home.social

#suricata — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #suricata, aggregated by home.social.

  1. Using and with manual checks using to identify IP addresses that are attacking my reverse proxy device. I block in the IPs that tick all three boxes:
    1. suricata reports attack,
    2. claude code investigates and confirms attack (and we log the CVE etc.), and
    3. IP is already high confidence bad actor.
    A bit slow really due to manual checking. How does one extend to ? What measures should one add?

  2. Using #suricata #IDS and #abuseipdb with manual checks using #claudecode to identify IP addresses that are attacking my reverse proxy device. I block in #nftables the IPs that tick all three boxes:
    1. suricata reports attack,
    2. claude code investigates and confirms attack (and we log the CVE etc.), and
    3. IP is already high confidence bad actor.
    A bit slow really due to manual checking. How does one extend to #IPv6 ? What measures should one add? #portscanning

  3. SuriCon is community-funded - sponsorships keep it self-sustaining.

    Spots remain from the $800 Mob tier (for individual super fans) up to Community Partner ($10K).

    And our last exclusive slot: Welcome Reception Sponsor ($6K).

    Secure your spot: suricon.net/sponsorships/

    #Suricata #SuriCon #SuriCon2026

  4. SuriCon is community-funded - sponsorships keep it self-sustaining.

    Spots remain from the $800 Mob tier (for individual super fans) up to Community Partner ($10K).

    And our last exclusive slot: Welcome Reception Sponsor ($6K).

    Secure your spot: suricon.net/sponsorships/

    #Suricata #SuriCon #SuriCon2026

  5. The Hunters Ledger ruleset was recently added to the #Suricata ruleset index; check it out here: the-hunters-ledger.com/

    Thank you Joseph Harrison (linkedin.com/in/josephrharriso)

  6. The Hunters Ledger ruleset was recently added to the #Suricata ruleset index; check it out here: the-hunters-ledger.com/

    Thank you Joseph Harrison (linkedin.com/in/josephrharriso)

  7. Suricata produces rich network telemetry, alerts, anomalies, flow data, DNS, TLS, SSH, Kerberos, and more, but raw EVE JSON isn't investigation ready on its own.

    The Suricata IDS/IPS Content Pack for Graylog parses, enriches, and maps that data to the Graylog Information Model, with a dashboard built in. Setup covers Filebeat via Sidecar or syslog forwarding.
    Full breakdown here: graylog.org/post/suricata-ids-
    #Graylog #Suricata #SIEM #ThreatHunting #InfoSec #NetworkSecurity

  8. Suricata produces rich network telemetry, alerts, anomalies, flow data, DNS, TLS, SSH, Kerberos, and more, but raw EVE JSON isn't investigation ready on its own.

    The Suricata IDS/IPS Content Pack for Graylog parses, enriches, and maps that data to the Graylog Information Model, with a dashboard built in. Setup covers Filebeat via Sidecar or syslog forwarding.
    Full breakdown here: graylog.org/post/suricata-ids-
    #Graylog #Suricata #SIEM #ThreatHunting #InfoSec #NetworkSecurity

  9. We're pleased to announce the releases of #Suricata 8.0.6 and 7.0.17! 🎉
    With this, Suricata 7 series has reached its #EOL.

    See the release notes at forum.suricata.io/t/suricata-8

  10. We're pleased to announce the releases of #Suricata 8.0.6 and 7.0.17! 🎉
    With this, Suricata 7 series has reached its #EOL.

    See the release notes at forum.suricata.io/t/suricata-8

  11. RE: infosec.exchange/@suricata/116

    These are cute. And cool.

    And the different messages that they represent and embrace are part of why I truly love #suricata project and community.

  12. Future Suricata contributors start small. These little shirts are a playful community moment, but this is how open source lasts. It stays useful today while remaining open to the people who will shape what comes next.

    Some future contributors are still growing into the shirt 🧸

    #Suricata

  13. Future Suricata contributors start small. These little shirts are a playful community moment, but this is how open source lasts. It stays useful today while remaining open to the people who will shape what comes next.

    Some future contributors are still growing into the shirt 🧸

    #Suricata

  14. #Suricata powers many of today’s leading network detection and response solutions, including Clear NDR Community, which is widely used by practitioners to explore what is possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.

