cisagov/Malcolm release: Malcolm v5.2.0


Malcolm v5.2.0 is a feature release with several new features and improvements, version bumps and bug fixes.

EDIT: As of this morning (1/21/2022) I'm tracking a regression in Arkime v3.3.0 with viewing the packet payload of some large sessions. It's likely a patch release will be put out later today to address this. Apologies.

v5.1.0...v5.2.0

  • New features
    • Zeek Intelligence Framework (see idaholab#20)
      • To quote Zeek's Intelligence Framework documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.
      • Malcolm doesn't come bundled with intelligence files from any particular feed, but they can easily be included in your local instance. On startup, Malcolm's malcolmnetsec/zeek docker container enumerates the subdirectories under ./zeek/intel (which is bind-mounted into the container's runtime) and configures Zeek so that those intelligence files are automatically included in its local policy. Subdirectories under ./zeek/intel which contain their own __load__.zeek file will be @load-ed as-is, while subdirectories containing "loose" intelligence files will be loaded automatically with a redef Intel::read_files directive.
    • New OPCUA Binary protocol parser for Zeek and corresponding dashboard.
  • Improvements
    • set ecs.provider to arkime for logs from Arkime's capture to make categorizing logs by source easier
    • API
      • allow bucketing multiple fields from /agg/ API
      • added /fields/ API to list fields
      • added documentation
    • ECS normalization to related.hosts field for all applicable protocols
    • updated documentation, screenshots and slides
    • spreadsheet mapping STIX v1.2 fields to Zeek fields and Malcolm normalized fields
    • updated MITRE ATT&CK mappings for Capa hits
    • added a pseudo-read-only NGINX configuration
  • Version bumps
  • Bug Fixes
    • fix idaholab#71 (type mismatch for network.vlan.id between Malcolm and Arkime definitions) which prevented VLAN traffic from Arkime's capture from indexing correctly with Malcolm's field template
    • fix for EtherNet/IP traffic that could cause runaway memory allocation in Zeek until it crashed: "Fixed bug with Request Paths containing Port Segments" (cisagov/icsnpp-enip@4696a43)
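As an added example (not code from Malcolm or Zeek themselves), a small Python model of the ./zeek/intel handling described under "Zeek Intelligence Framework" above: it validates a Zeek intel file (tab-separated rows under a #fields header, indicator types from Zeek's Intel::Type enum) before it is handed to Zeek, and emits the @load / redef Intel::read_files directives for a set of subdirectories. The in-container base path /intel, the subdirectory and file names, and the sample feed are constructed assumptions.

```python
import ipaddress
# Indicator types defined by Zeek's Intelligence Framework (enum Intel::Type).
INTEL_TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
               "Intel::FILE_HASH", "Intel::FILE_NAME"}

def parse_intel_file(text):
    """Parse a Zeek intel file (tab-separated, '#fields' header) into dicts; raise ValueError on a bad row."""
    fields, records = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            for req in ("indicator", "indicator_type", "meta.source"):
                if req not in fields:
                    raise ValueError(f"line {lineno}: missing required field {req}")
            continue
        if not raw.strip() or raw.startswith("#"):
            continue  # blank lines and other comment lines
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #fields header")
        cols = raw.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rec = dict(zip(fields, cols))
        if rec["indicator_type"] not in INTEL_TYPES:
            raise ValueError(f"line {lineno}: unknown indicator_type {rec['indicator_type']}")
        if rec["indicator_type"] == "Intel::ADDR":
            ipaddress.ip_address(rec["indicator"])  # ValueError if not an IP address
        records.append(rec)
    return records

def zeek_intel_directives(intel_dirs, base="/intel"):
    """Model Malcolm's startup rule for ./zeek/intel: a subdirectory with its own __load__.zeek
    is @load-ed as-is, otherwise its loose files are added to Intel::read_files.  intel_dirs maps
    subdir name -> file names (in-memory stand-in for the bind mount); base is an assumed path."""
    loads, reads = [], []
    for subdir, files in sorted(intel_dirs.items()):
        if "__load__.zeek" in files:
            loads.append(f"@load {base}/{subdir}")
        else:
            reads += [f"{base}/{subdir}/{f}" for f in sorted(files)]
    if reads:
        loads += ["redef Intel::read_files += {"] + [f'    "{p}",' for p in reads] + ["};"]
    return loads
# Constructed sample feed: a TEST-NET address, a reserved example domain and a file name.
SAMPLE_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url",
    "192.0.2.10\tIntel::ADDR\tconstructed-feed\ttest-net address\thttps://example.com/ioc/1",
    "bad.example.net\tIntel::DOMAIN\tconstructed-feed\treserved test domain\t-",
    "evil.exe\tIntel::FILE_NAME\tconstructed-feed\tsample file name\t-"])
```

Running parse_intel_file over each loose file before startup turns a malformed feed (wrong column count, unknown type, non-IP under Intel::ADDR) into an explicit error instead of a silent partial load.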

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
