#malcolm — Public Fediverse posts

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

https://github.com/idaholab/Malcolm/compare/v25.12.0...v25.12.1

• ✨ Features and enhancements
  • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
• ✅ Component version updates
  • supercronic to v0.2.40
  • Alpine (Docker base image) to v3.23
  • NetBox to v4.4.8
  • urllib3 to v2.6.0 (CVE-2025-66471, 8.9 High, GHSA-2xpw-w6gg-jr37)
• 🐛 Bug fixes
  • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
  • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
  • self-signed certificates not accepted by Chrome (#833)
  • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
• 🧹 Code and project maintenance
  • Added new Analytics section to documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

https://github.com/idaholab/Malcolm/compare/v25.09.0...v25.11.0

• ✨ Features and enhancements
  • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
  • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connetions between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
  • Updates to the Validated Design Architecture Review (VADR) dashboards.
  • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
• ✅ Component version updates
  • Arkime to v5.8.2
  • Fluent Bit to v4.1.1
  • Keycloak to v26.4.2
  • OpenResty to v1.27.1.2
  • OpenSearch Dashboards to v3.3.0
  • OpenSearch to v3.3.2
  • supercronic to v0.2.38
  • yq to v4.48.1
  • Zeek to v8.0.3
• 🐛 Bug fixes
  • Double imports when restarting Malcolm (#588) (thanks @KchChr)
• 🧹 Code and project maintenance
  • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
  • Malcolm
    • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

https://github.com/idaholab/Malcolm/compare/v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (cisagov/Malcolm#762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (cisagov/Malcolm#725)
  • allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)
  • allow customizing maximum upload file size (cisagov/Malcolm#769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (cisagov/Malcolm#703)
  • integrate Validated Architecture Design Review (VADR) dashboards (cisagov/Malcolm#780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (cisagov/Malcolm#758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (cisagov/Malcolm#764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (cisagov/Malcolm#774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (cisagov/Malcolm#779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (cisagov/Malcolm#761)
  • Failed shard query error on Overview dashboard (cisagov/Malcolm#754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (cisagov/Malcolm#717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (cisagov/Malcolm#769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Add IANA service name and description enrichment to Zeek's known_services.log (#705)
  • Improve the speed of pruning files (#710)
  • allow multiple instance of Suricata in PCAP processing mode via UNIX socket (#707)
  • expose Arkime WISE tagging features to the user (#377)
  • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (#702)
  • handle new OPCUA Binary summary logs (#709)
  • incorporate new ANSI C12.22 parser and add corresponding dashboard (#708)
  • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
  • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
• ✅ Component version updates
  • Fluent Bit to v4.0.5
  • Arkime v5.7.1
  • Supercronic v0.2.34
  • OpenSearch and OpenSearch Dashboards v3.1.0
  • Keycloak v26.2.5
  • yq v4.47.1
  • NetBox v4.3.4
    • NetBox Initializers plugin v4.3.0
    • NetBox Topology Views plugin v4.3.0
  • Zeek v7.2.2
  • Spicy v1.13.2
  • urllib3 Python Library to v2.5.0 (addresses CVE-2025-50181)
  • ICSNPP Zeek network analyzer updates
    • BACnet parser fixes for previously unsupported services (see cisagov/icsnpp-bacnet#50 and cisagov/icsnpp-bacnet#51)
    • Ethernet/IP various fixes (cisagov/icsnpp-enip#34 (partial); cisagov/icsnpp-enip#35; cisagov/icsnpp-enip#36; cisagov/icsnpp-enip#37; cisagov/icsnpp-enip#38)
    • GENISYS minor updates (cisagov/icsnpp-genisys#25)
    • OPCUA Binary summary logs (cisagov/icsnpp-opcua-binary#102)
    • S7comm fixes for ACK message processing (cisagov/icsnpp-s7comm#19; cisagov/icsnpp-s7comm#20)
• 🐛 Bug fixes
  • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (#712)
  • packet capture statistics dashboard not working in Kibana (#704)
  • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (#713)
  • log fingerprinting needs to be examined to avoid unintentional collisions (#715)
  • install.py issues in Rocky Linux, Almalinux (#385)
  • OpenSearch container health check issue when OpenSearch is disabled (#716)
  • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (#701)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.06.0 includes a some new and oft-requested features, bug fixes, and component version bumps.

