home.social

#suricata — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #suricata, aggregated by home.social.

  1. 🚀 OhMyPCAP 4.0.0 is HERE!

    The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.

    New in v4.0:
    • Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
    • Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches

    All the power you love is still here:
    Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).

    Ideal for malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)

    #PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis

    @chrissanders88 @lennyzeltser

  2. 🚀 OhMyPCAP 4.0.0 is HERE!

    The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.

    New in v4.0:
    • Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
    • Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches

    All the power you love is still here:
    Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).

    Ideal for malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)

    #PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis

    @chrissanders88 @lennyzeltser

  3. 🚀 OhMyPCAP 4.0.0 is HERE!

    The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.

    New in v4.0:
    • Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
    • Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches

    All the power you love is still here:
    Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).

    Ideal for malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)

    #PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis

    @chrissanders88 @lennyzeltser

  4. @drmorrisj Good Luck on finishing touches to Phd - a ton of work; i am thinking about actively trying to sell some edr - crowdstrike, emerging threats/proofpoint, recorded future, i have too many portals to make and stalled out deciding drupal or wp, maybe both and a toplist or two. I am going to try and go after some things like the yacy consulting and where licenses allow i will sell product plus consulting - one step at a time #generic templates #portal IT sales and consulting #structured data #ssl proxy #suricata #arkime #sigs #binary defense #best practices

  5. I built IT PCAP Triage - a small offline tool for people who hate digging through PCAPs manually.

    It runs Zeek, Suricata, capinfos and tshark, then generates a compact HTML security report with findings, risky hosts, DNS/TLS/SMB/HTTP summaries, IDS alerts and evidence.

    Still not a SIEM. Still not magic. Just automation for the boring first triage pass.

    0ut3r.space/2026/05/23/it-pcap

    #infosec #pcap #zeek #suricata #python #security

  6. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • ✅ Component version updates
    • 🐛 Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  7. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • ✅ Component version updates
    • 🐛 Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  8. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • ✅ Component version updates
    • 🐛 Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  9. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • ✅ Component version updates
    • 🐛 Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  10. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • ✅ Component version updates
    • 🐛 Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  11. Jupyter and Suricata make a pretty good pair.

    In his SuriCon 2022 talk, Jupyter Playbooks for Suricata, Markus Kont shows how jupyter notebooks can support rule exploration, threat hunting, analytics, and R&D prototyping around Suricata.

    Watch here: youtu.be/hevTFubjlDQ?si=dKGV0G

    #Suricata #SuriCon #OpenSource

  12. Suricata 9 is planned for next year, and development is already well underway.

    At our recent team meeting in Salzburg, we discussed priorities, next steps, and the work shaping the next version. Open source work does not wait for release season.

    #OISF #Suricata #OpenSource

  13. Community helps make open source stronger. Accessibility helps that community grow.

    Our Juliana Fajardini Reichow ( @jufajardini ) brought both into her sessions with DonasSecurity and Senac São Bernardo do Campo, where she shared Suricata, Outreachy, and her open source journey.

    #Suricata #OpenSource #OISF

  14. Mastodon Incident Report / Root cause analysis:

    Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

    Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNSense firewall. Suricata (our IPS) triggered a false-positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

    Resolution: We identified the false-positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

    #mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie

  15. Mastodon Incident Report / Root cause analysis:

    Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

    Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNSense firewall. Suricata (our IPS) triggered a false-positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

    Resolution: We identified the false-positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

    #mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie

  16. Mastodon Incident Report / Root cause analysis:

    Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

    Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNSense firewall. Suricata (our IPS) triggered a false-positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

    Resolution: We identified the false-positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

    #mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie

  17. Mastodon Incident Report / Root cause analysis:

    Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

    Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNSense firewall. Suricata (our IPS) triggered a false-positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

    Resolution: We identified the false-positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

    #mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie

  18. Mastodon Incident Report / Root cause analysis:

    Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

    Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNSense firewall. Suricata (our IPS) triggered a false-positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

    Resolution: We identified the false-positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

    #mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie

  19. Suricata was at BotConf on April 14, with Peter Manev and Éric Leblond ( @Regit ) leading a hands-on workshop.

    Good to spend time in person with people digging into the practical side of the project and working through the details together.