    #IDS #IPS #NSM

  15. #Suricata powers many of today’s leading network detection and response solutions, including Clear NDR Community, which is widely used by practitioners to explore what is possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.

    #IDS #IPS #NSM

  16. Heading to BSides Porto?

    Be sure to connect with
    @jufajardini . She’ll be there representing Suricata on Saturday.

    Find her and chat about open source security, and don’t forget to ask her for some Suricata swag.

    bsidesporto.org

    #Suricata #BSidesPorto #OpenSource #Cybersecurity

  17. Heading to BSides Porto?

    Be sure to connect with
    @jufajardini . She’ll be there representing Suricata on Saturday.

    Find her and chat about open source security, and don’t forget to ask her for some Suricata swag.

    bsidesporto.org

    #Suricata #BSidesPorto #OpenSource #Cybersecurity

  18. Major releases take time. They evolve through development, testing, review, feedback, and real deployment needs.

    If you use #Suricata today, what should be improved or carried forward toward Suricata 9?

    Share your thoughts now, or bring them to #SuriCon .

  19. Major releases take time. They evolve through development, testing, review, feedback, and real deployment needs.

    If you use #Suricata today, what should be improved or carried forward toward Suricata 9?

    Share your thoughts now, or bring them to #SuriCon .

  20. 🚀 SO-CRATES 1.1 is here — now with Light Mode! ☀️

    The tool you loved as OhMyPCAP keeps getting better.

    Your all-in-one Docker/Podman container for rapid analysis of PCAPs, logs, and binaries just leveled up.

    ✅ PCAPs → Suricata alerts, rich metadata, ASCII transcripts, stream carving
    ✅ Logs → Sigma alerts + originals
    ✅ Binaries → YARA matches + metadata

    Perfect for air-gapped environments, malware analysis, IR, threat hunting, forensics & teaching.

    What’s your preference?
    → Dark Mode 🖤
    → Light Mode ☀️
    → Why not both?
    → Needs glorious 4-color CGA option lol
    Comment below!

    #DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma #DarkMode #LightMode

  21. Как работает эта ваша суриката 3 часть

    Третья часть цикла статей по разбору устройства работы IDS/IPS решения Suricata. Разберём на практике уязвимость CVE‑2025‑66698 – обход аутентификации в Veda (Semantic Machines) v5.4.8. Запишем трафик с вредоносными запросами и составим suricata-правило, которое детектирует эксплуатацию уязвимости. В статье также приводятся объяснения как работают content, pcre и липкие буферы.

    habr.com/ru/articles/1049776/

    #suricata #dalton #wireshark #безопасность_сети #dpi #ids

  22. Two opportunities to learn more on Suricata this August, at BlackHat.

    For those who learn best through real traffic, rules, tuning, and workflow questions, this is one to keep on the radar. Suricata’s value is clearest when you can see it in practice.

    August 5: blackhat.com/us-26/arsenal/sch

    August 6: blackhat.com/us-26/arsenal/sch

    #Suricata #BlackHatUSA2026

  23. Two opportunities to learn more on Suricata this August, at BlackHat.

    For those who learn best through real traffic, rules, tuning, and workflow questions, this is one to keep on the radar. Suricata’s value is clearest when you can see it in practice.

    August 5: blackhat.com/us-26/arsenal/sch

    August 6: blackhat.com/us-26/arsenal/sch

    #Suricata #BlackHatUSA2026

  24. New in Suricata 9 and available in main, the `subslice` transform keyword creates a bounded window from a sticky buffer before content matching.

    Jeff Lucovsky covers how it works, with URI-ending, header-skipping, and short User-Agent examples.

    suricata.io/2026/06/16/suricat

    #SuricataTips #Suricata

  25. New in Suricata 9 and available in main, the `subslice` transform keyword creates a bounded window from a sticky buffer before content matching.