Compare v25.05.0 to v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

• ✨ Features and enhancements
  • This release adds role-based access control (RBAC) to Malcolm (cisagov/Malcolm#460).
    • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in to layers:
      1. Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm (see release notes for details)
      2. For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement roles based on request URIs in its NGINX proxy layer.
    • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
    • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
    • See the role-based access control documentation for more information on this feature.
  • Malcolm's embedded KeyCloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
  • Allow user to specify subnet filters for NetBox autopopulation (cisagov/Malcolm#634)
    • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
  • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov/Malcolm#692)
  • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov/Malcolm#502)
    • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov/Malcolm#695.
  • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab/Malcolm#630)
  • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
  • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
  • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
  • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
  • NGINX now generates a robots.txt file to avoid web crawlers
• ✅ Component version updates
  • Alpine base Docker image to v3.22.0
  • Arkime to v5.7.0
  • capa to v9.2.1
  • flask-cors Python library to v6.0.0 to address CVE-2024-6839, CVE-2024-6844, and CVE-2024-6866
  • OpenSearch and OpenSearch Dashboards to v3.0.0
    • What To Expect
    • Announcing OpenSearch 3.0
    • Performance Improvements
  • opensearch-py Python library to v3.0.0
  • osd_transform_vis Dashboards visualization library to v3.0.0
  • requests Python library to v2.32.4 to address CVE-2024-47081
  • YARA to v4.5.3
  • Zeek to v7.2.1
• 🐛 Bug fixes
  • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov/Malcolm#699)
  • documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov/Malcolm#694)
  • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
  • Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
• 🧹 Code and project maintenance
  • Tweaked some code comments and documentation to bring the cisagov and idaholab repos into harmony.
  • Documentation improvements
  • Removed some unused files and outdated comments

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #rbac #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.04.1 contains new features and improvements, component version updates, bug fixes, and other great stuff.

For these notes, I'm lumping v25.04.0 and v25.04.1 together, as v25.04.1 was released only two days after v25.04.0 in order to update Arkime to v5.6.4 which mitigates newly-discovered remote code execution (RCE) vulnerabilities.

https://github.com/idaholab/Malcolm/compare/v25.03.1...v25.04.1

• ✨ Features and enhancements

  • add option to use external NetBox instance (cisagov/Malcolm#597)
  • add -q/--quiet option for start/restart (cisagov/Malcolm#656)
  • handle non-HTTPS arkime case (cisagov/Malcolm#629)

  • lots of improvements to control.py and install.py for Kubernetes deployment

    • improved start/stop/wipe control script behavior
    • allow providing resource requests in manifests via YML file and command-line argument

    ...
    Kubernetes:
      -n, --namespace <string>
                            Kubernetes namespace
      --skip-persistent-volume-checks [SKIPPERVOLCHECKS]
                            Skip checks for PersistentVolumes/PersistentVolumeClaims in manifests (only for "start" operation with Kubernetes)
      --no-capture-pods [NOCAPTUREPODSSTART]
                            Do not deploy pods for traffic live capture/analysis (only for "start" operation with Kubernetes)
      --no-capabilities [NOCAPABILITIES]
                            Do not specify modifications to container capabilities (only for "start" operation with Kubernetes)
      --inject-resources [INJECTRESOURCES]
                            Inject container resources from kubernetes-container-resources.yml (only for "start" operation with Kubernetes)
      --image-source <string>
                            Source for container images (e.g., "ghcr.io/idaholab/malcolm"; only for "start" operation with Kubernetes)
      --image-tag <string>  Tag for container images (e.g., "25.04.0"; only for "start" operation with Kubernetes)
      --delete-namespace [DELETENAMESPACE]
                            Delete Kubernetes namespace (only for "wipe" operation with Kubernetes)
    ...
    