    #Suricata #BotConf2026 #OpenSource

  20. Bueno, parece que los ataques de scraping estan cesando o por lo menos el bloqueo del firewall está siendo exitoso y permite más o menos respirar al servidor. Como últimas novedades, ayer terminé de migrar las listas de bloque de Alias y reglas manuales, a listas dinámicas automáticas, aparte de que agregué algunas más que estaban faltando. Las listas dinámicas corren en bajo nivel en el firewall y aprovechan el motor pf packet filter que hace famoso a pf-Sense. Eso quedó lujo y los tests que corrí muestran que el firewall ni se despeina filtrando unas 50k IPs. También en el proxy Nginx dejé corriendo CrowdSec junto con Fail2ban y ahora ambos alimentan de IPs maliciosas que detectan, al pf-Sense que las bloquea para toda la red. CrowdSec fue sugerencia de @j3j5 y luego de @ElenaMusk y valió la pena porque solo lo conocía de nombre, nunca lo había probado, muchas gracias por el apoyo y la ayuda. Pensé que era similar a Fail2ban pero se nota que es mucho más moderno y agarra IPs que Fail2ban no agarra, justamente por el análisis decomportamiento. Yo creo que estamos bastante bien ahora, con pfBlocker-NG, Suricata y DNSBL corriendo en pf-Sense y Fail2ban y CrowdSec corriendo en el proxy que a su vez retroalimenta a pf-Sense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

  21. Bueno, parece que los ataques de scraping estan cesando o por lo menos el bloqueo del firewall está siendo exitoso y permite más o menos respirar al servidor. Como últimas novedades, ayer terminé de migrar las listas de bloque de Alias y reglas manuales, a listas dinámicas automáticas, aparte de que agregué algunas más que estaban faltando. Las listas dinámicas corren en bajo nivel en el firewall y aprovechan el motor pf packet filter que hace famoso a pf-Sense. Eso quedó lujo y los tests que corrí muestran que el firewall ni se despeina filtrando unas 50k IPs. También en el proxy Nginx dejé corriendo CrowdSec junto con Fail2ban y ahora ambos alimentan de IPs maliciosas que detectan, al pf-Sense que las bloquea para toda la red. CrowdSec fue sugerencia de @j3j5 y luego de @ElenaMusk y valió la pena porque solo lo conocía de nombre, nunca lo había probado, muchas gracias por el apoyo y la ayuda. Pensé que era similar a Fail2ban pero se nota que es mucho más moderno y agarra IPs que Fail2ban no agarra, justamente por el análisis decomportamiento. Yo creo que estamos bastante bien ahora, con pfBlocker-NG, Suricata y DNSBL corriendo en pf-Sense y Fail2ban y CrowdSec corriendo en el proxy que a su vez retroalimenta a pf-Sense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

  22. Bueno, parece que los ataques de scraping estan cesando o por lo menos el bloqueo del firewall está siendo exitoso y permite más o menos respirar al servidor. Como últimas novedades, ayer terminé de migrar las listas de bloque de Alias y reglas manuales, a listas dinámicas automáticas, aparte de que agregué algunas más que estaban faltando. Las listas dinámicas corren en bajo nivel en el firewall y aprovechan el motor pf packet filter que hace famoso a pf-Sense. Eso quedó lujo y los tests que corrí muestran que el firewall ni se despeina filtrando unas 50k IPs. También en el proxy Nginx dejé corriendo CrowdSec junto con Fail2ban y ahora ambos alimentan de IPs maliciosas que detectan, al pf-Sense que las bloquea para toda la red. CrowdSec fue sugerencia de @j3j5 y luego de @ElenaMusk y valió la pena porque solo lo conocía de nombre, nunca lo había probado, muchas gracias por el apoyo y la ayuda. Pensé que era similar a Fail2ban pero se nota que es mucho más moderno y agarra IPs que Fail2ban no agarra, justamente por el análisis decomportamiento. Yo creo que estamos bastante bien ahora, con pfBlocker-NG, Suricata y DNSBL corriendo en pf-Sense y Fail2ban y CrowdSec corriendo en el proxy que a su vez retroalimenta a pf-Sense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

  23. Bueno, parece que los ataques de scraping estan cesando o por lo menos el bloqueo del firewall está siendo exitoso y permite más o menos respirar al servidor. Como últimas novedades, ayer terminé de migrar las listas de bloque de Alias y reglas manuales, a listas dinámicas automáticas, aparte de que agregué algunas más que estaban faltando. Las listas dinámicas corren en bajo nivel en el firewall y aprovechan el motor pf packet filter que hace famoso a pf-Sense. Eso quedó lujo y los tests que corrí muestran que el firewall ni se despeina filtrando unas 50k IPs. También en el proxy Nginx dejé corriendo CrowdSec junto con Fail2ban y ahora ambos alimentan de IPs maliciosas que detectan, al pf-Sense que las bloquea para toda la red. CrowdSec fue sugerencia de @j3j5 y luego de @ElenaMusk y valió la pena porque solo lo conocía de nombre, nunca lo había probado, muchas gracias por el apoyo y la ayuda. Pensé que era similar a Fail2ban pero se nota que es mucho más moderno y agarra IPs que Fail2ban no agarra, justamente por el análisis decomportamiento. Yo creo que estamos bastante bien ahora, con pfBlocker-NG, Suricata y DNSBL corriendo en pf-Sense y Fail2ban y CrowdSec corriendo en el proxy que a su vez retroalimenta a pf-Sense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

