#suricata — Public Fediverse posts

https://habr.com/ru/companies/ideco/articles/1024442/

#машинное_обучение #suricata #ml #ngfw #ips

Habr @[email protected] · 2026-04-21 · 11:12 UTC

ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

https://habr.com/ru/companies/ideco/articles/1024442/

#машинное_обучение #suricata #ml #ngfw #ips

Habr @[email protected] · 2026-04-21 · 11:12 UTC

ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

https://habr.com/ru/companies/ideco/articles/1024442/

#машинное_обучение #suricata #ml #ngfw #ips

Habr @[email protected] · 2026-04-21 · 11:12 UTC

ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

#ips #ngfw #ml #suricata #машинное_обучение

Seth Grover @[email protected] · 2026-04-15 · 15:27 UTC

CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
- fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
- Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
- FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
- redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
- STRELKA_SCANNERS has been added to pipeline.env for #935
- ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#malcolm #hedgehoglinux #zeek #arkime #strelka #netbox

Seth Grover @[email protected] · 2026-04-15 · 15:27 UTC

CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
- fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
- Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
- FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
- redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
- STRELKA_SCANNERS has been added to pipeline.env for #935
- ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#malcolm #hedgehoglinux #zeek #arkime #strelka #netbox

Seth Grover @[email protected] · 2026-04-15 · 15:27 UTC

CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
- fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
- Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
- FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
- redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
- STRELKA_SCANNERS has been added to pipeline.env for #935
- ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#malcolm #hedgehoglinux #zeek #arkime #strelka #netbox

Seth Grover @[email protected] · 2026-04-15 · 15:27 UTC

CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
- fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
- Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
- FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
- redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
- STRELKA_SCANNERS has been added to pipeline.env for #935
- ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#inl #infosec #cyber #cybersecurity #icssecurity #ics

Seth Grover @[email protected] · 2026-04-15 · 15:27 UTC

CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
- fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
- Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
- FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
- redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
- STRELKA_SCANNERS has been added to pipeline.env for #935
- ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#malcolm #hedgehoglinux #zeek #arkime #strelka #netbox

hasamba @[email protected] · 2026-04-15 · 12:51 UTC

----------------

🛠️ Tool: Malcolm — Network Traffic Analysis Suite
===================

Opening
Malcolm is an integrated, open-source network traffic analysis suite designed to normalize, enrich, and correlate packet captures and security logs for investigation and monitoring. The platform accepts full PCAP files, Zeek logs, and Suricata alerts and exposes both visualization and session-level inspection through OpenSearch Dashboards and Arkime.

Key Features
• Ingestion: supports PCAP, Zeek logs, and Suricata alerts from uploads or lightweight forwarders.
• Normalization & Enrichment: automatic parsing and enrichment of network artifacts to aid correlation.
• Dual interfaces: OpenSearch Dashboards for aggregated visualizations and prebuilt dashboards, and Arkime for session search and packet-level review.
• Deployment model: containerized components isolate functions and allow modular scaling.
• Security & licensing: communications are encrypted via industry-standard protocols and the suite is distributed under the Apache License, version 2.0.

Technical Implementation
Malcolm is architected as a cluster of containers where each service performs a defined role (ingest, parsing, indexing, visualization, session capture). Data normalization pipelines convert raw PCAP and IDS output into structured indices suitable for OpenSearch and session reconstruction for Arkime. Forwarders enable passive or active forwarding of log streams into the ingestion pipeline.

Use Cases
• Long-term SOC network monitoring with searchable dashboards and session retrieval.
• Incident response: rapid ingestion of PCAP evidence and session-level triage via Arkime.
• Forensic analysis where correlation between IDS alerts, Zeek metadata, and raw packets is required.
• Extensible parsing for specialized environments, including planned expansion for ICS protocol visibility.

