Releases: idaholab/Malcolm
Malcolm v5.2.6
Malcolm v5.2.6 is a patch release with improvements and bug fixes.
Bugs fixed
- Fixed Logstash failing to start #78
- Added tuning options to address Logstash out of memory errors #79
- Incorporated latest bugfixes in BACnet parser
- Fixed issue with mapping some field types being incorrect for BSAP and OSPF logs
Improvements
- Added http-more-files-names plugin to populate files.log filenames entries for HTTP requests
- Normalized bsap_ip_header.type_name to event.action
- Removed unnecessary Logstash field conversions for types already defined in the template
- Improved `logs` and `status` convenience scripts to allow filtering to a particular service
- Improved convenience script for working with GitHub workflows during Malcolm development
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.5
Malcolm v5.2.5 is a patch release with improvements and bug fixes.
Threat Intelligence
- #77 - automatically generate Zeek intelligence indicators from MISP
- perform autogeneration of Zeek intel files from TAXII/MISP feeds multithreaded
- allow filtering indicators from TAXII/MISP by date (e.g., "only include those created/modified in the last n days", etc.)
- added intelligence hits as a new severity ranked category
- highlight intel sources more clearly in dashboard
Hedgehog Linux (sensor appliance)
- added `sensormonitor` convenience function to monitor services, disk space and logs
Bug fixes
- Remove CIP fields no longer supplied by the ICSNPP EtherNet/IP parser and update dashboard accordingly
- #76 - directory creation race condition starting up zeek on sensor which may cause zeekctl to fail
- cisagov#189 - mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.4
Malcolm v5.2.4 is a patch release with improvements and bug fixes.
New features
- #74 (automatically generate Zeek intelligence indicators from STIX/TAXII)
Improvements
- group MAC addresses and OUI (vendors) into `related.mac` and `related.oui` for easier searching across all fields
- improvements to default anomaly detectors
Bug fixes
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.3
Malcolm v5.2.3 is a patch release with component version bumps, bug fixes and improvements.
Version bumps
Improvements
- Added script and better documentation for putting Malcolm in "read-only" mode
- Improved `Files` dashboard
Bug fixes
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.2
Malcolm v5.2.2 is a patch release with some improvements to the API and a fix for using Zeek intelligence files on Hedgehog Linux.
- Added more capabilities to the API
  - added `/document/` API
  - added `filter` ability to `/agg/` and `/document/` API
  - added more documentation and examples
- For Zeek intel. files, changed location from `/opt/zeek/share/zeek/site/intel` to `/opt/sensor/sensor_ctl/zeek/intel` so that they aren't lost on reboot
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.1
Malcolm v5.2.1 is a patch release identical to v5.2.0 with the addition of a fix (arkime/arkime@f13e936) for a regression bug introduced in Arkime v3.3.0 which prevented the Arkime viewer from correctly loading some large or XORed packets.
In addition, a minor change was made to the startup scripts for Hedgehog Linux's Zeek configuration to allow Zeek intelligence files to be automatically loaded the same way they are in Malcolm's Zeek container.
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.2.0
Malcolm v5.2.0 is a feature release with several new features and improvements, version bumps and bug fixes.
EDIT: As of this morning (1/21/2022) I'm tracking a regression in Arkime v3.3.0 with viewing the packet payload of some large sessions. It's likely a patch release will be put out later today to address this. Apologies.
New features
- Zeek Intelligence Framework (see #20)
  - To quote Zeek's Intelligence Framework documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.
  - Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included in your local instance. On startup, Malcolm's `malcolmnetsec/zeek` docker container enumerates the subdirectories under `./zeek/intel` (which is bind mounted into the container's runtime) and configures Zeek so that those intelligence files will be automatically included in its local policy. Subdirectories under `./zeek/intel` which contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be loaded automatically with a `redef Intel::read_files` directive.
- New OPCUA Binary protocol parser for Zeek and corresponding dashboard.
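As an added illustration of the intel directory layout described above (example code written for these notes, not Malcolm's own container startup script), the shell function below walks an intel root and emits the Zeek policy lines that layout implies: one `@load` for each subdirectory carrying its own `__load__.zeek`, and one `redef Intel::read_files` entry for each loose file in the other subdirectories. The `feed_a`/`feed_b` sample layout is constructed on the fly for the demo.

```shell
#!/bin/bash
# Added example, not Malcolm's own startup code: generate a Zeek policy file from
# an intel root laid out as the release notes describe. Subdirectories with their
# own __load__.zeek are @load-ed as-is; "loose" files in other subdirectories are
# registered through redef Intel::read_files.

# gen_intel_policy ROOT OUT: write the generated policy for ROOT into OUT.
gen_intel_policy() {
  local root="$1" out="$2" dir f
  : > "$out"
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue          # no subdirectories: glob stayed literal
    dir="${dir%/}"
    if [ -f "$dir/__load__.zeek" ]; then
      printf '@load %s\n' "$dir" >> "$out"
    else
      for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip nested directories and empty globs
        printf 'redef Intel::read_files += { "%s" };\n' "$f" >> "$out"
      done
    fi
  done
}

# make_sample_intel: constructed demo layout (a packaged feed, a loose feed and
# an empty directory); prints the root path so callers can feed it onward.
make_sample_intel() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/feed_a" "$root/feed_b" "$root/empty"
  printf '@load ./indicators.zeek\n' > "$root/feed_a/__load__.zeek"
  printf '# packaged indicators (constructed)\n' > "$root/feed_a/indicators.zeek"
  printf '#fields\tindicator\tindicator_type\tmeta.source\n' > "$root/feed_b/iocs.txt"
  printf 'example.invalid\tIntel::DOMAIN\tconstructed\n' >> "$root/feed_b/iocs.txt"
  printf '%s\n' "$root"
}

# count_policy_lines FILE: number of directives written (one per feed entry).
count_policy_lines() { wc -l < "$1" | tr -d ' '; }

root="$(make_sample_intel)"
policy="$(mktemp)"
gen_intel_policy "$root" "$policy"
cat "$policy"   # feed_a is @load-ed, feed_b/iocs.txt goes to Intel::read_files
```

The generated file is what a container's local policy would itself `@load`; the empty directory yields nothing, so an unpopulated bind mount produces an empty policy rather than a Zeek startup error.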
Improvements
- set `ecs.provider` to `arkime` for logs from Arkime's `capture` to make categorizing logs by source easier
- API
  - allow bucketing multiple fields from `/agg/` API
  - added `/fields/` API to list fields
  - added documentation
- ECS normalization to `related.hosts` field for all applicable protocols
- updated documentation, screenshots and slides
- spreadsheet mapping STIX v1.2 fields to Zeek fields and Malcolm normalized fields
- updated MITRE ATT&CK mappings for Capa hits
- added a pseudo-read-only NGINX configuration
Version bumps
- Arkime to v3.3.0
- OpenSearch to v1.2.4
- Capa to v3.1.0
- cve-2021-44228 Log4Shell detector plugin for Zeek to v0.5.3 (see corelight/cve-2021-44228#46)
Bug Fixes
- fix #71 (type mismatch for network.vlan.id between Malcolm and Arkime definitions) which prevented vlan traffic from indexing correctly from Arkime's `capture` with Malcolm's field template
- fix for EtherNet/IP traffic which could lead to Zeek runaway memory allocation until crash: "Fixed bug with Request Paths containing Port Segments" (cisagov/icsnpp-enip@4696a43)
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.1.0
Malcolm v5.1.0 is a feature release laying the groundwork for a new REST API for querying Malcolm. It also contains a few component version bumps.
- New features
  - put framework in for Malcolm REST API (#70) - not feature complete yet, but minimally usable
- Version bumps
  - OpenSearch to v1.2.3
  - LogStash Docker image to v7.16.2 with OpenSearch output plugin v1.2.0
  - Latest releases of Zeek packages
- Misc.
  - Reformatted all Python code with Black with the options `--line-length 120 --skip-string-normalization`
  - Updated some deprecated logstash filter parameters in `translate` filter
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.0.4
Malcolm v5.0.4 is a patch release with improvements to Zeek detection of CVE-2021-44228 ("Log4Shell" Log4J vulnerability).
- build with latest corelight/cve-2021-44228 release
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v5.0.3
Malcolm v5.0.3 is a patch release with a few minor bug fixes and improvements to Zeek detection of CVE-2021-44228 ("Log4Shell" Log4J vulnerability).
- build with latest zeek/spicy-ldap release (dpd-based detection rather than just port-based)
- build with latest corelight/cve-2021-44228 release
- fix #69 (zeek resists shutdown on sensor during halt/reboot)
- bump OpenSearch to v1.2.2 which has log4j 2.16
- added convenience script for working with GitHub workflow-built images
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.