#suricata — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #suricata, aggregated by home.social.
-
Using #suricata #IDS and #abuseipdb with manual checks using #claudecode to identify IP addresses that are attacking my reverse proxy device. I block in #nftables the IPs that tick all three boxes:
1. suricata reports attack,
2. claude code investigates and confirms attack (and we log the CVE etc.), and
3. IP is already high confidence bad actor.
A bit slow really due to manual checking. How does one extend to #IPv6 ? What measures should one add? #portscanning -
Using #suricata #IDS and #abuseipdb with manual checks using #claudecode to identify IP addresses that are attacking my reverse proxy device. I block in #nftables the IPs that tick all three boxes:
1. suricata reports attack,
2. claude code investigates and confirms attack (and we log the CVE etc.), and
3. IP is already high confidence bad actor.
A bit slow really due to manual checking. How does one extend to #IPv6 ? What measures should one add? #portscanning -
SuriCon is community-funded - sponsorships keep it self-sustaining.
Spots remain from the $800 Mob tier (for individual super fans) up to Community Partner ($10K).
And our last exclusive slot: Welcome Reception Sponsor ($6K).
Secure your spot: suricon.net/sponsorships/
-
SuriCon is community-funded - sponsorships keep it self-sustaining.
Spots remain from the $800 Mob tier (for individual super fans) up to Community Partner ($10K).
And our last exclusive slot: Welcome Reception Sponsor ($6K).
Secure your spot: suricon.net/sponsorships/
-
Got tired of mucking with these miserable #screenconnect msi's so here's a #suricata rule to catch the initial check via sni:
https://gist.github.com/silence-is-best/29afec335264313e9bf5bfa1c6e60144
https://app.any.run/tasks/73887f39-a8ac-4702-a67d-36465caca294
cc @da_667 -
Got tired of mucking with these miserable #screenconnect msi's so here's a #suricata rule to catch the initial check via sni:
https://gist.github.com/silence-is-best/29afec335264313e9bf5bfa1c6e60144
https://app.any.run/tasks/73887f39-a8ac-4702-a67d-36465caca294
cc @da_667 -
The Hunters Ledger ruleset was recently added to the #Suricata ruleset index; check it out here: https://the-hunters-ledger.com/
Thank you Joseph Harrison (https://www.linkedin.com/in/josephrharrison/)
-
The Hunters Ledger ruleset was recently added to the #Suricata ruleset index; check it out here: https://the-hunters-ledger.com/
Thank you Joseph Harrison (https://www.linkedin.com/in/josephrharrison/)
-
Suricata produces rich network telemetry, alerts, anomalies, flow data, DNS, TLS, SSH, Kerberos, and more, but raw EVE JSON isn't investigation ready on its own.
The Suricata IDS/IPS Content Pack for Graylog parses, enriches, and maps that data to the Graylog Information Model, with a dashboard built in. Setup covers Filebeat via Sidecar or syslog forwarding.
Full breakdown here: https://graylog.org/post/suricata-ids-ips-data-in-graylog/
#Graylog #Suricata #SIEM #ThreatHunting #InfoSec #NetworkSecurity -
Suricata produces rich network telemetry, alerts, anomalies, flow data, DNS, TLS, SSH, Kerberos, and more, but raw EVE JSON isn't investigation ready on its own.
The Suricata IDS/IPS Content Pack for Graylog parses, enriches, and maps that data to the Graylog Information Model, with a dashboard built in. Setup covers Filebeat via Sidecar or syslog forwarding.
