Malcolm v5.2.10

Malcolm v5.2.10 is a minor release updating some of Malcolm's core components.

v5.2.9...v5.2.10

• Version bumps

  • Arkime to v3.4.2
  • OpenSearch to v1.3.0
  • OpenSearch dashboards to v1.3.0

• Bug fixes

  • #205
  • ensure timestamp fields are explicitly defined as date type in index template

• Improvements

  • restore zeek.cip_io.io_data field so that it may be reviewed in Dashboards Discover view and Arkime
  • added malcolmmonitor convenience bash function into Malcolm ISO-installed environment
  • pointed several zeek plugins' installation source back upstream now that my PRs have been accepted

• Cleanup

  • removed references related to internally-developed INL tool MALASS which is no longer under development and was never released publicly

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.9

Malcolm v5.2.9 is a release to fix a regression introduced in v5.2.9 (see idaholab#84), affecting the Malcolm REST API and generation of intelligence files for Zeek. If you don't use those features, you may choose to skip this release. My apologies for putting this out so close to the last release.

v5.2.8...v5.2.9

• Bug fixes
  • Fix idaholab#84 ("upstream incompatibility between python regex library 2022.3.15 and dateparser breaks API")

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.8

Malcolm v5.2.8 is a release to patch a major security vulnerability in OpenSSL.

v5.2.7...v5.2.8

• Version bumps

  • Arkime to v3.4.1
  • Spicy to v1.4.0
  • Update all docker images' system packages to get latest security updates, including updating OpenSSL to fix CVE-2022-0778
    • CVE-2022-0778 can already be detected in network traffic by Malcolm by 0xxon/cve-2020-0601

• Minor improvements

  • Include gvfs-backends package in ISO-installed environments to allow mounting SMB shares in the Thunar GUI

• Bug fixes

  • Fix an issue with "read-only mode" combined with "no SSL mode" (very unlikely to have affected anybody)
  • Tweak Logstash pipeline size to make it a little more conservative to avoid Logstash restarts due to running out of heap resources

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.7

Malcolm v5.2.7 is a patch release with improvements and bug fixes.

v5.2.6...v5.2.7

• Bugs fixed

  • fixed instances where spicy_ will sometimes be prepended to network.protocol fields (e.g., spicy_wireguard is now fixed to just be wireguard)

• Improvements

  • base GitHub workflow files' docker build step on moby/buildkit:master
  • added API webhook that can be used as an Alerting destionation for alerts to be indexed back into the OpenSearch database as session records
  • added example Alerting monitor and destination using API webhook
  • added ability to run Malcolm's nginx-proxy container in non-HTTPs mode (not recommended unless running behind a third-party reverse proxy like Traefik or Caddy, in which case it is very useful)
  • removed performance-analyzer plugin from OpenSearch container to free up resources
  • improvements to documentation for Anomaly Detection and Alerting
  • added example scripts and Vagrantfile for easily configuring and running Malcolm in a read-only or demo mode on Amazon Linux 2 (useful for AWS)

• Version bumps

  • Arkime to v3.4.0
  • Yara to v4.2.0
  • Capa to v3.2.0

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.6

Malcolm v5.2.6 is a patch release with improvements and bug fixes.

v5.2.5...v5.2.6

• Bugs fixed

  • Fixed Logstash failing to start idaholab#78
  • Added tuning options to address Logstash out of memory errors idaholab#79
  • Incorporated latest bugfixes in BACnet parser
  • Fixed issue with mapping some field types being incorrect for BSAP and OSPF logs

• Improvements

  • Added http-more-files-names plugin to populate files.log filenames entries for HTTP requests
  • Normalized bsap_ip_header.type_name to event.action
  • Removed unnecessary Logstash field conversions for types already defined in the template
  • Improved logs and status convenience scripts to allow filtering to a particular service
  • Improved convenience script for working with GitHub workflows during Malcolm development

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.5

Malcolm v5.2.5 is a patch release with improvements and bug fixes.

v5.2.4...v5.2.5

• Threat Intelligence

  • idaholab#77 - automatically generate Zeek intelligence indicators from MISP
  • perform autogeneration of Zeek intel files from TAXII/MISP feeds multithreaded
  • allow filtering indicators from TAXII/MISP by date (e.g., "only include those created/modified in the last n days", etc.)
  • added intelligence hits as a new severity ranked category
  • highlight intel sources more clearly in dashboard

• Hedgehog Linux (sensor appliance)

  • added sensormonitor convenience function to monitor services, disk space and logs

• Bug fixes

  • Remove CIP fields no longer supplied by the ICSNPP EtherNet/IP parser and update dashboard accordingly
  • idaholab#76 - directory creation race condition starting up zeek on sensor which may cause zeekctl to fail
  • #189 - mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.4

Malcolm v5.2.4 is a patch release with improvements and bug fixes.

v5.2.3...v5.2.4

• New features

  • idaholab#74 (automatically generate Zeek intelligence indicators from STIX/TAXII)

• Improvements

  • group MAC addresses and OUI (vendors) into related.mac and related.oui for easier searching across all fields
  • improvements to default anomaly detectors

• Bug fixes

  • Fix idaholab#75 (OpenSearch Dashboards loads slowly without network connectivity)
  • Fix idaholab#76 (directory creation race condition starting up zeek on sensor which may cause zeekctl to fail)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.3

Malcolm v5.2.3 is a patch release with component version bumps, bug fixes and improvements.

v5.2.2...v5.2.3

• Version bumps

  • Arkime v3.3.1
  • Zeek v4.2.0

• Improvements

  • Added script and better documentation for putting Malcolm in "read-only" mode
  • Improved Files dashboard

• Bug fixes

  • Fixed an issue where Logstash wasn't parsing the ftime from files.log correctly (a field added by the Spicy ZIP analyzer)
  • Fixed idaholab#73 (path for tcpdump changed) for Hedgehog Linux
  • Fixed idaholab#72 (better file directory/name parsing and normalization in Logstash)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.2

Malcolm v5.2.2 is a patch release with some improvements to the API and a fix for using Zeek intelligence files on Hedgehog Linux.

v5.2.1...v5.2.2

• Added more capabilities to the API
  • added /document/ API
  • added filter ability to /agg/ and /document/ API
  • added more documentation and examples
• For Zeek intel. files, changed location from /opt/zeek/share/zeek/site/intel to /opt/sensor/sensor_ctl/zeek/intel so that they aren't lost on reboot

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.1

Malcolm v5.2.1 is patch release identical to v5.2.0 with the addition of a fix (arkime/arkime@f13e936) for a regression bug introduced in Arkime v3.3.0 which prevented the Arkime viewer from correctly loading some large or XORed packets.

In addition, a minor change was made to the startup scripts for Hedgehog Linux's Zeek configuration to allow Zeek intelligence files to be automatically loaded the same way they are in Malcolm's Zeek container.

v5.2.0...v5.2.1

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.