  • improvements to Malcolm's vanilla Kubernetes manifests

    • lowered the amount of storage for the persistent volumes in the AWS EFS example
    • replaced name label with app label for deployments in accordance with best practices

  • improve links on landing page for NetBox and auth to accurately reflect what Malcolm is using

  • added more smarts to the NGINX startup script to dynamically set up upstreams that may or may not exist based on enabled or disabled Malcolm features

  • fixed a minor issue in the script setting up Zeek intelligence updates where it would remove its own lockfile

• ✅ Component version updates

  • Alpine Linux v3.21
  • Arkime v5.6.4 to resolve RCE vulnerabilities, as described below in the #announcements channel on the Arkime slack: * possible to bypass forced expressions for some API calls * direct access to OpenSearch/Elasticsearch could be used to create session documents that hang viewer or have viewer execute code * since Arkime 5.1.0 any arkimeUser user could create OpenSearch/Elasticsearch documents in any index that viewer had access to
  • Keycloak v26.2
  • NetBox v4.2.8
  • netbox-initializers v4.2.0
  • netbox-topology v4.2.1
  • Fluent Bit to v4.0.1

• 🐛 Bug fixes

  • API tokens created in NetBox still require authentication through NGINX reverse proxy (cisagov/Malcolm#383)
  • adjust Logstash health check so K8s liveness probe doesn't kill it (cisagov/Malcolm#630)
  • be more resilient in zeekctl status checks in zeekdeploy.sh (cisagov/Malcolm#652)
  • in deployments with multiple zeek-live containers, each container's restarting causes the others to restart zeek (cisagov/Malcolm#651)

• 🧹 Code and project maintenance

  • document customizing Malcolm with an additional output pipeline (cisagov/Malcolm#643)
  • overhaul "deploying Malcolm on AWS" documentation (cisagov/Malcolm#655)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

This has been a busy month for Malcolm! I pushed hard to get v25.03.0 out earlier this month, as it contained pretty much just the Keycloak integration one of our partners (and major funding sources) was waiting for. Rather than wait until April for the other stuff that would have gone into the regular end-of-the-month release, I decided to pull those items into this smaller release just a week and a half after the last one.

Malcolm v25.03.1 contains a few enhancements, bug fixes, and several component version updates, including one that addresses a CVE that may affect Hedgehog Linux Kiosk mode and Malcolm's API container.

NOTE: If you have not already upgraded to v25.03.0, read the notes for v25.02.0 and v25.03.0 and follow the Read Before Upgrading instructions on those releases.

Changes in this release

• ✨ Features and enhancements
  • Incorporate new S7comm device identification log, s7comm_known_devices.log (#622)
  • Display current PCAP, Zeek, and Suricata capture results in Hedgehog Linux Kiosk mode (#566)
  • Keycloak authentication: configurable group or role membership restrictions for login (#633) (see Requiring user groups and realm roles)
  • Mark newly-discovered and uninventoried devices in logs during NetBox enrichment (#573)
  • Added "Apply recommended system tweaks automatically without asking for confirmation?" question to install.py to allow the user to accept changes to sysctl.conf, grub kernel parameters, etc., without having to answer "yes" to each one.
• ✅ Component version updates
  • Arkime to v5.6.2
  • evtx to v0.9.0
  • Fluent Bit to v3.2.10
  • gunicorn to v23.0.0 to address CVE-2024-6827, "Gunicorn HTTP Request/Response Smuggling vulnerability"
  • Zeek to v7.1.1
• 🐛 Bug fixes
  • Fix install.py error when answering yes to "Pull Malcolm images?" with podman (#604)
  • Order of user-provided tags from PCAP upload interface not preserved (#624)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • added NGINX_REQUIRE_GROUP and NGINX_REQUIRE_ROLE to auth-common.env to support Requiring user groups and realm roles for Keycloak authentication
• 🧹 Code and project maintenance
  • Ensure Malcolm's NetBox configuration Python scripts are baked into the image in addition to bind-mounting them in docker-compose.yml at runtime.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #SSO #OIDC #Keycloak #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.03.0 adds 🔐 authentication via Keycloak and all that entails: single sign-on (SSO), identity providers, federation of LDAP/Kerberos servers, and more! Malcolm can connect to an existing Keycloak server or it can use its own embedded Keycloak instance. This release also includes a few component version updates.

Please read the release notes from this release and from v25.02.0 for some things to check prior to updating.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️. Check out the Quick Start guide for examples on how to get up and running.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #SSO #OIDC #Keycloak #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.02.0 contains some major performance improvements, a few smaller new features and enhancements, several component version updates, bug fixes, and documentation updates. See the release notes for more details.