    Jeff Lucovsky covers how it works, with URI-ending, header-skipping, and short User-Agent examples.

    suricata.io/2026/06/16/suricat

    #SuricataTips #Suricata

  26. SuriCon 2026 is taking shape in Lisbon.

    Sponsor support helps make the event possible. Thank you to OPNsense, Léargas Security, Stamus Networks, AWS, and Corelight for helping create space for training, technical conversations, and community work.

    Become a sponsor: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #Sponsors

  27. SuriCon 2026 is taking shape in Lisbon.

    Sponsor support helps make the event possible. Thank you to OPNsense, Léargas Security, Stamus Networks, AWS, and Corelight for helping create space for training, technical conversations, and community work.

    Become a sponsor: suricon.net/sponsorships/

    #Suricata #SuriCon2026 #Sponsors

  28. Как работает эта ваша суриката 2 часть

    Вторая часть цикла статей о практическом применении Suricata IDS/IPS. Рассмотрим базовые модификаторы Suricata на примерах DNS-запросов и на сетевых атаках. Уделим внимание механизму threshold для предотвращения флуда алертов.

    habr.com/ru/articles/1047804/

    #suricata #dalton #безопасность_сети #ids #dpi

  29. Как работает эта ваша суриката

    Всем привет! Моя работа связана с анализом сетевого трафика и написанием детектирующих правил Suricata. Я хочу поделиться с вами опытом работы с данным инструментом. Разберёмся в тонкостях работы этого ids/ips решения, научимся писать сигнатурные правила, а также понимать, как их писать для выявления нелегитимной активности.

    habr.com/ru/articles/1047246/

    #suricata #dalton #безопасность_сети

  30. Corelight is joining SuriCon 2026 as a Community Partners sponsor.

    Suricata often sits where network visibility, detection, and investigation meet. Corelight connects to that work by bringing Suricata IDS alerts together with Zeek network evidence.

    Learn more: corelight.com

    #Suricata #SuriCon2026

  31. Corelight is joining SuriCon 2026 as a Community Partners sponsor.

    Suricata often sits where network visibility, detection, and investigation meet. Corelight connects to that work by bringing Suricata IDS alerts together with Zeek network evidence.

    Learn more: corelight.com

    #Suricata #SuriCon2026

  32. 🚀Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus!

    SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.

    Here's what you can do with SO-CRATES:
    ✅analyze pcap files and then review Suricata alerts, metadata, and extracted files
    ✅import log files and then review Sigma alerts and the original log entries
    ✅import binary files and then review YARA matches and file metadata

    All of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s trying it out? Drop a ❤️ and reply with your main use case!

    #DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma

    @securityonion
    @chrissanders88

  33. 🚀Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus!

    SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.

    Here's what you can do with SO-CRATES:
    ✅analyze pcap files and then review Suricata alerts, metadata, and extracted files
    ✅import log files and then review Sigma alerts and the original log entries
    ✅import binary files and then review YARA matches and file metadata

    All of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.

    Who’s trying it out? Drop a ❤️ and reply with your main use case!

    #DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma

    @securityonion
    @chrissanders88

  34. ----------------

    🛠️ Tool: Pcap2Timeline - Fast PCAP triage into analyst-friendly CSV output
    ===================

    Pcap2Timeline is a lightweight shell script (pcap2csv.sh) that wraps Suricata to transform raw PCAP files into structured CSV datasets. It leverages Suricata's eve.json output and converts it into multiple CSV files, one per event type, plus a chronologically merged timeline.

    🔹 Key Features

    The script extracts the following event categories from PCAP files:
    • Alerts - Suricata rule match notifications
    • DNS - Queries and responses
    • HTTP - Request and response metadata
    • TLS - SNI, certificate information
    • FTP - Commands and file transfers
    • SMB - Windows file sharing activity
    • SSH - Secure shell sessions
    • RDP - Remote desktop connections
    • Flows - Connection statistics and metadata

    Each event type gets its own CSV, and a combined capture_timeline.csv merges all events in chronological order. Custom Suricata rules can be applied via the -R flag, enabling targeted detection during triage instead of relying only on default rule sets.

    🔹 Technical Implementation

    The script is written in POSIX sh with no bashisms, meaning it runs on minimal Unix environments without requiring bash. Dependencies are intentionally sparse: suricata for packet processing and jq for JSON parsing. Standard POSIX utilities handle the rest.

