A collection of scripts to simplify the install of Malcolm for incident response (IR). The goal of this project is to have an installation of Malcolm with most tools installed, not a small and minimal installation.
The scripts are only tested on Ubuntu 22.04 LTS and Debian 12.1. They should work on amd64 as well as on arm64 (Apple M1 and later). It is recommended to run the script in a virtual machine.
Start by cloning the repository and entering it. If you don't have git installed, start with sudo apt install -y git. It is recommended that you check out the repository in your home directory.
cd
git clone https://github.com/reuteras/malir.git
cd malir
Before the installation is finished you will have to log out once (to update group membership for Docker) and reboot the computer once (to apply updated settings). You have to rerun the install.sh script after logging out and again after rebooting. The install.sh script will tell you when to log out and when to reboot. To start the process, run the following command in the malir directory.
./install.sh
After the installation is finished you can optionally run the following command to install some additional tools. See the script for more information.
./tools.sh
Other scripts:
- clean.sh - Clean apt and run docker system prune
- download-test-pcaps.sh - Downloads some sample pcaps from Malware-Traffic-Analysis.net.
- update.sh - Updates Zeek feeds. Must restart Malcolm afterwards.
The install script sets the Malcolm username to admin and the password to password.
Start Malcolm:
cd ~/Malcolm
./scripts/start
To check whether Logstash is up and running, run the following command in a separate terminal.
cd ~/Malcolm; clear; ./scripts/logs | grep "Pipelines running"
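As an added example (not part of malir or Malcolm), the following bash helper turns the grep check above into something a wrapper script can wait on: it parses the Logstash "Pipelines running" line, which also lists any non-running pipelines, so a partially started Malcolm is reported as degraded rather than ready. It assumes the output of ./scripts/logs has been redirected to a file; the sample log lines are constructed, not real Malcolm output.

```shell
#!/usr/bin/env bash
# Added example, not part of malir or Malcolm. Logstash logs readiness as, e.g.:
#   [logstash.agent] Pipelines running {:count=>2, :running_pipelines=>[...], :non_running_pipelines=>[]}
# Assumption: ./scripts/logs has been redirected to a file, e.g.
#   cd ~/Malcolm && ./scripts/logs > /tmp/malcolm.log 2>&1 &

# pipelines_status LOGFILE
#   Prints "ready N" (N pipelines, none non-running), "degraded N" (some pipeline
#   listed as non-running) or "pending" (no "Pipelines running" line yet).
#   Exit code is 0 only when ready, so it can be used directly in conditions.
pipelines_status() {
    local line count non_running
    line=$(grep "Pipelines running" "$1" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        echo "pending"
        return 1
    fi
    count=$(printf '%s\n' "$line" | sed -n 's/.*:count=>\([0-9]*\).*/\1/p')
    non_running=$(printf '%s\n' "$line" | sed -n 's/.*:non_running_pipelines=>\[\([^]]*\)\].*/\1/p')
    if [ -n "$non_running" ]; then
        echo "degraded ${count:-0}"
        return 2
    fi
    echo "ready ${count:-0}"
    return 0
}

# wait_for_pipelines LOGFILE TIMEOUT_SECONDS
#   Polls pipelines_status once per second; returns 0 when ready, 1 on timeout.
wait_for_pipelines() {
    local logfile="$1" timeout="${2:-900}" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if pipelines_status "$logfile" >/dev/null; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Constructed sample log for offline use (pipeline names are placeholders).
MALIR_SAMPLE_LOG=$(mktemp)
cat > "$MALIR_SAMPLE_LOG" <<'EOF'
logstash | [INFO ][logstash.runner] Starting Logstash
logstash | [INFO ][logstash.agent] Pipelines running {:count=>1, :running_pipelines=>[:"pipeline-a"], :non_running_pipelines=>[:"pipeline-b"]}
logstash | [INFO ][logstash.agent] Pipelines running {:count=>2, :running_pipelines=>[:"pipeline-a", :"pipeline-b"], :non_running_pipelines=>[]}
EOF
```

Against the live instance, run wait_for_pipelines /tmp/malcolm.log 900 && echo "Logstash is ready" after redirecting ./scripts/logs to that file.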
Some useful Malcolm links on 127.0.0.1:
- Capture File and Log Archive Upload
- Arkime sessions
- Dashboards
- Extracted files
- User admin
- Host and Network Segment Name Mapping
To upload files via command line connect to sftp://USERNAME@localhost:8022/files/.
The easiest solution is to rerun install.sh and choose N when asked about building.
Containers are built with docker-compose-dev.yml as the argument to ~/Malcolm/scripts/build.py. The following scripts are run and can change files in Malcolm:
- ~/Malcolm/scripts/install.py
- ~/Malcolm/scripts/control.py
Changed files:
- ~/Malcolm/config/arkime-secret.env - Add password for MaxMind
- ~/Malcolm/zeek/intel/Zeek-Intelligence-Feeds/main.zeek - Add feeds from Critical Path Security
- ~/Malcolm/nginx/nginx.conf - Add nfa to the proxy
- ~/Malcolm/arkime/etc/config.ini - Modify settings for Arkime
- ~/Malcolm/arkime/etc/config-local.ini - Add this file
- Add support to tag TOR exit nodes.
- Try and see if nfa is useful.
- Add more right-click functionality to Arkime
- More plugins to Zeek?
- Look at the Malcolm api and the examples searching for user-agent and more.
- Read Ingesting Third-Party Logs and Forwarding Third-Party Logs to Malcolm
- Read more about freq and how it is used in Malcolm.
- Add support for Rita.
- cidr-map.txt - should always be set
- Look at malcolm_severity.yaml and if I should tune the values for my use cases.
- STIX and TAXII in Malcolm
- MISP feeds in Malcolm
- Look at alerting with event.dataset set to alerting
- Look at smtpIpHeaders in Arkime settings