• ✨ Features and enhancements
  • performance improvements (4x faster) for NetBox enrichment (#547) and autopopulation
  • performance improvements (18x faster) for Suricata's processing of uploaded PCAP files (#457)
  • include corelight/zeek-long-connections plugin to log long connections (#585)
  • significant work-in-progress towards support for Sigma rules via OpenSearch Security Analytics (still incomplete due to some blocking issues upstream, see #475 for details)
• ✅ Component version updates
  • Arkime to v5.6.1
  • capa to v9.0.0
  • OpenSearch and OpenSearch Dashboards to v2.19.0

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.01.0 contains quite a few UI/UX improvements; new parsers; a bevy of component version updates including to Arkime, Zeek, NetBox; and several bug fixes.

• ✨ Features and enhancements
  • integrate Omron FINS parser and added corresponding dashboard (cisagov/Malcolm#554)
  • integrate PostgreSQL parser (added in Zeek v7.1.0) and added corresponding dashboard (cisagov/Malcolm#553)
  • normalize Winlogbeat with Fluent Bit's winlog/winevtlog event and evtx event schemas (cisagov/Malcolm#356)
    • Winlogbeat seems to parse more fields from Windows events than Fluent Bit's winevtlog or winlog do, so users forwarding Windows event logs to Malcolm using Fluent Bit may want to evaluate Winlogbeat as an alternative.
  • support syslog ingestion over UDP and/or TCP (cisagov/Malcolm#354)
  • clicking field values in Dashboards tables will now pivot to Arkime or NetBox (cisagov/Malcolm#551)
  • add navigation pane to all non-network dashboards (cisagov/Malcolm#543)
• ✅ Component version updates
  • Arkime to v5.6.0
  • beats to v8.17.0
  • elasticsearch-dsl Python library to v8.17.1
  • Jinja Python library to v3.1.5 (security fix release)
  • Logstash to v8.17.0
  • NetBox to v4.1.11
  • osd_transform_vis (Dashboards visualization library) to v2.18.0
  • yq to v4.45.1
  • Zeek to v7.1.0 (cisagov/Malcolm#553)
• 🐛 Bug fixes
  • Extracted File Downloads interface not working with some filenames (cisagov/Malcolm#524)
  • user-defined custom field formats for index patterns are overwritten (cisagov/Malcolm#542)
  • port numbers should not be shown with commas in Dashboards (cisagov/Malcolm#540)
  • pivoting between Arkime and Dashboards doesn't work when Malcolm is behind a reverse proxy (e.g., traefik) (cisagov/Malcolm#552)
  • opensearch.keystore not created when running in Hedgehog run profile (cisagov/Malcolm#533)
  • ensure all conn.log entries are tagged ics for OT protocols (cisagov/Malcolm#541)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v24.12.0 contains several improvements to the Malcolm configuration script, the Malcolm user interface, and the Malcolm API, as well as component version updates and bug fixes. This release also corresponds with the release of malcolm-test, a Malcolm system testing framework.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for network security monitoring.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker, Podman, and Kubernetes. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼. More videos are coming soon.

https://github.com/cisagov/Malcolm/compare/v24.11.0...v24.12.0

• ✨ Features and enhancements
  • Creation of a Malcolm system testing framework (#486)
  • Added a number of Zeek packages to detect various CVEs
  • Improvements to the Indices, Ready, and Document Ingest Statistics APIs
  • Use new arkime tag-hiding feature to hide netbox tag from UI (#495)
  • Provide configuration script options for pulling from threat intel feeds (#532)
  • Prompt during configuration whether to enable capture statistics (#504)
  • Add additional EVTX fields to index template (#525) and minor improvements to normalization
  • Add simple readiness indicator to upload page (#528)
  • Add option to upload page to disable NetBox enrichment for the currently-uploaded batch of PCAPs
  • Expose more of the Logstash API passthrough to the Malcolm API
• ✅ Component version updates
  • Arkime to v5.5.1
  • capa to v8.0.1
  • elasticearch-dsl Python library to v8.17.0
  • elasticsearch Python library to v8.17.0
  • Fluent Bit to v3.2.2
  • NetBox to v4.1.8 (major update from the v4.0.x series, see #496)
  • opensearch-py Python library to v2.8.0
  • yq to v4.44.6
  • Zeek to v7.0.5 (security and bugfix release)
• 🐛 Bug fixes
  • Zeek DNS records don't open correctly in Arkime sessions (#509)
  • Mandiant threat intel source doesn't get split correctly when using JSON zeek log format (#494)
  • Set indices.query.bool.max_clause_count to 8192 to reflect maximum number of fields
  • Increase Java stack size (-Xss) for Logstash from 1536k to 2048k
  • Minor fixes for parsing Zeek intel.log (some fields not named correctly with Zeek JSON-formatted logs)
  • Fixes to some Zeek dns.log parsing conflicts between ECS's DNS fields and what the Arkime schema is expecting
  • Fixed setting the Signature event severity tags
• 🧹 Code and project maintenance
  • Replaced hard-coded Malcolm version number in documentation markdown files with variable-based replacer populated during generation
  • Documentation and screenshot updates

