forked from cisagov/Malcolm
expand action/result meaning in DNP3 (and other?) dashboards #107
Labels:
- dashboards: Relating to Malcolm's OpenSearch Dashboards interface
- enhancement: New feature or request
- ics: Relating to ICS (Industrial Control Systems) devices
Comments
mmguero added the enhancement, ics, and dashboards labels on Jul 19, 2022
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Jul 26, 2022:
…ces in dashboards, and improve normalization for dnp3 objects

mmguero commented:
fixed for next release (at least for dnp3 and enip dashboards). will fix others as I find them.
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Jul 28, 2022:
…ces in dashboards, and improve normalization for dnp3 objects
This was referenced Aug 3, 2022 (Merged)
mmguero added a commit that referenced this issue on Aug 3, 2022:

merge v6.2.0 development into main

* Improvements
  - #109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
    + give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
    + Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
    + include headers needed to build Zeek af_packet plugin in Zeek docker container
    + updated README to describe methods for capturing local traffic with standalone Malcolm
    + same images will be used for `zeek` and `zeek-live` containers, as well as for `suricata` and `suricata-live` containers, respectively
    + use the same scripts `zeekdeploy.sh` to configure and run Zeek on both Hedgehog and in the Malcolm `zeek` docker images
    + prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
  - Speed up build time by getting official Debian suricata packages from backports rather than building from source
  - Added Suricata rule update cron jobs
  - Added documentation (in the form of comments) to all docker-compose file variables
* Bugs
  - Fix #107: expand action/result meaning in DNP3 (and other?) dashboards
  - Clean up some `Nul` values that could appear in Zeek logs
  - improve mapping of BACnet actions
  - Fix #108: export PCAP not working from Arkime sessions without "Arkime Sessions"
  - Fix #110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
    + prompt in `install.py --configure` whether or not to expose this port to external hosts
  - Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII characters
mmguero added a commit to cisagov/Malcolm that referenced this issue on Aug 3, 2022:

merge v6.2.0 into main

* Improvements
  - idaholab#109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
    + give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
    + Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
    + include headers needed to build Zeek af_packet plugin in Zeek docker container
    + updated README to describe methods for capturing local traffic with standalone Malcolm
    + same images will be used for `zeek` and `zeek-live` containers, as well as for `suricata` and `suricata-live` containers, respectively
    + use the same scripts `zeekdeploy.sh` to configure and run Zeek on both Hedgehog and in the Malcolm `zeek` docker images
    + prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
  - Speed up build time by getting official Debian suricata packages from backports rather than building from source
  - Added Suricata rule update cron jobs
  - Added documentation (in the form of comments) to all docker-compose file variables
* Bugs
  - Fix idaholab#107: expand action/result meaning in DNP3 (and other?) dashboards
  - Clean up some `Nul` values that could appear in Zeek logs
  - improve mapping of BACnet actions
  - Fix idaholab#108: export PCAP not working from Arkime sessions without "Arkime Sessions"
  - Fix idaholab#110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
    + prompt in `install.py --configure` whether or not to expose this port to external hosts
  - Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII characters
I've noticed that on the DNP3 dashboards I've got a pair of action/result tables near the top, but they only include the function/response codes from dnp3.log (not dnp3_control, dnp3_objects, etc.). I am already normalizing these fields (or I should be) to event.action and event.result, but I should expand the scope of these tables to include all of the actions/results from these protocols rather than making people scroll down the page further.
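To illustrate the normalization the issue describes, here is an added example (not Malcolm's own pipeline code): records from several Zeek DNP3 log types are mapped onto shared event.action / event.result fields and then counted across all of them, which is what a widened action/result table would display. The source field names for dnp3_control and dnp3_objects, and the sample records themselves, are assumptions constructed for the example.

```python
"""Normalize per-log-type DNP3 fields into event.action / event.result and
count them across all datasets (added example, not Malcolm's own code)."""
from collections import Counter

# Constructed sample records, one tuple of (log type, record) each; the
# field names for dnp3_control / dnp3_objects are assumed, not taken from Zeek.
SAMPLE_LOGS = [
    ("dnp3", {"uid": "C1", "fc_request": "READ", "fc_reply": "RESPONSE"}),
    ("dnp3", {"uid": "C2", "fc_request": "DIRECT_OPERATE", "fc_reply": "RESPONSE"}),
    ("dnp3_control", {"uid": "C2", "function_code": "DIRECT_OPERATE",
                      "operation_type": "PULSE_ON", "status_code": "SUCCESS"}),
    ("dnp3_objects", {"uid": "C2", "function_code": "DIRECT_OPERATE",
                      "object_type": "Control Relay Output Block"}),
    ("dnp3_control", {"uid": "C3", "function_code": "SELECT",
                      "operation_type": "LATCH_ON", "status_code": "NOT_AUTHORIZED"}),
]

# Which source field feeds event.action and event.result for each log type;
# None means the log type carries no result field (assumed mapping).
FIELD_MAP = {
    "dnp3": ("fc_request", "fc_reply"),
    "dnp3_control": ("function_code", "status_code"),
    "dnp3_objects": ("function_code", None),
}


def normalize(log_type, record):
    """Return a copy of record with event.dataset/event.action/event.result set
    where the source log type provides them; unknown log types pass through."""
    action_field, result_field = FIELD_MAP.get(log_type, (None, None))
    out = dict(record)
    out["event.dataset"] = log_type
    if action_field and record.get(action_field):
        out["event.action"] = record[action_field]
    if result_field and record.get(result_field):
        out["event.result"] = record[result_field]
    return out


def action_result_tables(logs):
    """Counts of event.action and event.result over every dataset, i.e. the
    contents of the two dashboard tables once their scope is widened."""
    actions, results = Counter(), Counter()
    for log_type, record in logs:
        normalized = normalize(log_type, record)
        if "event.action" in normalized:
            actions[normalized["event.action"]] += 1
        if "event.result" in normalized:
            results[normalized["event.result"]] += 1
    return actions, results
```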