Full breakdown here: https://graylog.org/post/suricata-ids-ips-data-in-graylog/
#Graylog #Suricata #SIEM #ThreatHunting #InfoSec #NetworkSecurity -
We're pleased to announce the releases of #Suricata 8.0.6 and 7.0.17! 🎉
With this, Suricata 7 series has reached its #EOL.See the release notes at https://forum.suricata.io/t/suricata-8-0-6-and-7-0-17-released/6391/1
-
We're pleased to announce the releases of #Suricata 8.0.6 and 7.0.17! 🎉
With this, Suricata 7 series has reached its #EOL.See the release notes at https://forum.suricata.io/t/suricata-8-0-6-and-7-0-17-released/6391/1
-
Are you using #wazuh and want to integrate threat intelligence today? These two posts might interest you:
https://blog.federicofantini.net/blog/2026/03/23/Wazuh-Threat-Intelligence.html
#wazuh #opencti #homelab #sysmon #suricata #threatintel #retrohunting
-
RE: https://infosec.exchange/@suricata/116844873558861550
These are cute. And cool.
And the different messages that they represent and embrace are part of why I truly love #suricata project and community.
-
Future Suricata contributors start small. These little shirts are a playful community moment, but this is how open source lasts. It stays useful today while remaining open to the people who will shape what comes next.
Some future contributors are still growing into the shirt 🧸
-
Future Suricata contributors start small. These little shirts are a playful community moment, but this is how open source lasts. It stays useful today while remaining open to the people who will shape what comes next.
Some future contributors are still growing into the shirt 🧸
-
#Suricata powers many of today’s leading network detection and response solutions, including Clear NDR Community, which is widely used by practitioners to explore what is possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.
-
#Suricata powers many of today’s leading network detection and response solutions, including Clear NDR Community, which is widely used by practitioners to explore what is possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.
-
Heading to BSides Porto?
Be sure to connect with
@jufajardini . She’ll be there representing Suricata on Saturday.Find her and chat about open source security, and don’t forget to ask her for some Suricata swag.
bsidesporto.org
-
Heading to BSides Porto?
Be sure to connect with
@jufajardini . She’ll be there representing Suricata on Saturday.Find her and chat about open source security, and don’t forget to ask her for some Suricata swag.
bsidesporto.org
-
🚀 SO-CRATES 1.1 is here — now with Light Mode! ☀️
The tool you loved as OhMyPCAP keeps getting better.
Your all-in-one Docker/Podman container for rapid analysis of PCAPs, logs, and binaries just leveled up.
✅ PCAPs → Suricata alerts, rich metadata, ASCII transcripts, stream carving
✅ Logs → Sigma alerts + originals
✅ Binaries → YARA matches + metadataPerfect for air-gapped environments, malware analysis, IR, threat hunting, forensics & teaching.
What’s your preference?
→ Dark Mode 🖤
→ Light Mode ☀️
→ Why not both?
→ Needs glorious 4-color CGA option lol
Comment below!#DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma #DarkMode #LightMode
-
Как работает эта ваша суриката 3 часть
Третья часть цикла статей по разбору устройства работы IDS/IPS решения Suricata. Разберём на практике уязвимость CVE‑2025‑66698 – обход аутентификации в Veda (Semantic Machines) v5.4.8. Запишем трафик с вредоносными запросами и составим suricata-правило, которое детектирует эксплуатацию уязвимости. В статье также приводятся объяснения как работают content, pcre и липкие буферы.
-
Two opportunities to learn more on Suricata this August, at BlackHat.
For those who learn best through real traffic, rules, tuning, and workflow questions, this is one to keep on the radar. Suricata’s value is clearest when you can see it in practice.
-
Two opportunities to learn more on Suricata this August, at BlackHat.
For those who learn best through real traffic, rules, tuning, and workflow questions, this is one to keep on the radar. Suricata’s value is clearest when you can see it in practice.
-
New in Suricata 9 and available in main, the `subslice` transform keyword creates a bounded window from a sticky buffer before content matching.
Jeff Lucovsky covers how it works, with URI-ending, header-skipping, and short User-Agent examples.
https://suricata.io/2026/06/16/suricata-keyword-highlight-subslice-part-1/
-
New in Suricata 9 and available in main, the `subslice` transform keyword creates a bounded window from a sticky buffer before content matching.