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v24.11.0 contains a new threat intelligence feed integration, a few new API calls, other minor improvements, bug fixes, and component version updates.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for network security monitoring.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker, Podman, and Kubernetes. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

v24.10.1...v24.11.0

• ✨ Features and enhancements
  • Added dashboard-export to the list of Malcolm APIs (cisagov/Malcolm#401)
  • Added ingest-stats to the list of Malcolm APIs (cisagov/Malcolm#488)
  • Added support for pulling from the Mandiant Threat Intelligence service to feed the Zeek intelligence framework as used by Malcolm's and Hedgehog Linux's Zeek processes. The integration uses the google/mandiant-ti-client library for Python. (cisagov/Malcolm#358)
  • Improved normalization of Zeek's intel.log to the ECS's threat fields
  • Improved the Zeek Intel dashboard
  • Improved the health/liveness probe for the Logstash container
  • Changed behavior of Malcolm's non-live Zeek container (responsible for processing uploaded PCAPs) so that it becomes available to process data even before an intelligence feed pull is finished
  • Implemented paging for extracted files download dialog (cisagov/Malcolm#361)
  • Implemented support for sending Zeek logs to Kafka using the SeisoLLC/zeek-kafka plugin (cisagov/Malcolm#357)
  • Added the NetBox HealthCheck plugin as a default NetBox plugin
  • Updated the Malcolm services readiness status API to use the new LogStash health report API and the NetBox HealthCheck plugin as the basis for reporting the state of LogStash and NetBox, respectively.
  • Added parsing for the new OPCUA-Binary write subscription service log
• ✅ Component version updates
  • Arkime to v5.5.0
  • Beats to v8.16.0
  • elasticsearch Python library to v8.16.0
  • elasticsearch-dsl Python library to v8.16.0
  • evtx to v0.8.4
  • LogStash to v8.16.0
  • OpenSearch and OpenSearch Dashboard to v2.18.0
  • watchdog Python library to v6.0.0
  • werkzeug Python library to v3.0.6 to address CVE-2024-49767 and CVE-2024-49766
• 🐛 Bug fixes
  • Fixed an issue with the ./scripts/configure script not prompting to regenerate the internal NetBox passwords when it should have
  • Fixed errors when running malcolm_appliance_packager.sh on macOS (cisagov/Malcolm#492, thanks @robrui)
• 🧹 Code and project maintenance
  • All open issues and the project board have been migrated from the Idaho National Lab fork to the upstream CISA fork. The repos will continue to be kept in sync going forward. (cisagov/Malcolm#350)

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm had two smaller releases in October rather than one larger one at the end of the month, so I've taken the liberty of combining the highlights of both releases here for your reading pleasure. As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v24.10.1 contains minor improvements, a few component version updates, a fix for a few regression bugs, and a fair amount of code cleanup.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for network security monitoring.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker, Podman, and Kubernetes. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