  24. Bueno, parece que los ataques de scraping estan cesando o por lo menos el bloqueo del firewall está siendo exitoso y permite más o menos respirar al servidor. Como últimas novedades, ayer terminé de migrar las listas de bloque de Alias y reglas manuales, a listas dinámicas automáticas, aparte de que agregué algunas más que estaban faltando. Las listas dinámicas corren en bajo nivel en el firewall y aprovechan el motor pf packet filter que hace famoso a pf-Sense. Eso quedó lujo y los tests que corrí muestran que el firewall ni se despeina filtrando unas 50k IPs. También en el proxy Nginx dejé corriendo CrowdSec junto con Fail2ban y ahora ambos alimentan de IPs maliciosas que detectan, al pf-Sense que las bloquea para toda la red. CrowdSec fue sugerencia de @j3j5 y luego de @ElenaMusk y valió la pena porque solo lo conocía de nombre, nunca lo había probado, muchas gracias por el apoyo y la ayuda. Pensé que era similar a Fail2ban pero se nota que es mucho más moderno y agarra IPs que Fail2ban no agarra, justamente por el análisis decomportamiento. Yo creo que estamos bastante bien ahora, con pfBlocker-NG, Suricata y DNSBL corriendo en pf-Sense y Fail2ban y CrowdSec corriendo en el proxy que a su vez retroalimenta a pf-Sense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

  25. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 — use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 — examine large chown'ed directories in container images and see if they can be reduced
      • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • ✅ Component version updates
    • 🐛 Bug fixes
      • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 — configuration script can disable ICS parsers unintentionally
      • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 — replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 — develop IronBank (US DoD) images for Malcolm
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  26. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 — use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 — examine large chown'ed directories in container images and see if they can be reduced
      • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • ✅ Component version updates
    • 🐛 Bug fixes
      • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 — configuration script can disable ICS parsers unintentionally
      • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 — replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 — develop IronBank (US DoD) images for Malcolm
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  27. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 — use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 — examine large chown'ed directories in container images and see if they can be reduced
      • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • ✅ Component version updates
    • 🐛 Bug fixes
      • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 — configuration script can disable ICS parsers unintentionally
      • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 — replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 — develop IronBank (US DoD) images for Malcolm
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  28. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 — use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 — examine large chown'ed directories in container images and see if they can be reduced
      • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • ✅ Component version updates
    • 🐛 Bug fixes
      • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 — configuration script can disable ICS parsers unintentionally
      • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 — replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 — develop IronBank (US DoD) images for Malcolm
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  29. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 — use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 — examine large chown'ed directories in container images and see if they can be reduced
      • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • ✅ Component version updates
    • 🐛 Bug fixes
      • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 — configuration script can disable ICS parsers unintentionally
      • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 — replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 — develop IronBank (US DoD) images for Malcolm
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  30. And our Victor Julien ( @inliniac ) will be at NLUUG Spring Conference 2026 on May 7 in Utrecht, speaking on Suricata: 10 years later.

    A look back at how the project has evolved over the past decade and where it stands today.

    More info: leden.nluug.nl/aanmelden/index

    #Suricata #NLUUG #OpenSource

  31. A big thank you to the sponsors making SuriCon 2026 possible. Your support helps keep the Suricata community and open source network security moving forward. 🙏

    Interested in sponsoring SuriCon 2026? Learn more here: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #OpenSource #OISF

  32. A big thank you to the sponsors making SuriCon 2026 possible. Your support helps keep the Suricata community and open source network security moving forward. 🙏

    Interested in sponsoring SuriCon 2026? Learn more here: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #OpenSource #OISF

  33. A big thank you to the sponsors making SuriCon 2026 possible. Your support helps keep the Suricata community and open source network security moving forward. 🙏

    Interested in sponsoring SuriCon 2026? Learn more here: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #OpenSource #OISF

  34. A big thank you to the sponsors making SuriCon 2026 possible. Your support helps keep the Suricata community and open source network security moving forward. 🙏

    Interested in sponsoring SuriCon 2026? Learn more here: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #OpenSource #OISF

  35. A big thank you to the sponsors making SuriCon 2026 possible. Your support helps keep the Suricata community and open source network security moving forward. 🙏

    Interested in sponsoring SuriCon 2026? Learn more here: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #OpenSource #OISF

  36. The OISF team is together in Salzburg this week for our in-person team meeting! 🙌

    We love the moments we get to come together as a team and work through what’s next, from ongoing development to the work that supports the Suricata community.