    Given an input capture.pcap, the script creates a pcap2csv_output/ directory containing separate CSVs for alerts, DNS, HTTP, TLS, FTP, flows, and the merged timeline.

    This integrates cleanly with Eric Zimmerman's Timeline Explorer for interactive filtering and pivoting through the results.

    🔹 Setup

    sudo apt install suricata jq
    sudo suricata-update
    git clone github.com/mf1d3l/Pcap2Timelin
    chmod +x pcap2csv.sh

    Usage: ./pcap2csv.sh <input.pcap> [-R <rules-file.rules>]

    🔹 Considerations

    The tool fills a specific niche: rapid initial triage, not deep analysis. It does not correlate events across categories or generate findings automatically. Analysts still need to interpret the data, but having it pre-organized by event type with a unified timeline significantly reduces orientation time within a new PCAP. The extraction is bounded by what Suricata can detect, so protocols not covered by the loaded rule set will not appear in output.

    🔹 tool #PCAP #Suricata #DFIR #networkforensics

    🔗 Source: github.com/mf1d3l/Pcap2Timeline

  35. ----------------

    🛠️ Tool: Pcap2Timeline - Fast PCAP triage into analyst-friendly CSV output
    ===================

    Pcap2Timeline is a lightweight shell script (pcap2csv.sh) that wraps Suricata to transform raw PCAP files into structured CSV datasets. It leverages Suricata's eve.json output and converts it into multiple CSV files, one per event type, plus a chronologically merged timeline.

    🔹 Key Features

    The script extracts the following event categories from PCAP files:
    • Alerts - Suricata rule match notifications
    • DNS - Queries and responses
    • HTTP - Request and response metadata
    • TLS - SNI, certificate information
    • FTP - Commands and file transfers
    • SMB - Windows file sharing activity
    • SSH - Secure shell sessions
    • RDP - Remote desktop connections
    • Flows - Connection statistics and metadata

    Each event type gets its own CSV, and a combined capture_timeline.csv merges all events in chronological order. Custom Suricata rules can be applied via the -R flag, enabling targeted detection during triage instead of relying only on default rule sets.

    🔹 Technical Implementation

    The script is written in POSIX sh with no bashisms, meaning it runs on minimal Unix environments without requiring bash. Dependencies are intentionally sparse: suricata for packet processing and jq for JSON parsing. Standard POSIX utilities handle the rest.

    Given an input capture.pcap, the script creates a pcap2csv_output/ directory containing separate CSVs for alerts, DNS, HTTP, TLS, FTP, flows, and the merged timeline.

    This integrates cleanly with Eric Zimmerman's Timeline Explorer for interactive filtering and pivoting through the results.

    🔹 Setup

    sudo apt install suricata jq
    sudo suricata-update
    git clone github.com/mf1d3l/Pcap2Timelin
    chmod +x pcap2csv.sh

    Usage: ./pcap2csv.sh <input.pcap> [-R <rules-file.rules>]

    🔹 Considerations

    The tool fills a specific niche: rapid initial triage, not deep analysis. It does not correlate events across categories or generate findings automatically. Analysts still need to interpret the data, but having it pre-organized by event type with a unified timeline significantly reduces orientation time within a new PCAP. The extraction is bounded by what Suricata can detect, so protocols not covered by the loaded rule set will not appear in output.

    🔹 tool #PCAP #Suricata #DFIR #networkforensics

    🔗 Source: github.com/mf1d3l/Pcap2Timeline

  36. At the Boston Official Cybersecurity Summit, Dr. Kelley Misata closed with “Trusted by Default: The Open Source Risk Hiding in Plain Sight.”

    Her session brought OISF’s open source security perspective into the room and connected it to our work supporting #Suricata.

    Thank you to all who joined!

  37. At the Boston Official Cybersecurity Summit, Dr. Kelley Misata closed with “Trusted by Default: The Open Source Risk Hiding in Plain Sight.”

    Her session brought OISF’s open source security perspective into the room and connected it to our work supporting #Suricata.

    Thank you to all who joined!