v24.09.0...v24.10.1

• ✨ Features and enhancements
  • Update AWS AMI build scripts and demo setup scripts to use Amazon Linux 2023 instead of Amazon Linux 2 (#591)
  • Add support for websocket.log (#593)
  • Add a "readiness" API that can be used to determine if various Malcolm services are ready (#598)
  • Enable Zeek's parsing of HTTP server and client header names as zeek.http.client_header_names and zeek.http.server_header_names
  • Some documentation improvements
  • Build improvement: fall back to alternative Zeek .deb download URL (#585)
  • Build improvement: limit threads for spicy build processes during Zeek package installation (#571)
• ✅ Component version updates
  • beats to v8.15.3
  • capa to v7.4.0
  • elasticsearch-dsl Python library to v8.15.4
  • Fluent Bit to v3.1.9
  • Logstash to v8.15.3
  • OpenSearch and OpenSearch Dashboards to v2.17.1
  • osd_transform_vis Dashboards visualization to v2.17.1
  • Spicy to v1.11.3
  • supercronic to v0.2.33
  • watchdog Python library to v5.0.3
  • Zeek to v7.0.3
• 🐛 Bug fixes
  • Fix OpenSearch anomaly detection default detectors not being created (regression, #596)
  • Fix broken dashboards regression from v24.09.0 (regression, #588)
  • Fix Zeek-extracted files not getting saved to correct location for live Zeek capture (#590)
  • Fix for building Hedgehog Linux for Raspberry Pi 4 on an M2 MacBook
• ⚙️ Configuration changes in environment variables
  • Malcolm
    • ZEEK_JA4SSH_PACKET_COUNT (with a default of 200) has been added to ./config/zeek.env, which can be used to set logging interval number of packets for ja4ssh.log (#508)
  • Hedgehog Linux
    • ZEEK_JA4SSH_PACKET_COUNT has been added to control_vars.conf for the same purpose as described above
• 🧹 Code and project maintenance
  • Examine distro hardening, fix and update documentation as needed for Malcolm and Hedgehog Linux ISO-installed environments (#328)
  • Refactoring and code cleanup in the Logstash Zeek pipeline (#592)
  • Logstash container initialization code now automatically ensures that the Zeek TSV log parsing filters (dissect and split filters) in these files are looking for TAB characters (i.e., automatically replace spaces with tabs in these filter files in case the author forgot to do so) (#592)
  • Did some code cleanup in the ./shared/bin directory, mostly moving things that were specific to either the Malcolm or Hedgehog Installer ISO environments out of shared and into their respective locations for the ISO installer build.
  • When doing the aquasecurity/trivy-action action, use TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db to try to fall back to an alternative official location for the vulnerability database if the first one fails. Also, pin this action to the v0.28.0 release rather than setting it to master.
  • As it's used pretty ubiquitously in shared scripts by many of the Malcolm containers, the jq utility is now installed across the board during the container image build.
  • Added a script to gather GitHub API metrics for Malcolm downloads (#594)
  • Bumped maximum field limit in OpenSearch templates from 5000 to 6000

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

"I've got a fever, and the only prescription is more Malcolm!" 🐄🔔

I'm pleased to announce the v24.09.0 release of Malcolm, a powerful network traffic analysis tool suite for network security monitoring. Malcolm v24.09.0 contains new features and enhancements, component version updates, and bug fixes.

• Features and enhancements
  • Added Podman support (idaholab/Malcolm#407)
  • Add option to go backwards in Malcolm's dialog-based install.py installation and configuration script (idaholab/Malcolm#487) (🤯 Earth-shattering news, I know)
  • Automatically create empty index on startup to avoid "no data" message spamming by Dashboards (idaholab/Malcolm#527 and idaholab/Malcolm#567)
  • Integrate HART-IP parser (idaholab/Malcolm#561)
  • Allow users to use the Arkime Lua plugin without having to create new bind volume mounts manually (idaholab/Malcolm#533)
  • Allow splitting out indexes by other field values (idaholab/Malcolm#450)
  • Allow total index size-based pruning for opensearch-remote and elasticsearch-remote database modes (idaholab/Malcolm#446)
  • Include netbox-topology-views plugin by default (idaholab/Malcolm#553)
  • When building Docker images and the Hedgehog Linux ISO, allow specifying alternate download URL for MaxMind GeoIP database files (idaholab/Malcolm#565)
  • Update EtherNet/IP and CIP to account for new packet correlation ID (idaholab/Malcolm#558)
  • Improvements to documentation and install.py for Linux performance tweaks (idaholab/Malcolm#495)
  • Update Network Traffic Analysis with Malcolm slides
• Component updates for OpenSearch and OpenSearch Dashboards, YARA, Zeek, and many more!
• Bug fixes
  • Filtering on hunt ID in Arkime not working (idaholab/Malcolm#554)
  • Hedgehog with OOB/VPN connection sets ARKIME_NODE_HOST incorrectly (idaholab/Malcolm#560 and idaholab/Malcolm#559)
  • Offline suricata Docker container does not initialize suricata.yml config file (idaholab/Malcolm#564)

Check out the release notes for more details and downloads.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

We're pleased to announce the v24.07.0 release of Malcolm, the open-source network traffic analysis tool suite!

