Releases: cisagov/Malcolm
Malcolm v24.05.0
Malcolm v24.05.0 contains new features, improvements, bug fixes and component version updates.
- Features and enhancements
- Added ARM64/AArch64 support. Malcolm can now run natively on ARM64 hardware. The `./scripts/configure` script should detect the architecture and automatically adjust the `image:` names in the `docker-compose.yml` files in Docker deployments, or this can be changed manually by appending `-arm64` to the tag for Malcolm's Docker images, e.g., `ghcr.io/idaholab/malcolm/zeek:24.05.0-arm64`. (idaholab#369)
- Support for new environment variables added to Hedgehog Linux's `control_vars.conf` for tuning capture-related settings for Arkime on the sensor, bringing them into parity with those that were available in the `arkime-live` container in Malcolm. (idaholab#476)
- Tweaked some of the default resource-related live capture settings for Suricata and Arkime.
- Reworked the environment variables used for tuning Zeek live capture resource and performance on both Malcolm and Hedgehog Linux. An in-depth discussion of these tuning parameters can be found in the documentation. (idaholab#475)
- Allow setting the `spiDataMaxIndexes` variable for Arkime's `config.ini` file via the `ARKIME_SPI_DATA_MAX_INDICES` environment variable. (idaholab#471)
- Allow custom tags to be specified at the point of log file ingestion (i.e., FileBeat) on Malcolm and Hedgehog Linux. This makes it easier to specify custom tags used to group network traffic by sensor. (idaholab#463)
- Handle invalid URLs made to the Malcolm web-based UIs better (with a custom 404/502 page). (idaholab#461)
- Switched to official .deb packages for Arkime rather than building from source, reducing build times significantly. (Thanks @awick.)
- Component version updates
- Suricata to v7.0.5
- Also, going forward Malcolm will track the latest Suricata release (from the Debian Stable Backports APT repository) rather than what's in the Debian Stable APT repository. (idaholab#462)
- Arkime to v5.2.0
- OpenSearch and OpenSearch Dashboards to v2.14.0
- YARA to v4.5.1
- Beats to v8.13.4
- Logstash to v8.13.4
- YQ to v4.44.1
- Zeek to v6.2.1
- Fluent Bit to v3.0.6
- `requests` Python library to v2.32.0 for CVE-2024-35195
- `flask-cors` Python library on Hedgehog Linux to v4.0.1 for CVE-2024-1681
- `Jinja` Python library on Hedgehog Linux to v3.1.4 for CVE-2024-34064
- `Werkzeug` Python library on Hedgehog Linux to v3.0.3 for CVE-2024-34069
- Bug fixes
- The code that cleans up already-processed Zeek and Suricata logs after a defined period of time was out of date for the current FileBeat registry behavior and would potentially leave log files around longer than they needed to be. This has been remedied. (idaholab#479)
- Fixed issue where the BPF capture filter was not passed to Zeek correctly. (idaholab#474)
- The process which queries threat intelligence feeds and generates the corresponding Zeek intel files will no longer replace existing intel definitions unless it succeeds in pulling definitions from at least one of the specified feeds. (idaholab#472)
- Fixed calculation of memory and CPU resources used in `./scripts/status` for Kubernetes deployment. (idaholab#467)
- Configuration changes (in environment variables in `./config/` for Malcolm and in `control_vars.conf` for Hedgehog Linux)
- Malcolm
- Added `ARKIME_SPI_DATA_MAX_INDICES` to `arkime.env` with a default value of `7`, which manifests as `spiDataMaxIndexes` in Arkime's `config.ini`. If you are changing the Arkime index period from daily to weekly, hourly, etc., you may wish to adjust this value. (idaholab#471)
- Added `EXTRA_TAGS` to `upload-common.env` for specifying custom tags to be associated with logs forwarded to Logstash by FileBeat. (idaholab#463)
- A number of new and modified environment variables are available and can be added to `zeek-live.env` for tuning the resource utilization and performance of Zeek's live capture; see the documentation for details. (idaholab#475)
- Hedgehog Linux
- A number of new and modified environment variables are available for `control_vars.conf` for tuning the resource utilization and performance of Zeek's live capture; see the documentation for details. (idaholab#475)
- Added support for new environment variables added to Hedgehog Linux's `control_vars.conf` for tuning capture-related settings for Arkime on the sensor, bringing them into parity with those that were available in the `arkime-live` container in Malcolm. (idaholab#476)
Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (`release_cleaver.sh`) and PowerShell (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.
Malcolm v24.04.0
Malcolm v24.04.0 contains new features, improvements, bug fixes and component version updates.
Because some of the environment variables used for configuring Malcolm have been reorganized in the `.env` files found in the `./config` directory, it is recommended you re-run `./scripts/configure` for this release.
- Features and enhancements
- Zeek-extracted files scanned and preserved on a Hedgehog Linux sensor can now be accessed via the extracted files download user interface (idaholab#331).
- Improvements to creation of index templates, dashboards, and other saved objects on startup (idaholab#208) to ensure that saved objects get created correctly upon upgrade (see this comment for more details on this feature).
- Populating the NetBox inventory via passively-gathered network traffic metadata now uses network traffic logs for DNS, NTLM, and DHCP to identify assets' host names when possible for use when populating device and VM names (idaholab#415). Autopopulated devices now have their status field set to `Active` rather than `Stage`, and use tags instead to indicate that they were created through autopopulation.
- Users can now specify pruning thresholds for carved files so that old files are deleted in order to avoid filling available storage (idaholab#453). See a new section of documentation on Managing disk usage for more information about this and similar settings.
- Users can now specify a prefix that will be prepended to dashboards as they are imported into OpenSearch Dashboards or Kibana, allowing users who have dashboards from other sources to differentiate between those and Malcolm's (idaholab#455).
- The default anomaly detectors created for the OpenSearch Anomaly Detection plugin are now created with category fields for high cardinality to allow for better breakdown of contributing values to anomalies discovered (idaholab#464).
- Include JA4+ plugin in Arkime. See idaholab#419 for status on upcoming full JA4+ support in Malcolm.
- Hedgehog Linux sensors can now periodically refresh their Zeek intelligence files.
- NOTE: Due to an oversight, a value is missing from the default Hedgehog Linux configuration in this release, preventing the intel refresh cron job from executing. As a workaround, appending the line `export INTEL_DIR=/opt/sensor/sensor_ctl/zeek/intel` to `/opt/sensor/sensor_ctl/control_vars.conf` and restarting the sensor services will remedy the situation. This will be corrected in the next Malcolm release.
- Assorted documentation improvements.
- Component version updates
- Arkime to v5.1.2
- OpenSearch and OpenSearch Dashboards to v2.13.0
- Beats to v8.13.2
- Logstash to v8.13.2
- gunicorn to v22.0.0 to address CVE-2024-1135.
- elasticsearch-dsl to v8.13.0
- elasticsearch-py to v8.13.0
- idna to v3.7 to address CVE-2024-3651
- Fluent Bit to v3.0.3
- Bug fixes
- The documentation for Windows host system configuration was out of date and has been updated for the latest version of Microsoft Windows Subsystem for Linux (idaholab#421).
- An issue was fixed in which Malcolm's list of users and their password hashes could become corrupted if the file did not initially end with a newline character (idaholab#426).
- The manner in which Zeek intel files are generated has been changed to avoid problems found in Kubernetes deployments when scaling out the number of `zeek-live` containers (idaholab#456). See this comment for more details.
- Removed the version top-level element from `docker-compose.yml` files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
- Fix Malcolm ISO not correctly detecting if it's in a live boot ISO environment or installed mode.
- Restart live Zeek instances with `zeekctl deploy` instead of `zeekctl restart`.
- Configuration changes (in environment variables in `./config/`)
- `ARKIME_QUERY_ALL_INDICES` in `arkime.env` can be set to control the `queryAllIndices` setting in Arkime's `config.ini`.
- `DASHBOARDS_PREFIX` in `dashboards-helper.env` has been added for idaholab#455 (see above in Features and Enhancements).
- `LOGSTASH_NETBOX_ENRICHMENT_DATASETS` in `logstash.env` has been changed to include `zeek.dhcp`, `zeek.dns`, and `zeek.ntlm` to support idaholab#415 (see above in Features and Enhancements).
- `LOGSTASH_ZEEK_IGNORED_LOGS` in `logstash.env` has been changed to remove `capture_loss` and `stats` so that those diagnostic Zeek logs can be parsed without the user having to manually change this variable.
- `ZEEK_CRON` has been removed from `zeek-live.env`, and `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` was removed from `zeek.env` and moved to the "offline" version of the container in `zeek-offline.env` for idaholab#456.
- `EXTRACTED_FILE_PRUNE_THRESHOLD_MAX_SIZE`, `EXTRACTED_FILE_PRUNE_THRESHOLD_TOTAL_DISK_USAGE_PERCENT`, and `EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS` were added to `zeek.env` for idaholab#453. See a new section of documentation on Managing disk usage for more information about these and similar settings.
Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (`release_cleaver.sh`) and PowerShell (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.
Malcolm v24.03.1
Malcolm v24.03.1 contains new features, improvements, bug fixes and component version updates.
Because some of the environment variables used for configuring Malcolm have been reorganized in the `.env` files found in the `./config` directory, it is strongly recommended you re-run `./scripts/configure` for this release.
- Features and enhancements
- Malcolm instances created using the installer ISO will now detect and format any large (>100GB) storage devices and automatically set them up for use for storing the OpenSearch data store, PCAP files, and/or log storage, similar to what Hedgehog Linux does. (idaholab#266)
- Since v24.01.0, Malcolm has allowed users to specify custom index patterns for Zeek and Suricata logs (see issue 313). This release now also provides the capability for Arkime to know about those indexes so that those documents also appear in Arkime search results. (idaholab#313, arkime/arkime#2705) As this is not released in Arkime yet, Malcolm is using a local patch with these changes, to be released upstream in Arkime v5.0.2.
- A new setting for Logstash has been added to allow autocreation and assignment of NetBox subnets during enrichment. If "Should Malcolm automatically create missing NetBox subnet prefixes based on observed network traffic?" is answered in the affirmative during configuration, observed traffic that does not fall into any existing NetBox prefix will cause one to automatically be created, creating them one level down (e.g., 8 additional masked bits) from the RFC1918 address space definitions. This replaces an earlier feature (controlled by the `NETBOX_PRELOAD_PREFIXES` variable, which no longer has any effect) in which three giant buckets (one for each block in the RFC1918 private address definitions) could be created once at startup. (idaholab#436) So, for example:
- `10./16` (`255.255.0.0`): the IP address `10.9.0.215` would cause us to create and assign it to a `10.9.0.0/16` subnet
- `192.168./24` (`255.255.255.0`): the IP address `192.168.100.123` would cause us to create and assign it to a `192.168.100.0/24` subnet
- `172.16./20` (`255.255.240.0`): the IP address `172.16.29.10` would cause us to create and assign it to a `172.16.29.10/20` subnet
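The "one level down" rule above, worked through as an added example (this is not Malcolm's Logstash code): each RFC1918 block gets 8 more masked bits, an address already covered by an existing NetBox prefix reuses the most specific match, and non-private addresses create nothing. Prefixes are written as network addresses, so the `172.16./20` case appears as `172.16.16.0/20`; the observed address list is constructed.

```python
# Added example (not Malcolm's own code): reproduce the NetBox subnet
# autocreation rule from the v24.03.1 notes. An observed RFC1918 address that
# falls in no existing NetBox prefix gets a new prefix one level down from its
# RFC1918 block: 10/8 -> /16, 172.16/12 -> /20, 192.168/16 -> /24.
import ipaddress
from typing import Iterable, List, Optional

# The three RFC1918 private address blocks.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
EXTRA_MASKED_BITS = 8  # "8 additional masked bits" from the release notes


def auto_prefix_for(ip_str: str, existing_prefixes: Iterable[str]) -> Optional[ipaddress.IPv4Network]:
    """Return the prefix an observed address should be assigned to.

    If one or more existing prefixes already contain the address, the most
    specific (longest) one wins and nothing new is needed. Otherwise, for an
    RFC1918 address, derive the prefix one level down from its block; for a
    public (or non-IPv4) address return None, since Malcolm creates nothing.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return None
    existing = [ipaddress.ip_network(p, strict=False) for p in existing_prefixes]
    containing = [p for p in existing if ip in p]
    if containing:
        return max(containing, key=lambda p: p.prefixlen)
    for block in RFC1918_BLOCKS:
        if ip in block:
            new_len = block.prefixlen + EXTRA_MASKED_BITS
            # strict=False clears the host bits, yielding the network address
            return ipaddress.ip_network(f"{ip}/{new_len}", strict=False)
    return None


def simulate_enrichment(observed_ips: Iterable[str], existing_prefixes: Iterable[str] = ()) -> List[str]:
    """Walk observed addresses in order and return the prefixes that would be
    auto-created, each exactly once, in creation order. Existing prefixes are
    normalized to network addresses so they compare equal to derived ones."""
    prefixes = [str(ipaddress.ip_network(p, strict=False)) for p in existing_prefixes]
    created: List[str] = []
    for ip_str in observed_ips:
        prefix = auto_prefix_for(ip_str, prefixes)
        if prefix is not None and str(prefix) not in prefixes:
            prefixes.append(str(prefix))
            created.append(str(prefix))
    return created


if __name__ == "__main__":
    # Constructed sample of observed source/destination addresses.
    observed = ["10.9.0.215", "10.9.200.1", "192.168.100.123", "8.8.8.8", "172.16.29.10"]
    for ip in observed:
        print(f"{ip:>16} -> {auto_prefix_for(ip, [])}")
    print("created:", simulate_enrichment(observed))
```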
- New configuration settings have been added to specify creation and rotation of Suricata's EVE JSON log files, including controls for threaded file output and file rotation. See this comment for a full description of the changes (idaholab#445). Most noteworthy are:
- `SURICATA_EVE_THREADED` - controls threaded file output (default `false`)
- `SURICATA_EVE_ROTATE_INTERVAL` - controls eve.json file rotation (default `1h`)
- Table visualizations in Malcolm's prebuilt OpenSearch Dashboards were not consistent in the number of rows returned. This has been standardized to `100`, and `otherBucket: true` has been set for all of these table visualizations to ensure that the end user knows that `Other` rows may also exist outside of the rows shown. (idaholab#447)
- Some field mappings were moved from `malcolm_template.json` to the composable template `malcolm_common.json`
- Documentation improvements
- Minor update to slides
- Some directories named like `bro_logs` were renamed to `zeek_logs` on Hedgehog Linux
- The Community ID field is now being added to Zeek's `notice.log`
- Attempt to install necessary Python 3 packages at the beginning of `install.py` instead of just failing
- Component version updates
- Zeek to v6.2.0
- opensearch-py to v2.5.0
- Fluent Bit to v3.0.0
- Moved from the no-longer-maintained Salesforce repo for HASSH to Corelight's
- Bug fixes
- AF_PACKET was not being utilized for capturing traffic on Malcolm in the `zeek-live` container. This did not affect Suricata, Arkime capture, or any of the Hedgehog Linux processes. (idaholab#437)
- The Packet Capture Statistics dashboard was not correctly computing seen and dropped packets for Suricata. (idaholab#442)
- A STDERR warning from the new Docker Compose v2.25 was messing up the creation of the OpenSearch keystore file. (idaholab#452)
- Fixed an issue in which the Dashboards for non-network data (e.g., temperatures, resource usage, etc.) would not see the correct data if the `MALCOLM_OTHER_INDEX_PATTERN` variable had been set to something other than the default.
- Ensure that index names created for use by Logstash sending to OpenSearch/Elasticsearch are lowercase
- Major cleanup and refactoring of the NetBox enrichment code used by Logstash
- Configuration changes (in environment variables in `./config/`)
- `ARKIME_DEBUG_LEVEL=0` has been added to `arkime.env` to control the `debug` level for Arkime's `config.ini`.
- Additions/deletions in `netbox-common.env` (also, see below for some existing variables that were moved from `logstash.env`):
- `NETBOX_PRELOAD_PREFIXES` has been removed and replaced with `NETBOX_AUTO_CREATE_PREFIX` for idaholab#436
- `NETBOX_ENRICHMENT_LOOKUP_SERVICE=true` has been added to indicate whether or not services (i.e., destination IP/port) should be looked up during NetBox enrichment
- Comments were added to `opensearch.env` to give examples of how to set the time bucketing for OpenSearch/Elasticsearch indexes
- In addition to the new variables mentioned above, some cleanup and organization was done in the environment variable files used for configuring Malcolm:
- `LOG_CLEANUP_MINUTES` and `ZIP_CLEANUP_MINUTES` are now in `filebeat.env`, moved from `upload-common.env`
- Some NetBox related variables have been moved from `logstash.env` to `netbox-common.env` and renamed:
- `LOGSTASH_NETBOX_ENRICHMENT` is now `NETBOX_ENRICHMENT`
- `LOGSTASH_NETBOX_AUTO_POPULATE` is now `NETBOX_AUTO_POPULATE`
- `LOGSTASH_NETBOX_CACHE_SIZE` is now `NETBOX_CACHE_SIZE`
- `LOGSTASH_NETBOX_CACHE_TTL` is now `NETBOX_CACHE_TTL`
Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (`release_cleaver.sh`) and PowerShell (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.
Malcolm v24.03.0
Malcolm v24.03.0 contains new features, improvements, bug fixes and component version updates.
- Features and enhancements
- support json-delimited import for Zeek logs (idaholab#65)
- go through list of Trivy security findings (idaholab#236)
- support /attributes and /events endpoints from MISP feed for Zeek intel generation (idaholab#336)
- KEV detections for Unitronics VisiLogic CVE-2023-6448 (idaholab#394)
- create dashboards for other non-network log data (idaholab#414)
- links on landing page should open in a new tab (idaholab#427)
- incorporate ICSNPP Profinet IO CM parser (idaholab#429)
- Component version updates
- Arkime to v5.0.1
- OpenSearch and OpenSearch Dashboards to v2.12.0
- Bug fixes
- fix the way we do environment variables in local.zeek (idaholab#413)
- a few issues with the install.py script when installing from GitHub releases (idaholab#416)
- htadmin creating entries without a newline between them in the htpasswd file (idaholab#426)
- hard-coded date value in Kibana pivot links (idaholab#428)
- unencrypted, unzipped extracted file download not working (idaholab#431)
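The htpasswd newline problem behind idaholab#426 (reported here and in the v24.04.0 bug fixes above), shown as an added example rather than Malcolm's own htadmin code: a naive append to a file whose last line lacks a newline fuses two `user:hash` entries into one line, which a strict parser rejects; the fix is to terminate the last line first. The sample file contents and hash strings are constructed placeholders.

```python
# Added example (not Malcolm's own code): the htpasswd trailing-newline hazard
# fixed in idaholab#426. Entries are "user:hash" lines; if the file does not
# end with a newline, appending blindly fuses the last entry with the new one.
from typing import Dict

# Constructed sample: one entry, no trailing newline (the hazardous state).
SAMPLE_HTPASSWD = b"alice:$apr1$CONSTRUCTEDSALT$constructedhash"


def naive_append(content: bytes, username: str, password_hash: str) -> bytes:
    """The buggy behaviour: append without checking how the file ends."""
    return content + f"{username}:{password_hash}\n".encode("utf-8")


def safe_append(content: bytes, username: str, password_hash: str) -> bytes:
    """Terminate an unterminated last line before appending the new entry."""
    if content and not content.endswith(b"\n"):
        content += b"\n"
    return content + f"{username}:{password_hash}\n".encode("utf-8")


def parse_htpasswd(content: bytes) -> Dict[str, str]:
    """Parse user -> hash strictly.

    Every non-blank line must contain exactly one ':' (common htpasswd hash
    formats such as $apr1$, bcrypt and {SHA} contain none), so a fused line
    like 'alice:$apr1$...bob:$apr1$...' raises instead of silently registering
    a bogus user with an unverifiable hash and locking both users out.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.decode("utf-8")
        if not line.strip():
            continue
        if line.count(":") != 1 or line.startswith(":"):
            raise ValueError(f"malformed htpasswd entry on line {lineno}: {line!r}")
        user, _, digest = line.partition(":")
        if user in entries:
            raise ValueError(f"duplicate user {user!r} on line {lineno}")
        entries[user] = digest
    return entries


def is_well_formed(content: bytes) -> bool:
    """True when the file parses and is safe to append to (empty or
    newline-terminated); False for fused or unterminated content."""
    try:
        parse_htpasswd(content)
    except ValueError:
        return False
    return (not content) or content.endswith(b"\n")


if __name__ == "__main__":
    fused = naive_append(SAMPLE_HTPASSWD, "bob", "$apr1$CONSTRUCTED2$hash2")
    fixed = safe_append(SAMPLE_HTPASSWD, "bob", "$apr1$CONSTRUCTED2$hash2")
    print("naive append well-formed:", is_well_formed(fused))  # False
    print("safe append well-formed: ", is_well_formed(fixed))  # True
    print(parse_htpasswd(fixed))
```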
- Configuration changes (in environment variables in `./config/`)
- these variables in `zeek.env`:

```
# Set to true to indicate that Zeek should output logs in JSON format
ZEEK_JSON=
# Whether or not to require SSL certificate verification when querying a TAXII or MISP feed
ZEEK_INTEL_FEED_SSL_CERTIFICATE_VERIFICATION=false
# Whether or not to disable the ICSNPP Profinet IO CM parser
ZEEK_DISABLE_ICS_PROFINET_IO_CM=
```
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
Malcolm v24.02.1
Malcolm v24.02.1 is identical to v24.02.0 except for a minor fix to the code that builds the Hedgehog Linux Raspberry Pi image.
The usual build artifacts are not included in this release, and new docker images for Malcolm have not been published.
Malcolm v24.02.0
Malcolm v24.02.0 contains new features, improvements, bug fixes and component version updates.
- Features and enhancements
- Hedgehog Linux SD card image for Raspberry Pi (idaholab#250; special thanks to @aut0exec for his work on this)
- allow configuration of Arkime's ILM/ISM settings (idaholab#300)
- add option for customizing which log types get NetBox enrichment (idaholab#316)
- improve the extracted_files download page (idaholab#329)
- include missing aggregations in API bucket queries (idaholab#386)
- more intelligent .env file checking on startup (idaholab#387)
- Malcolm report to itself on capture statistics (idaholab#395)
- link to Dashboards/Arkime from NetBox devices view (idaholab#410)
- changed default PCAP storage format to zstd(3) for new installations
- various documentation updates and improvements
- changed back to using official Zeek .deb files rather than building from source to reduce build times
- Component version updates
- Bug fixes
- pivot links from Arkime to Kibana in external elasticsearch are not working (idaholab#335)
- redirect /dashboards/ link to Kibana in NGINX proxy in elasticsearch/kibana-based deployment (idaholab#403)
- allow netbox-restore and netbox-backup to specify container name (idaholab#337)
- fuzzy matching for manufacturers based on OUI to NetBox list is not very good (idaholab#393) (and updated documentation)
- source.ip and destination.ip not set for parsed files.log entries for uploaded PCAP (idaholab#401)
- event.severity_tags is not being assigned correctly based on rule.category (idaholab#402)
- basic authentication breaks with special characters (idaholab#404)
- changed some Logstash Ruby variables from global (`$`) to instance (`@`) (see "avoiding concurrency issues")
- Configuration changes (in environment variables in `./config/`)
- these variables in `arkime.env` to allow configuration of Arkime's ILM/ISM settings (idaholab#300)

```
# These variables manage setting for Arkime's ILM/ISM features (https://arkime.com/faq#ilm)
# Whether or not Arkime should perform index management
INDEX_MANAGEMENT_ENABLED=false
# Time in hours/days before moving to warm and force merge (number followed by h or d)
INDEX_MANAGEMENT_OPTIMIZATION_PERIOD=30d
# Time in hours/days before deleting index (number followed by h or d)
INDEX_MANAGEMENT_RETENTION_TIME=90d
# Number of replicas for older sessions indices
INDEX_MANAGEMENT_OLDER_SESSION_REPLICAS=0
# Number of weeks of history to retain
INDEX_MANAGEMENT_HISTORY_RETENTION_WEEKS=13
# Number of segments to optimize sessions for
INDEX_MANAGEMENT_SEGMENTS=1
# Whether or not Arkime should use a hot/warm design (storing non-session data in a warm index)
INDEX_MANAGEMENT_HOT_WARM_ENABLED=false
```

- these variables in `dashboards.env` to override the values automatically configured for pivot links (idaholab#335) and `/dashboard/` redirect (idaholab#403) for Elasticsearch backend

```
# These values are used to handle the Arkime value actions to pivot from Arkime
# to Dashboards. The nginx-proxy container's entrypoint will try to formulate
# them automatically, but they may be specified explicitly here.
NGINX_DASHBOARDS_PREFIX=
NGINX_DASHBOARDS_PROXY_PASS=
```

- these variables in `logstash.env` for customizing which log types get NetBox enrichment (idaholab#316) and customizing which types of Zeek logs will be ignored (dropped) by LogStash

```
# Which types of logs will be enriched via NetBox (comma-separated list of provider.dataset, or the string all to enrich all logs)
LOGSTASH_NETBOX_ENRICHMENT_DATASETS=suricata.alert,zeek.conn,zeek.known_hosts,zeek.known_services,zeek.notice,zeek.signatures,zeek.software,zeek.weird
# Zeek log types that will be ignored (dropped) by LogStash
LOGSTASH_ZEEK_IGNORED_LOGS=analyzer,broker,bsap_ip_unknown,bsap_serial_unknown,capture_loss,cluster,config,ecat_arp_info,loaded_scripts,packet_filter,png,print,prof,reporter,stats,stderr,stdout
```

- these variables in `netbox-common.env` for adjusting matching device manufacturers to OUIs in NetBox autopopulation

```
# Customize manufacturer matching/creation with LOGSTASH_NETBOX_AUTO_POPULATE (see logstash.env)
NETBOX_DEFAULT_AUTOCREATE_MANUFACTURER=true
NETBOX_DEFAULT_FUZZY_THRESHOLD=0.95
```

- these variables in `suricata-live.env` and `zeek-live.env` that can be used to configure Malcolm reporting to itself on its Zeek and Suricata live capture statistics (idaholab#395)

```
# Whether or not enable capture statistics and include them in eve.json
SURICATA_STATS_ENABLED=false
SURICATA_STATS_EVE_ENABLED=false
SURICATA_STATS_INTERVAL=30
SURICATA_STATS_DECODER_EVENTS=false
```

```
# Set ZEEK_DISABLE_STATS to blank to generate stats.log and capture_loss.log
ZEEK_DISABLE_STATS=true
```

- this variable in `zeek.env` related to the improvements to the extracted_files download page (idaholab#329)

```
# Whether or not to use libmagic to show MIME types for Zeek-extracted files served
EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
```
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
Malcolm v24.01.0
Malcolm v24.01.0 contains new features, improvements, bug fixes and component version updates.
- Features and enhancements
- new Malcolm instance landing page (idaholab#252)
- file carve download with password-protected .zip file (idaholab#288)
- new "all files except common plain text files" option for Malcolm's file carving to match Hedgehog capability (idaholab#290)
- allow customizing indexes for logs written to OpenSearch/Elasticsearch (idaholab#313)
- more consistently differentiate between uploaded and live-captured traffic (idaholab#321)
- make download extracted file context item from Arkime smarter (idaholab#330)
- improve netbox device type library import by using "official" import script (idaholab#384)
- Component version updates
- Bug fixes
- Suricata Alerts dashboard "Alerts - Tags" visualization is useless (idaholab#314)
- third party logs are not parsed correctly from fluentbit -> fluentd aggregator -> Malcolm (idaholab#318)
- update document lookup APIs to search either network or host data (idaholab#322)
- suricata rule update is broken (idaholab#323)
- time sync from hedgehog to Malcolm opensearch instance not working (idaholab#324)
- fix issue specifying database mode via command-line
- have pruning of OpenSearch indices (based on size) include "other" Malcolm indices as well (e.g., nginx logs, system resources, third-party logs, etc.)
- Configuration changes (in environment variables in `./config/`)
- added the following variables with relation to idaholab#313
- added `ARKIME_ROTATE_INDEX` to `arkime.env` with default value of `daily` (see Arkime docs on rotateIndex)
- added the following variables and defaults to `opensearch.env`:

```
# OpenSearch index patterns and timestamp fields
# Index pattern for network traffic logs written via Logstash (e.g., Zeek logs, Suricata alerts)
MALCOLM_NETWORK_INDEX_PATTERN=arkime_sessions3-*
# Default time field to use for network traffic logs in Logstash and Dashboards
MALCOLM_NETWORK_INDEX_TIME_FIELD=firstPacket
# Suffix used to create index to which network traffic logs are written (supports Ruby strftime strings in %{})
MALCOLM_NETWORK_INDEX_SUFFIX=%{%y%m%d}
# Index pattern for other logs written via Logstash (e.g., nginx, beats, fluent-bit, etc.)
MALCOLM_OTHER_INDEX_PATTERN=malcolm_beats_*
# Default time field to use for other logs in Logstash and Dashboards
MALCOLM_OTHER_INDEX_TIME_FIELD=@timestamp
# Suffix used to create index to which other logs are written (supports Ruby strftime strings in %{})
MALCOLM_OTHER_INDEX_SUFFIX=%{%y%m%d}
# Index pattern used specifically by Arkime (will probably match MALCOLM_NETWORK_INDEX_PATTERN, should probably be arkime_sessions3-*)
ARKIME_NETWORK_INDEX_PATTERN=arkime_sessions3-*
# Default time field used for sessions in Arkime viewer
ARKIME_NETWORK_INDEX_TIME_FIELD=firstPacket
```

- changed default for `EXTRACTED_FILE_HTTP_SERVER_KEY` to `infected` in `zeek-secret.env`
- added `EXTRACTED_FILE_HTTP_SERVER_ZIP` with default value of `false` in `zeek.env`, see (idaholab#288)
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
Malcolm v23.12.1
Malcolm v23.12.0 is a minor release with a few updates and bug fixes
- Features and enhancements
- have `install.py` offer to pull the docker images (idaholab#310)
- only overwrite Arkime's `config.ini` with `config.orig.ini` if `config.ini` doesn't already exist (idaholab#311)
- create Suricata rules for Zyxel vulnerabilities from KEV (idaholab#312)
- provide alternate configuration for Arkime `capture` to listen on the interface directly rather than post-processing PCAPs (idaholab#281)
- added `SURICATA_DISABLE_ICS_ALL` environment variable to disable OT/ICS analysis in Suricata
- added `ZEEK_INTEL_REFRESH_THREADS` to allow setting the number of threads for intel feed pulls
- documented the different run profiles (`hedgehog` vs. `malcolm` profiles) and generally improved documentation of live capture options
- route `/mapi/opensearch/`, `/mapi/logstash/` and `/mapi/netbox/` from the Malcolm API endpoint to their respective component APIs
- minor improvements to how the user supplies custom rules/config for Suricata, Zeek, and Arkime
- Component version updates
- Bug fixes
- review and fix capabilities granted to containers (idaholab#282)
- change URL for downloading manuf list to new wireshark.org URL / wireshark no longer publishes raw manuf (OUI) list (idaholab#230 and idaholab#306)
- directory hierarchies not being created as Kubernetes configmap correctly (idaholab#308)
- rsyslog no longer in Debian bookworm (idaholab#309)
- removed unused Arkime log and raw directories
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
Malcolm v23.12.0
Malcolm v23.12.0 is a feature release with many improvements, updates and fixes
- Features and enhancements
- replace kbn_sankey_vis with vega or transform (idaholab#147)
- address issues with NetBox database and Logstash's NetBox cache (idaholab#259)
- integrate nsacyber/ELITEWOLF signatures into default rule set CISA (idaholab#275)
- improve error messages for PCAP/artifact processing beyond just icons (idaholab#276)
- option to auto-create "catch-all" NetBox IPAM prefixes for private IP space (idaholab#279)
- use prefix.description instead of VRF for identifying subnets in NetBox (idaholab#280)
- allow customizing Arkime's freeSpaceG setting (for PCAP deletion) in an environment variable (idaholab#285)
- replace master/slave with client/server when parsing modbus logs (idaholab#291)
- put netbox restore database functionality inside container (idaholab#294)
- provide way to customize zeek Site::local_nets (idaholab#295)
- allow configuration of docker's logging driver to prevent disk-exhaustion (idaholab#301)
- allow user to include other suricata config YML files (idaholab#302)
- allow user to be able to provide custom zeek config (idaholab#303)
- allow tuning Suricata's max-pending-packets via environment variable (idaholab#304)
- enable OpenSearch dashboards condensed header
- Component version updates
- Bug fixes
- Malcolm Sensor Temperature dashboard issue (idaholab#265)
- strip out broken Arkime and NetBox links from dashboards for Kibana import (idaholab#286)
- have netbox-restore script restart necessary services or set necessary permissions (idaholab#287)
- file type validation not working for upload from (some?) windows browsers (idaholab#292)
- go through list of Qualys image scan results (idaholab#299)
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
Malcolm v23.10.0
Malcolm v23.10.0 is a feature release.
- Features and enhancements
- support both OpenSearch and Elasticsearch output (idaholab#258)
- "capture-only" Malcolm configuration (AKA "dockerized Hedgehog") (idaholab#254)
- don't run kiosk mode on Hedgehog first boot (idaholab#263)
- let Arkime check its own database to see if it needs to be upgraded
- allow specifying Arkime password hash secret for Viewer clusters
- documentation improvements
- minor updates to slide decks
- allow specifying ports for EtherNet/IP parser via environment variable
- Component version updates
- Bug fixes
- set "autorestart" to true for all started services (idaholab#267)
- changed toolchain for building Zeek and Zeek plugins to clang/libc++ to address some build issues with Spicy plugins using GCC
- ensure Arkime is started before creating OpenSearch artifacts
- ensure Arkime and OpenSearch artifacts are populated before starting LogStash
- don't log "0.0" temperatures from Fluent Bit thermal forwarders
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.