  38. Suricata often enters the workflow before it enters the conversation through SOC distributions, training labs, alert pipelines, vendor products, or rules firing in another interface.

    To better understand what Suricata is doing under the hood, start here: suricata.io/learn/learning-lib
    #Suricata #LearningLibrary

  39. Suricata often enters the workflow before it enters the conversation through SOC distributions, training labs, alert pipelines, vendor products, or rules firing in another interface.

    To better understand what Suricata is doing under the hood, start here: suricata.io/learn/learning-lib
    #Suricata #LearningLibrary

  40. Пещера Алладина для безопасника: 754 навыка для AI-агента и что будет, если использовать их для своего NGFW

    Разбираемся с открытой библиотекой Agent Skills для кибербезопасности на 754 навыка, показываем, как она устроена, и проводим живой эксперимент: даём агенту Hermes два навыка и просим разобрать реальный IPS-лог и провести аудит правил файрвола – сначала на бесплатной модели Owl Alpha (из-за того что подобную модель при желании можно использовать локально), затем на платной Opus 4.8 (Cloude Security). Сравниваем, где проходит граница между «бесплатно» и «дорого, но качественно». Откуда взялась «пещера» В одну ночь у нас на столе оказались четыре вещи: открытый репозиторий с 754 (!) навыками по ИБ для AI-агентов, автономный агент Hermes от Nous Research, LLM-модели Owl Alpha и Opus 4.8, а также открытое API Ideco NGFW в markdown-формате и соответствующий тестовый сервер. Собрали всё вместе и проверили на что способен AI-native администратор NGFW. Ощущение от первого захода в репозиторий было ровно как у Аладдина в пещере: вокруг сундуки с готовыми playbook'ами, на каждый второй случай из жизни безопасника. Volatility3 для дампов памяти, Zeek для разбора PCAP, Sigma-правила под Kerberoasting, разбор Cobalt Strike beacon, форензика облаков на трёх провайдерах. И ключ ко всему этому богатству – почти любая LLM, которая умеет в tool calling. Проведем эксперимент: два конкретных навыка из сетевой безопасности, один агент, реальные данные. И в конце – где здесь грабли, на которые легко наступить. Что такое Agent Skills и почему это не просто очередные промпты Agent Skills – это открытый формат для расширения возможностей AI-агента специализированными знаниями и рабочими процессами. Вместо того чтобы каждый раз промтом объяснять модели, «как senior-аналитик расследует утечку через DNS-туннель », вы один раз описываете этот workflow в структурированном виде – и подкладываете агенту.

    habr.com/ru/companies/ideco/ar

    #llm #llmагент #hermes_agent #IPS #firewall #межсетевой_экран #ideco_ngfw #ideco #Suricata #информационная_безопасность