    #Suricata #OISF #OpenSource

  37. Revisiting @Regit - Éric Leblond’s SuriCon 2022 talk on IOC matching and anomaly detection. A useful look at large-scale matching, IOC checking, and anomaly detection in Suricata datasets.

    2022 talk: youtu.be/2eyX0sNtJ3I?si=eN_a1c

    2025 follow-up: youtube.com/watch?v=vhKJJnYqSTs

    #Suricata #SuriCon #OpenSource

  38. 🎤 SuriCon is only as good as the people who show up and share.

    If you've been thinking about submitting a talk for #SuriCon2026, now is the time. We hope to see you on stage in Lisbon this November!

    Submit here: pretalx.com/suricon2026/cfp

    #Suricata #CallforTalks #Community #OISFoundation

  39. 🎤 SuriCon is only as good as the people who show up and share.

    If you've been thinking about submitting a talk for #SuriCon2026, now is the time. We hope to see you on stage in Lisbon this November!

    Submit here: pretalx.com/suricon2026/cfp

    #Suricata #CallforTalks #Community #OISFoundation

  40. 🎤 SuriCon is only as good as the people who show up and share.

    If you've been thinking about submitting a talk for #SuriCon2026, now is the time. We hope to see you on stage in Lisbon this November!

    Submit here: pretalx.com/suricon2026/cfp

    #Suricata #CallforTalks #Community #OISFoundation

  41. 🎤 SuriCon is only as good as the people who show up and share.

    If you've been thinking about submitting a talk for #SuriCon2026, now is the time. We hope to see you on stage in Lisbon this November!

    Submit here: pretalx.com/suricon2026/cfp

    #Suricata #CallforTalks #Community #OISFoundation

  42. 🎤 SuriCon is only as good as the people who show up and share.

    If you've been thinking about submitting a talk for #SuriCon2026, now is the time. We hope to see you on stage in Lisbon this November!

    Submit here: pretalx.com/suricon2026/cfp

    #Suricata #CallforTalks #Community #OISFoundation

  43. ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

    В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

    habr.com/ru/companies/ideco/ar

    #IPS #NGFW #ml #suricata #машинное_обучение

  44. ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

    В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

    habr.com/ru/companies/ideco/ar

    #IPS #NGFW #ml #suricata #машинное_обучение

  45. ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

    В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

    habr.com/ru/companies/ideco/ar

    #IPS #NGFW #ml #suricata #машинное_обучение

  46. ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

    В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

    habr.com/ru/companies/ideco/ar

    #IPS #NGFW #ml #suricata #машинное_обучение

  47. #Suricata is een veelgebruikte open source (GPLv2) netwerk security engine, voornamelijk gebruikt als IDS (Intrusion Detection System) en IPS (Intrusion Prevention System).

    Op de NLUUG voorjaarsconferentie van 7 mei 2026 zal Victor Julien ( @inliniac ) verbeteringen in Suricata van de afgelopen 10 jaar presenteren en inzicht geven hoe netwerk security uiterst belangrijk blijft.

    Schrijf je in voor de nluug.nl/evenementen/nluug/voo en zie je op de voorjaarsconferentie!

    #NLUUG is dé vereniging voor (professionele) gebruikers van UNIX/Linux, #OpenSource, #OpenSystemen en #OpenStandaarden in NL.

  48. DNS tunneling is easy to miss. Peter Manev walks through a real-world case using Suricata 8: detection, investigation, and reverse engineering.

    Don't miss it! Register now: us02web.zoom.us/webinar/regist

    #Suricata #OpenSource #FreeWebinar

  49. DNS tunneling is easy to miss. Peter Manev walks through a real-world case using Suricata 8: detection, investigation, and reverse engineering.

    Don't miss it! Register now: us02web.zoom.us/webinar/regist

    #Suricata #OpenSource #FreeWebinar

  50. DNS tunneling is easy to miss. Peter Manev walks through a real-world case using Suricata 8: detection, investigation, and reverse engineering.

    Don't miss it! Register now: us02web.zoom.us/webinar/regist

    #Suricata #OpenSource #FreeWebinar