Malcolm v5.2.6

Malcolm v5.2.6 is a patch release with improvements and bug fixes.

v5.2.5...v5.2.6

• Bugs fixed

  • Fixed Logstash failing to start #78
  • Added tuning options to address Logstash out of memory errors #79
  • Incorporated latest bugfixes in BACnet parser
  • Fixed issue with mapping some field types being incorrect for BSAP and OSPF logs

• Improvements

  • Added http-more-files-names plugin to populate files.log filenames entries for HTTP requests
  • Normalized bsap_ip_header.type_name to event.action
  • Removed unnecessary Logstash field conversions for types already defined in the template
  • Improved logs and status convenience scripts to allow filtering to a particular service
  • Improved convenience script for working with GitHub workflows during Malcolm development

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.5

Malcolm v5.2.5 is a patch release with improvements and bug fixes.

v5.2.4...v5.2.5

• Threat Intelligence

  • #77 - automatically generate Zeek intelligence indicators from MISP
  • perform autogeneration of Zeek intel files from TAXII/MISP feeds multithreaded
  • allow filtering indicators from TAXII/MISP by date (e.g., "only include those created/modified in the last n days", etc.)
  • added intelligence hits as a new severity ranked category
  • highlight intel sources more clearly in dashboard

• Hedgehog Linux (sensor appliance)

  • added sensormonitor convenience function to monitor services, disk space and logs

• Bug fixes

  • Remove CIP fields no longer supplied by the ICSNPP EtherNet/IP parser and update dashboard accordingly
  • #76 - directory creation race condition starting up zeek on sensor which may cause zeekctl to fail
  • cisagov#189 - mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.4

Malcolm v5.2.4 is a patch release with improvements and bug fixes.

v5.2.3...v5.2.4

• New features

  • #74 (automatically generate Zeek intelligence indicators from STIX/TAXII)

• Improvements

  • group MAC addresses and OUI (vendors) into related.mac and related.oui for easier searching across all fields
  • improvements to default anomaly detectors

• Bug fixes

  • Fix #75 (OpenSearch Dashboards loads slowly without network connectivity)
  • Fix #76 (directory creation race condition starting up zeek on sensor which may cause zeekctl to fail)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.3

Malcolm v5.2.3 is a patch release with component version bumps, bug fixes and improvements.

v5.2.2...v5.2.3

• Version bumps

  • Arkime v3.3.1
  • Zeek v4.2.0

• Improvements

  • Added script and better documentation for putting Malcolm in "read-only" mode
  • Improved Files dashboard

• Bug fixes

  • Fixed an issue where Logstash wasn't parsing the ftime from files.log correctly (a field added by the Spicy ZIP analyzer)
  • Fixed #73 (path for tcpdump changed) for Hedgehog Linux
  • Fixed #72 (better file directory/name parsing and normalization in Logstash)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.2

Malcolm v5.2.2 is a patch release with some improvements to the API and a fix for using Zeek intelligence files on Hedgehog Linux.

v5.2.1...v5.2.2

• Added more capabilities to the API
  • added /document/ API
  • added filter ability to /agg/ and /document/ API
  • added more documentation and examples
• For Zeek intel. files, changed location from /opt/zeek/share/zeek/site/intel to /opt/sensor/sensor_ctl/zeek/intel so that they aren't lost on reboot

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.1

Malcolm v5.2.1 is patch release identical to v5.2.0 with the addition of a fix (arkime/arkime@f13e936) for a regression bug introduced in Arkime v3.3.0 which prevented the Arkime viewer from correctly loading some large or XORed packets.

In addition, a minor change was made to the startup scripts for Hedgehog Linux's Zeek configuration to allow Zeek intelligence files to be automatically loaded the same way they are in Malcolm's Zeek container.

v5.2.0...v5.2.1

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.2.0

Malcolm v5.2.0 is a feature release with a several new features and improvements, version bumps and bug fixes.

EDIT: As of this morning (1/21/2022) I'm tracking a regression in Arkime v3.3.0 with viewing the packet payload of some large sessions. It's likely a patch release will be put out later today to address this. Apologies.

v5.1.0...v5.2.0

• New features

  • Zeek Intelligence Framework (see #20)
    • To quote Zeek's Intelligence Framework documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.
    • Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included into your local instance. On startup, Malcolm's malcolmnetsec/zeek docker container enumerates the subdirectories under ./zeek/intel (which is bind mounted into the container's runtime) and configures Zeek so that those intelligence files will be automatically included in its local policy. Subdirectories under ./zeek/intel which contain their own __load__.zeek file will be @load-ed as-is, while subdirectories containing "loose" intelligence files will be loaded automatically with a redef Intel::read_files directive.
  • New OPCUA Binary protocol parser for Zeek and corresponding dashboard.

• Improvements

  • set ecs.provider to arkime for logs from Arkime's capture to make categorizing logs by source easier
  • API
    • allow bucketing multiple fields from /agg/ API
    • added /fields/ API to list fields
      added documentation
  • ECS normalization to related.hosts field for all applicable protocols
  • updated documentation, screenshots and slides
  • spreadsheet mapping STIX v1.2 fields to Zeek fields and Malcolm normalized fields
  • updated MITRE ATT&CK mappings for Capa hits
  • added a pseudo-read-only NGINX configuration

• Version bumps

  • Arkime to v3.3.0
  • OpenSearch to v1.2.4
  • Capa to v3.1.0
  • cve-2021-44228 Log4Shell detector plugin for Zeek to v0.5.3 (see corelight/cve-2021-44228#46)

• Bug Fixes

  • fix #71 (type mismatch for network.vlan.id between Malcolm and Arkime definitions) which prevented vlan traffic from indexing correctly from Arkime's capture with Malcolm's field template
  • fix for ethernet/IP traffic which could lead to Zeek runaway memory allocation until crash: "Fixed bug with Request Paths containing Port Segments" (cisagov/icsnpp-enip@4696a43)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.1.0

Malcolm v5.1.0 is a feature release laying the groundwork for a new REST API for querying Malcolm. It also contains a few component version bumps.

v5.0.4...v5.1.0

• New features
  • put framework in for Malcolm REST API (#70) - not feature complete yet, but minimally usable
• Version bumps
  • OpenSearch to v1.2.3
  • LogStash Docker image to v7.16.2 with OpenSearch output plugin v1.2.0
  • Latest releases of Zeek packages
• Misc.
  • Reformatted all Python code with Black with the options --line-length 120 --skip-string-normalization
  • Updated some deprecated logstash filter parameters in translate filter

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.0.4

Malcolm v5.0.4 is a patch release with improvements to Zeek detection of CVE-2021-44228 ("Log4Shell" Log4J vulnerability).

v5.0.3...v5.0.4

• build with latest corelight/cve-2021-44228 release

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Malcolm v5.0.3

Malcolm v5.0.3 is a patch release with a few minor bug fixes and improvements to Zeek detection of CVE-2021-44228 ("Log4Shell" Log4J vulnerability).

v5.0.2...v5.0.3

• build with latest zeek/spicy-ldap release (dpd-based detection rather than just port-based)
• build with latest corelight/cve-2021-44228 release
• fix #69 (zeek resists shutdown on sensor during halt/reboot)
• bump OpenSearch to v1.2.2 which has log4j 2.16
• added convenience script for working with GitHub workflow-built images

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.