  41. CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • 🛡️ Security Remediation & Hardening (#996)
      • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
      • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
      • Password stored as MD5-crypt for SFTP (#1009)
      • Authenticated archive zip-slip file write in filebeat container (#999)
      • OpenSearch path injection via /mapi/fields?template (#1000)
      • submit.php Location: open redirect via Referer (#1007)
      • htadmin proxied with no nginx auth gate (#1003)
      • Keycloak OIDC ssl_verify always set to false (#1006)
      • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
      • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
      • Read-only Arkime deny-regex omits addtags/removetags (#1008)
      • Read-only deployment allows POST /mapi/event (#1002)
      • WISE auth path selectable by client User-Agent (#1001)
      • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
      • requests CVE bump reverted in logstash image (#1010)
      • Fix API auth errors and hide NGINX version disclosure (#989)
    • 🐛 Bug fixes
      • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
      • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
      • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
    • ✅ Component version updates
    • 🧹 Code and project maintenance
      • Fixed some incorrect links in documentation (#988, thanks @jsoref)
      • Refactored NGINX error pages configuration into its own include file and added a 401.html page
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  42. CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • 🛡️ Security Remediation & Hardening (#996)
      • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
      • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
      • Password stored as MD5-crypt for SFTP (#1009)
      • Authenticated archive zip-slip file write in filebeat container (#999)
      • OpenSearch path injection via /mapi/fields?template (#1000)
      • submit.php Location: open redirect via Referer (#1007)
      • htadmin proxied with no nginx auth gate (#1003)
      • Keycloak OIDC ssl_verify always set to false (#1006)
      • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
      • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
      • Read-only Arkime deny-regex omits addtags/removetags (#1008)
      • Read-only deployment allows POST /mapi/event (#1002)
      • WISE auth path selectable by client User-Agent (#1001)
      • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
      • requests CVE bump reverted in logstash image (#1010)
      • Fix API auth errors and hide NGINX version disclosure (#989)
    • 🐛 Bug fixes
      • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
      • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
      • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
    • ✅ Component version updates
    • 🧹 Code and project maintenance
      • Fixed some incorrect links in documentation (#988, thanks @jsoref)
      • Refactored NGINX error pages configuration into its own include file and added a 401.html page
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  43. CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • 🛡️ Security Remediation & Hardening (#996)
      • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
      • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
      • Password stored as MD5-crypt for SFTP (#1009)
      • Authenticated archive zip-slip file write in filebeat container (#999)
      • OpenSearch path injection via /mapi/fields?template (#1000)
      • submit.php Location: open redirect via Referer (#1007)
      • htadmin proxied with no nginx auth gate (#1003)
      • Keycloak OIDC ssl_verify always set to false (#1006)
      • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
      • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
      • Read-only Arkime deny-regex omits addtags/removetags (#1008)
      • Read-only deployment allows POST /mapi/event (#1002)
      • WISE auth path selectable by client User-Agent (#1001)
      • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
      • requests CVE bump reverted in logstash image (#1010)
      • Fix API auth errors and hide NGINX version disclosure (#989)
    • 🐛 Bug fixes
      • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
      • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
      • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
    • ✅ Component version updates
    • 🧹 Code and project maintenance
      • Fixed some incorrect links in documentation (#988, thanks @jsoref)
      • Refactored NGINX error pages configuration into its own include file and added a 401.html page
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  44. CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • 🛡️ Security Remediation & Hardening (#996)
      • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
      • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
      • Password stored as MD5-crypt for SFTP (#1009)
      • Authenticated archive zip-slip file write in filebeat container (#999)
      • OpenSearch path injection via /mapi/fields?template (#1000)
      • submit.php Location: open redirect via Referer (#1007)
      • htadmin proxied with no nginx auth gate (#1003)
      • Keycloak OIDC ssl_verify always set to false (#1006)
      • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
      • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
      • Read-only Arkime deny-regex omits addtags/removetags (#1008)
      • Read-only deployment allows POST /mapi/event (#1002)
      • WISE auth path selectable by client User-Agent (#1001)
      • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
      • requests CVE bump reverted in logstash image (#1010)
      • Fix API auth errors and hide NGINX version disclosure (#989)
    • 🐛 Bug fixes
      • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
      • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
      • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
    • ✅ Component version updates
    • 🧹 Code and project maintenance
      • Fixed some incorrect links in documentation (#988, thanks @jsoref)
      • Refactored NGINX error pages configuration into its own include file and added a 401.html page
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  45. CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • 🛡️ Security Remediation & Hardening (#996)
      • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
      • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
      • Password stored as MD5-crypt for SFTP (#1009)
      • Authenticated archive zip-slip file write in filebeat container (#999)
      • OpenSearch path injection via /mapi/fields?template (#1000)
      • submit.php Location: open redirect via Referer (#1007)
      • htadmin proxied with no nginx auth gate (#1003)
      • Keycloak OIDC ssl_verify always set to false (#1006)
      • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
      • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
      • Read-only Arkime deny-regex omits addtags/removetags (#1008)
      • Read-only deployment allows POST /mapi/event (#1002)
      • WISE auth path selectable by client User-Agent (#1001)
      • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
      • requests CVE bump reverted in logstash image (#1010)
      • Fix API auth errors and hide NGINX version disclosure (#989)
    • 🐛 Bug fixes
      • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
      • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
      • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
    • ✅ Component version updates
    • 🧹 Code and project maintenance
      • Fixed some incorrect links in documentation (#988, thanks @jsoref)
      • Refactored NGINX error pages configuration into its own include file and added a 401.html page
    • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

    Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL