malcolm v1.5 (#52)
* work on issue #47, handle moloch db.pl upgrades
  When moloch changes its index definition, it needs to be upgraded with db.pl. Upon starting Malcolm's Moloch docker container I am now comparing the list of all of the indexes against the known current versions of the administrative indices. If they don't match, I run the upgrade script before starting capture/viewer.
  see https://molo.ch/faq#upgrading-moloch
  see https://molo.ch/faq#how_do_i_upgrade_to_moloch_2
* improve tagging and views for routable (public) IPv4 addresses; issue #51
* fixed table formatting
* Development: sync scripts from hedgehog (#54)
* sync scripts from hedgehog sensor
* sync scripts from hedgehog sensor
* default LOGSTASH_JAVA_EXECUTION_ENGINE to true for better logstash performance
* tweak local.bro, enable credential gathering
* Issue #55, include HASSH in Zeek plugins for SSH fingerprinting
* Added database of JA3 fingerprints from https://ja3er.com
* fix session sort direction for new users
* add documentation for community ID/zeek uid correlation
* added patch to fix incorrect quoting, cherry-picked from aol/moloch:master commit 4de1686 for moloch issue 1146
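The Community ID flow hash that this release enables in Zeek's conn.log and uses to correlate Zeek and Moloch records is computed as below. This is an added example, not code from the Malcolm, Zeek or Moloch projects; it follows the published Community ID v1 layout (seed, ordered addresses, protocol, pad byte, ordered ports, SHA-1, base64) for TCP/UDP/SCTP only, and the conn.log record and addresses are constructed for illustration.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-based protocols this example handles
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "sctp": 132}

def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1 for one TCP/UDP/SCTP flow (addresses as strings).

    The (address, port) pairs are sorted before hashing, so both directions
    of a connection yield the same ID; that is what lets a Zeek conn.log row
    be joined with a Moloch session for the same traffic.
    """
    if proto not in PORT_PROTOCOLS.values():
        raise ValueError(f"protocol {proto} is not port-based; not handled here")
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("address family mismatch")
    # Canonical ordering: the lower (address, port) pair, compared bytewise, goes first
    if (dst, dport) < (src, sport):
        src, sport, dst, dport = dst, dport, src, sport
    data = struct.pack("!H", seed)            # 16-bit seed, network byte order
    data += src + dst                         # packed first then second address
    data += struct.pack("!BB", proto, 0)      # protocol number and one zero pad byte
    data += struct.pack("!HH", sport, dport)  # ports, network byte order
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def community_id_for_conn(rec):
    """Derive the ID from a Zeek conn.log record given as a dict keyed by conn.log field names."""
    return community_id_v1(rec["id.orig_h"], int(rec["id.orig_p"]),
                           rec["id.resp_h"], int(rec["id.resp_p"]),
                           PORT_PROTOCOLS[rec["proto"]])

# Constructed sample conn.log record (documentation-range addresses, not real traffic)
SAMPLE_CONN = {"id.orig_h": "192.0.2.10", "id.orig_p": "51234",
               "id.resp_h": "198.51.100.7", "id.resp_p": "22", "proto": "tcp"}

if __name__ == "__main__":
    cid = community_id_for_conn(SAMPLE_CONN)
    # The reverse direction of the same connection must hash to the same ID
    assert cid == community_id_v1("198.51.100.7", 22, "192.0.2.10", 51234, 6)
    print(cid)
```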