Malcolm v2.2.0 is a minor feature release.
- Zeek:
- Update Zeek to 3.0.8
- Include Spicy
- Added ability to disable certain zeek features/parsers using environment variables
- Added Wireguard parser
- Added a few Corelight plugins:
- Corelight's callstranger-detector plugin
- Corelight's ripple20 plugin
- Corelight's SIGred plugin
- Logstash:
- Added parsing for Zeek Wireguard (noise.log)
- Initial work towards mapping Zeek log fields to Elastic Common Schema (see issue #79)
- Disabled by default, can be enabled with
LOGSTASH_TO_ECS : 'true'inx-logstash-variablesindocker-compose.yml - not 100% complete. Good first effort, more will be done in the future
- Disabled by default, can be enabled with
- Some fixes to the JA3 signature mapping generation
- ISOs
- Updated Hedgehog and Malcolm ISOs to use 5.6 kernel
- Get virtualbox guest VM debs from unofficial backport rather than building for VM installs
- Documentation
- Documentation, scripts, Vagrantfiles and sample configurations for using Beats to forward host logs to Malcolm
idaholab/Malcolm@v2.1.1...v2.2.0
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on Github, but may be downloaded from https://malcolm.fyi/download/.