github cisagov/Malcolm v6.0.0
Malcolm v6.0.0


Malcolm v6.0.0 is a major release which incorporates Suricata as a data source for network traffic analysis in Malcolm alongside Zeek and Arkime. A team at BYU (@piercema, @aglad-eng, @Jarscott1, @n8hacks) recently completed their work on Suricata integration for their capstone project. This release includes their changes as well as some additional work by Malcolm's developer in integrating Suricata in other ways not covered in the scope of their project. This release also includes other bug fixes and improvements.

v5.2.11...v6.0.0

The Malcolm project uses semantic versioning when choosing version numbers. This release required fairly extensive remapping of Zeek fields so that Zeek and Suricata follow the same naming conventions for common fields. This backwards-incompatible change is the reason for bumping the major version number from 5 to 6. Upgrading in place from a previous release is not recommended; a fresh install is strongly encouraged.

  • Features

    • Incorporate Suricata as a data source for network traffic analysis in both Malcolm and Hedgehog Linux
    • Added support for the GENISYS protocol
  • Improvements

    • Minor tweaks to the GitHub workflows for building the Malcolm installer ISO
    • Better fingerprinting of events during Logstash parsing, producing a unique but reproducible hash for each event so that duplicate data indexed into Malcolm resolves to the same document rather than a second copy
    • All data sources (Arkime, Zeek and Suricata) now specify the data source (stored in event.provider as arkime, zeek or suricata, respectively) and the log type (stored in event.dataset, e.g., session, conn, alert) in order to facilitate filtering among the various types of network metadata
    • The Malcolm REST API was improved to support POST operations for all of the calls which can accept a filter argument to allow for easier representation of filters as JSON objects
    • Reworked several dashboards, including the Overview, Security Overview, Zeek Notices and Signatures dashboards
    • Leave packages in place on the ISO-installed Malcolm and Hedgehog Linux environments in order to support mounting SMB shares from the Thunar GUI
  • Bug fixes

    • Fix idaholab#94: docker-compose | "function" has no attribute "get" (ubuntu 20.04 install)
    • Fix idaholab#96: DNP3 dashboard has invalid saved search syntax
    • Fix idaholab#97: virustotal file scanning broken (AttributeError: 'Namespace' object has no attribute 'vtotReqLimit')
    • Fix idaholab#98: BSAP RDB data parsed incorrectly
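
The reproducible event hash mentioned under Improvements is worth seeing in working form. The following is an added example written for this page, not Malcolm's own Logstash pipeline: it derives a document ID from the fields that identify a network-metadata event, ignores ingest-time fields such as @timestamp and host, and shows that re-indexing the same Zeek conn record twice yields one stored document while a genuinely different record yields a second one. The field names follow the event.provider / event.dataset convention from this release; which fields count as an event's identity, and the sample Zeek and Suricata records, are assumptions constructed for the example.

```python
"""Reproducible event fingerprints for duplicate-tolerant indexing.

Added example, not Malcolm's own Logstash pipeline: it models how a unique
but reproducible hash can be derived from the fields that identify a
network-metadata event, so that indexing the same data twice overwrites one
document instead of creating a second copy. Which fields identify an event
is an assumption made for this example.
"""
import hashlib
import json
from typing import Any, Dict, Iterable, List, Optional

Event = Dict[str, Any]

# Ingest-time fields that change on every run and must never feed the hash.
VOLATILE_FIELDS = {"@timestamp", "@version", "host", "agent", "tags"}

# Fields that identify a distinct event for known (provider, dataset) pairs.
# Assumption for illustration; the real pipeline may choose differently.
IDENTITY_FIELDS = {
    ("zeek", "conn"): ["ts", "uid", "id.orig_h", "id.orig_p",
                       "id.resp_h", "id.resp_p", "proto"],
    ("suricata", "alert"): ["timestamp", "flow_id", "src_ip", "src_port",
                            "dest_ip", "dest_port", "alert.signature_id"],
}


def get_field(event: Event, dotted: str) -> Any:
    """Return a field stored flat ("id.orig_h") or nested ({"id": {"orig_h": ...}})."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def fingerprint(event: Event) -> str:
    """SHA-256 over a canonical JSON encoding of the event's identifying fields."""
    provider = get_field(event, "event.provider")
    dataset = get_field(event, "event.dataset")
    fields = IDENTITY_FIELDS.get((provider, dataset))
    if fields is None:
        # Unknown log type: hash every non-volatile field in sorted order,
        # so key order on the wire does not change the result.
        fields = sorted(k for k in event if k not in VOLATILE_FIELDS)
    material = [provider, dataset] + [[f, get_field(event, f)] for f in fields]
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"),
                           default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def index_events(events: Iterable[Event],
                 index: Optional[Dict[str, Event]] = None) -> Dict[str, Event]:
    """Simulate indexing with document_id = fingerprint: a duplicate overwrites."""
    index = {} if index is None else index
    for event in events:
        index[fingerprint(event)] = event
    return index


# Constructed sample events for this example (not real captures).
CONN_A: Event = {
    "event.provider": "zeek", "event.dataset": "conn",
    "ts": 1650000000.123456, "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "192.0.2.10", "id.orig_p": 51234,
    "id.resp_h": "198.51.100.5", "id.resp_p": 443, "proto": "tcp",
    "@timestamp": "2022-04-15T06:00:00.000Z", "host": "malcolm-1",
}
# The same Zeek log line re-ingested later: different ingest fields and key order.
CONN_A_AGAIN: Event = {
    "@timestamp": "2022-04-16T09:30:00.000Z", "host": "malcolm-2",
    "proto": "tcp", "id.resp_p": 443, "id.resp_h": "198.51.100.5",
    "id.orig_p": 51234, "id.orig_h": "192.0.2.10",
    "uid": "CHhAvVGS1DHFjwGM9", "ts": 1650000000.123456,
    "event.dataset": "conn", "event.provider": "zeek",
}
# A different connection from the same host: must get its own document.
CONN_B: Event = {**CONN_A, "uid": "C4J4Th3XxSt4ngLsf", "id.orig_p": 51235}
ALERT: Event = {
    "event.provider": "suricata", "event.dataset": "alert",
    "timestamp": "2022-04-15T06:00:00.456789+0000", "flow_id": 1234567890,
    "src_ip": "192.0.2.10", "src_port": 51234,
    "dest_ip": "198.51.100.5", "dest_port": 443,
    "alert": {"signature_id": 2100498, "signature": "constructed test rule"},
    "@timestamp": "2022-04-15T06:00:01.000Z",
}
SAMPLE_EVENTS: List[Event] = [CONN_A, CONN_A_AGAIN, ALERT, CONN_B]

if __name__ == "__main__":
    stored = index_events(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(stored)} documents stored")
    for doc_id, event in stored.items():
        print(doc_id[:16], event["event.provider"], event["event.dataset"])
```

In a Logstash pipeline the same idea is expressed with the fingerprint filter writing a hash to a target field that the OpenSearch output then uses as its document_id; the block above is a stand-alone model of that behaviour so the dedup property can be checked without a running stack.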

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
