Malcolm v6.2.0 is a feature release with a number of bug fixes and improvements. Of particular note is a major reworking of how a standalone instance of Malcolm (i.e., when not receiving traffic from a network sensor) analyzes "live" traffic. See the README for more information.
Note that the changes around idaholab#109 and idaholab#110 require changes to the files used by docker-compose. Please run ./scripts/auth_setup and ./scripts/install.py --configure to ensure the appropriate new environment variables are set.
-
Improvements
- idaholab#109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
- give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
- Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
- include headers needed to build Zeek af_packet plugin in Zeek docker container
- updated README to describe methods for capturing local traffic with standalone Malcolm
- same images will be used for
zeekandzeek-livecontainers, as well as forsuricataandsuricata-livecontainers, respectively - use the same scripts
zeekdeploy.shto configure and run Zeek on both Hedgehog and in the Malcolmzeekdocker images - prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
- Speed up build time by getting official Debian suricata packages from backports rather than building from source
- Added Suricata rule update cron jobs
- Added documentation (in the form of comments) to all docker-compose file variables
- idaholab#109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
-
Bugs
- Fix idaholab#107: expand action/result meaning in DNP3 (and other?) dashboards
- Clean up some
Nulvalues that could appear in Zeek logs - improve mapping of BACnet actions
- Clean up some
- Fix idaholab#108: export PCAP not working from Arkime sessions without "Arkime Sessions"
- Fix idaholab#110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
- prompt in
install.py --configurewhether or not to expose this port to external hosts
- prompt in
- Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII charactters
- Fix idaholab#107: expand action/result meaning in DNP3 (and other?) dashboards
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.