We've been hard at work this work developing and reviewing some Malcolm training materials (which should be available Soon™) so this release isn't quite as substantial as some others have been, but there's are still several bug fixes and improvements that made their way into this release, as well as component version updates, so check it out!

While you're here, we have a few other links to share, as we try to better define and streamline how the community interfaces with the project:

• Of course, the documentation is a good place to start. TL;DR: RTFM (Read The Fine Manual).
• The Malcolm Discussions board has just been opened up! Discussions is your go-to destination for announcements, Malcolm Q&A, help, troubleshooting, and general Malcolm dialogue.
• If you've got an idea for a feature or enhancement or if you've found a bug, visit the Malcolm Issue Tracker.
• The Malcolm Project Board is where you can see what we're working on and what's slated for the next release or two.
• We're on YouTube! We're working to develop targeted Malcolm training videos on a variety of topics. In addition to the original channel, we're in the process of getting our videos hosted on CISA's YouTube channel as well, so you'll see our videos in both places for the forseeable future.
• If your organization needs to reach out for a more program-focused discussion, you can email us.

And, finally, the first-ever Malcolm user conference, Mal.Con '24 is fast approaching! Mal.Con will be held September 4, 2024 in-person in Arlington, VA with the option for virtual attendance as well. See here for information and register here.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

I'm on cloud nine since the v24.06.0 release of Malcolm, bringing you (who could have imagined?!?) new features, improvements, component version updates, and a few bug fixes. Please see the release notes, particularly if you've been using NetBox, as an update to that tool brings some backwards-compatibility-breaking changes (sorry 😢).

• Features and enhancements
  • Support for multiple NetBox sites (issue #449)
    • Malcolm now supports enrichment from a NetBox inventory for asset interaction analysis across multiple sites. The NetBox site can be specified for uploaded PCAP, for a Hedgehog Linux sensor, and for Malcolm live capture.
  • JA4+ replaces the JA3 TLS fingerprinting standard from 2017 (see also this blog post) (issue #419)
  • Support uploading Windows Event Log evtx files (issue #465) and update associated dashboard
  • Document using GitHub runners to build Malcolm images (for contributors' guide, issue #491)
  • Generate new forwarder SSL keys on-the-fly when transferring between Malcolm and Hedgehog Linux (issue #492)
  • Incorporate ATT&CK-based Control-system Indicator Detection for Zeek (ACID) (issue #489), a collection of Operational Techonology (OT) protocol indicators developed to alert on specific ATT&CK for ICS behaviors
  • Add platform architecture and machine boot time to Malcolm version API
  • Add links to the navigation pane of most dashboards to "other" dashboards for non-network log data (e.g., resource monitoring, Windows Event logs, etc.)
• Component version updates
  • NetBox to v4.0.6 (from v3.6.7, issue #385)
  • OpenSearch and OpenSearch Dashboards to v2.15.0
  • and lots more...
• Bug fixes
  • Arkime viewer not rolling PCAPs (issue #484)
  • Free up space in GitHub runner environment building ISO images to avoid build errors due to exhausted disk space

New to Malcolm? Grab some popcorn and watch these overview videos to give you an idea of what it's about. See the quick start guide to learn how to install Malcolm, or check out these tutorial videos for installing using Docker or from the official ISO installer images for Malcolm and Hedgehog Linux, which can be downloaded from Malcolm's releases page on GitHub.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov #ja4

Here's some information about Mal.Con '24, the upcoming first-ever #Malcolm user community conference, hosted by DHS CISA!

Mal.Con '24

We're excited to announce Mal.Con '24, a conference dedicated to technical discussions, capability demonstrations, and road-mapping future development and training activities for Malcolm!

Details

• When: 9/4/2024
• Where: Arlington, VA
• Wear: Casual attire

Sneak Peak

Here is a small sample of some of the presentations we have lined up:

• How to use NetBox to inventory your ICS network and how are we making asset description easier for owner/operators
• CISA & MITRE's new open-source package ACID: advanced detections & behavioral analysis for OT protocols
• CISA & INL's new open-source protocol parser toolkit, Parsnip: overview & deep-dive demonstration
• ICS Capture-the-Flag running 8/30-9/4 with live awards presentation at Mal.Con '24

Help Us Out

A few asks:

• Please take a moment to fill out this registration survey if you plan to attend either in person or remotely.
• Pass this around to others who may be interested!