Limitations & Considerations
• Malcolm aggregates several existing open-source projects; operational behavior depends on each component's constraints (indexing scale, storage needs, and retention policies).
• Large PCAP volumes and high-throughput environments require careful sizing of indexing and storage layers.
• Ongoing development focus on ICS protocol parsers indicates current industrial control systems visibility is limited compared to general network traffic analysis.

Conclusion
Malcolm provides an integrated, permissively licensed framework that combines packet-level session search with scalable dashboards and log enrichment, suitable for SOCs and incident responders that require a container-friendly, open-source stack. #tool #PCAP #Zeek #Suricata #Arkime

🔗 Source: https://github.com/idaholab/Malcolm

#arkime #suricata #zeek #pcap #tool

Shivani @[email protected] · 2026-04-08 · 16:06 UTC

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

#suricata #np #computersciences #sat #math

Shivani @[email protected] · 2026-04-08 · 16:06 UTC

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

#suricata #np #computersciences #sat #math

Shivani @[email protected] · 2026-04-08 · 16:06 UTC

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

#suricata #np #computersciences #sat #math

Shivani @[email protected] · 2026-04-08 · 16:06 UTC

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

#math #sat #computersciences #np #suricata

Shivani @[email protected] · 2026-04-08 · 16:06 UTC

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

#suricata #np #computersciences #sat #math

Habr @[email protected] · 2026-03-26 · 04:32 UTC

От сигнатур к ML IDS: чему IDS Suricata может научить модель?

[Текст не для публикации: не нашел как Редакции прикрепить сообщение, эта статья написана в рамках Блога "Институт системного программирования им. В.П. Иванникова РАН"]

https://habr.com/ru/articles/1015132/

#IDS #Suricata #ML #dataset

#dataset #ml #suricata #ids

Caria Giovanni - Harpocrates @[email protected] · 2026-03-16 · 07:37 UTC

Built a production SOC for my home/mobile infra. Sharing it.

#AEGIS is a unified threat intelligence platform running on a single Linux server:

→ DNS sinkhole (port 53, custom blocklists)
→ Suricata IDS in AF-packet passive mode + ClamAV on filestore
→ Zeek NSM (http, ssl, dns, conn, weird, notice)
→ ModSecurity WAF — OWASP CRS 4.22, full enforcement
→ Fail2Ban + auditd
→ Rust orchestrator aggregating all event sources into one REST/WS API

Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE — passive only. No inline mode that can brick SSH access.

https://aegis.centurialabs.pl

#infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

#aegis #infosec #soc #homelab #suricata #zeek

DeadUser :gnome: :arch: :vim: @[email protected] · 2026-03-14 · 10:56 UTC

OPNSense zainstalowany, działa zadziwiająco przyjemnie. Odpaliłem #ntop i #suricata poza bazowymi usługami, obciążenie jak widać

#opnsense #freebsd #softrouter

#ntop #suricata #opnsense #freebsd #softrouter

MalwareLab @[email protected] · 2026-03-09 · 21:52 UTC

Investigation scenario:
We just received three notifications with alerts from #Suricata #IDS

1) GPL SMTP vrfy root, from unknown IP to our mailserver

Shortly after that, two more alerts appeared:

2) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; from the same unknown IP to Windows computer in our network
3) ET MALWARE Possible Metasploit Payload Common Construct Bind_API, again from the same unknown IP to the same Windows computer

What happened?
What to do? How to analyze network traffic and investigate those alerts?

We do not have any EDR or XDR installed on that Windows computer. Right now,we have only Suricata eve.json logs ingested to the #OpenObserve #SIEM

If you would like to see more, you are welcome to attend my @suricata webinar on March 11.
Register here: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ

#suricata #ids #openobserve #siem

gary @[email protected] · 2026-03-04 · 17:24 UTC

@da_667 you need a ssl/tls proxy to really see more of the traffic, don't categorize it as some sort of thing that is optional when all the big guys lean heavily on it to more fully inspect traffic flows #dpi #cert #zeek #suricata #framing

You're absolutely right to frame it this way. The "TLS kills IDS/IPS" argument is one of those oversimplifications that sounds clever but misses the point entirely. Encryption doesn't make threats invisible - it just changes where and how you look for them.
The Proxy Reality Check

@da_667 hits the nail on the head - SSL/TLS inspection isn't optional if you want visibility, it's foundational. The "big guys" (Cisco, Palo Alto, Zscaler) aren't running proxies because they have money to burn - they're doing it because you can't inspect what you can't see.

But here's where Chapter 10 can really shine - showing that inspection exists on a spectrum:
Invasive Approaches (The Proxy Path)

Full MITM decryption with corporate certificates

What you gain: Complete visibility into application-layer threats, data exfiltration attempts, hidden C2 channels

What you sacrifice: Performance overhead, privacy considerations, certificate management headaches

The reality check: This is how enterprises actually catch advanced threats

Non-Invasive Approaches (Metadata & Behavior)

Zeek: Still extracts certificates, SNI, JA3 fingerprints, tunnel durations - even from encrypted flows

Suricata: Can match on encrypted traffic patterns, detect known C2 fingerprints without decryption

Flow data: Connection patterns tell stories - beaconing intervals, data asymmetries, strange destination patterns

TLS handshake analysis: Cipher suite choices, certificate chains, extensions - all potential indicators

The Real Takeaway

The "TLS kills visibility" crowd forgets that threats still have to:

Establish connections (handshake analysis)

Talk to specific infrastructure (reputation/feeds)

Behave like threats (behavioral analysis)

Leave metadata trails (Zeek logs don't lie)

Your Chapter 10 should hammer home that visibility is a spectrum, not binary. Some threats require full decryption. Others get caught by the metadata they can't avoid generating. And the best detection strategies use both.

What specific angle are you taking with the invasive vs non-invasive comparison? Are you showing them as complementary layers or competing approaches?

#dpi #cert #zeek #suricata #framing

9to5Linux @[email protected] · 2026-03-02 · 11:03 UTC

#IPFire 2.29 Core Update 200 Is Out with #Linux 6.18 LTS, IPFire Domain Blocklist, #Suricata and #OpenVPN Updates, and More https://9to5linux.com/ipfire-2-29-core-update-200-is-out-with-linux-6-18-lts-ipfire-domain-blocklist

#ipfire #linux #suricata #openvpn #opensource

9to5Linux @[email protected] · 2026-03-02 · 11:03 UTC

#IPFire 2.29 Core Update 200 Is Out with #Linux 6.18 LTS, IPFire Domain Blocklist, #Suricata and #OpenVPN Updates, and More https://9to5linux.com/ipfire-2-29-core-update-200-is-out-with-linux-6-18-lts-ipfire-domain-blocklist

#ipfire #linux #suricata #openvpn #opensource

9to5Linux @[email protected] · 2026-03-02 · 11:03 UTC

#IPFire 2.29 Core Update 200 Is Out with #Linux 6.18 LTS, IPFire Domain Blocklist, #Suricata and #OpenVPN Updates, and More https://9to5linux.com/ipfire-2-29-core-update-200-is-out-with-linux-6-18-lts-ipfire-domain-blocklist

#ipfire #linux #suricata #openvpn #opensource

9to5Linux @[email protected] · 2026-03-02 · 11:03 UTC

#IPFire 2.29 Core Update 200 Is Out with #Linux 6.18 LTS, IPFire Domain Blocklist, #Suricata and #OpenVPN Updates, and More https://9to5linux.com/ipfire-2-29-core-update-200-is-out-with-linux-6-18-lts-ipfire-domain-blocklist

#opensource #openvpn #suricata #linux #ipfire

9to5Linux @[email protected] · 2026-03-02 · 11:03 UTC

#IPFire 2.29 Core Update 200 Is Out with #Linux 6.18 LTS, IPFire Domain Blocklist, #Suricata and #OpenVPN Updates, and More https://9to5linux.com/ipfire-2-29-core-update-200-is-out-with-linux-6-18-lts-ipfire-domain-blocklist