Stay Tuned

Thank you for your support with this event! We're planning to post updates for the event on GitHub and we will send direct email reminders as we get closer to Mal.Con '24.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov

We're over the moon to announce the release of v24.05.0 of Malcolm, which contains (you guessed it) new features, improvements, bug fixes, and component version updates. Here are some of this release's highlights; see the release notes for more details.

See this playlist of overview videos for an introduction to Malcolm and its main components.

• Features and enhancements
  • ARM64/AArch64 support - Malcolm can now run natively on ARM64 hardware. This support was tested on an Apple M2 Max MacBook Pro with Docker Desktop and on AWS using an t4g.2xlarge EC2 instance. As this is a completely new CPU architecture for Malcolm, please let us know if you run into any issues running Malcolm on ARM64.
  • Capture performance tuning - We've added environment variables to give more control over tuning capture performance for Zeek, Suricata, and Arkime in Malcolm and Hedgehog Linux.
  • Custom tags - Custom tags can now be specified at the point of log file ingestion on Malcolm and Hedgehog Linux. This makes it easier to to group and search network traffic by sensor.
• Component version updates
  • Arkime to v5.2.0
  • OpenSearch and OpenSearch Dashboards to v2.14.0
  • Suricata to v7.0.5
  • Zeek to v6.2.1
  • ... and more
• Bug fixes

Malcolm and Hedgehog Linux can be deployed via containers using Docker or Kubernetes on systems using those technologies, or installed using the official ISO installer images which can can be downloaded from Malcolm's releases page on GitHub.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov #Kubernetes #Docker #raspberrypi #arm64

The v24.04.0 release of Malcolm contains new features, improvements, bug fixes and component version updates.

See this playlist of overview videos for an introduction to Malcolm and its main components.

• Features and enhancements
  • Zeek-extracted files scanned and preserved on a Hedgehog Linux sensor can now be accessed via the extracted files download user interface (#331).
  • Improvements to creation of index templates, dashboards, and other saved objects on startup (#208) to ensure that saved objects get created correctly upon upgrade (see this comment for more details on this feature).
  • Populating the NetBox inventory via passively-gathered network traffic metadata now uses network traffic logs for DNS, NTLM, and DHCP to identify assets' host names when possible for use when populating device and VM names (#415). Autopopulated devices now have their status field set to Active rather than Staged, and uses tags instead to indicated that they were created through autopopulation.
  • Users can now specify pruning thresholds for carved files so that old files are deleted in order to avoid filling available storage (#453). See a new section of documentation on Managing disk usage for more information about this and similar settings.
  • Users can now specify a prefix that will be prepended to dashboards as they are imported into OpenSearch Dashboards or Kibana, allowing users who have dashboards from other sources to differentiate between those and Malcolm's (#455).
  • The default anomaly detectors created for the OpenSearch Anomaly Detection plugin are now created with category fields for high cardinality to allow for better breakdown of contributing values to anomalies discovered (#464).
  • Include JA4+ plugin in Arkime. See #419 for status on upcoming full JA4+ support in Malcolm.
  • Hedgehog Linux sensors can now periodically refresh their Zeek inteligence files.
  • Assorted documentation improvements.
• Component version updates
  • Arkime to v5.1.2
  • Beats to v8.13.2
  • elasticsearch-dsl to v8.13.0
  • elasticsearch-py to v8.13.0
  • Fluent Bit to v3.0.3
  • gunicorn to v22.0.0 to address CVE-2024-1135.
  • idna to v3.7 to address CVE-2024-3651
  • Logstash to v8.13.2
  • OpenSearch and OpenSearch Dashboards to v2.13.0
• Bug fixes
  • The documentation for Windows host system configuration was out of date and has been updated for the latest version of Microsoft Windows Subsystem for Linux (#421).
  • An issue was fixed in which Malcolm's list of users and their password hashes could become corrupted if the file did not initially end with a newline character (#426).
  • The manner in which Zeek intel files are generated has been changed to avoid problems found in Kubernetes deployments when scaling out the number of zeek-live containers (#456). See this comment for more details.
  • Removed the version top-level element from docker-compose.yml files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
  • Fix Malcolm ISO not correctly detecting if it's in a live boot ISO environment or installed mode.
  • Restart live Zeek instances with zeekctl deploy instead of zeekctl restart.

Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov #Kubernetes #Docker #raspberrypi