Jeff Lucovsky covers how it works, with URI-ending, header-skipping, and short User-Agent examples.
https://suricata.io/2026/06/16/suricata-keyword-highlight-subslice-part-1/
-
SuriCon 2026 is taking shape in Lisbon.
Sponsor support helps make the event possible. Thank you to OPNsense, Léargas Security, Stamus Networks, AWS, and Corelight for helping create space for training, technical conversations, and community work.
Become a sponsor: suricon.net/sponsorships/
-
SuriCon 2026 is taking shape in Lisbon.
Sponsor support helps make the event possible. Thank you to OPNsense, Léargas Security, Stamus Networks, AWS, and Corelight for helping create space for training, technical conversations, and community work.
Become a sponsor: suricon.net/sponsorships/
-
Как работает эта ваша суриката 2 часть
Вторая часть цикла статей о практическом применении Suricata IDS/IPS. Рассмотрим базовые модификаторы Suricata на примерах DNS-запросов и на сетевых атаках. Уделим внимание механизму threshold для предотвращения флуда алертов.
-
Как работает эта ваша суриката
Всем привет! Моя работа связана с анализом сетевого трафика и написанием детектирующих правил Suricata. Я хочу поделиться с вами опытом работы с данным инструментом. Разберёмся в тонкостях работы этого ids/ips решения, научимся писать сигнатурные правила, а также понимать, как их писать для выявления нелегитимной активности.
-
Corelight is joining SuriCon 2026 as a Community Partners sponsor.
Suricata often sits where network visibility, detection, and investigation meet. Corelight connects to that work by bringing Suricata IDS alerts together with Zeek network evidence.
Learn more: corelight.com
-
Corelight is joining SuriCon 2026 as a Community Partners sponsor.
Suricata often sits where network visibility, detection, and investigation meet. Corelight connects to that work by bringing Suricata IDS alerts together with Zeek network evidence.
Learn more: corelight.com
-
Suricata 8.0.5 out in ArchLinux AUR:
https://aur.archlinux.org/packages/suricata
#suricata -
Suricata 8.0.5 out in ArchLinux AUR:
https://aur.archlinux.org/packages/suricata
#suricata -
🚀Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus!
SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.
Here's what you can do with SO-CRATES:
✅analyze pcap files and then review Suricata alerts, metadata, and extracted files
✅import log files and then review Sigma alerts and the original log entries
✅import binary files and then review YARA matches and file metadataAll of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.
Who’s trying it out? Drop a ❤️ and reply with your main use case!
#DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma
-
🚀Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus!
SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.
Here's what you can do with SO-CRATES:
✅analyze pcap files and then review Suricata alerts, metadata, and extracted files
✅import log files and then review Sigma alerts and the original log entries
✅import binary files and then review YARA matches and file metadataAll of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.
Who’s trying it out? Drop a ❤️ and reply with your main use case!
#DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma
-
----------------
🛠️ Tool: Pcap2Timeline - Fast PCAP triage into analyst-friendly CSV output
===================Pcap2Timeline is a lightweight shell script (pcap2csv.sh) that wraps Suricata to transform raw PCAP files into structured CSV datasets. It leverages Suricata's eve.json output and converts it into multiple CSV files, one per event type, plus a chronologically merged timeline.
🔹 Key Features
The script extracts the following event categories from PCAP files:
• Alerts - Suricata rule match notifications
• DNS - Queries and responses
• HTTP - Request and response metadata
• TLS - SNI, certificate information
• FTP - Commands and file transfers
• SMB - Windows file sharing activity
• SSH - Secure shell sessions
• RDP - Remote desktop connections
• Flows - Connection statistics and metadataEach event type gets its own CSV, and a combined capture_timeline.csv merges all events in chronological order. Custom Suricata rules can be applied via the -R flag, enabling targeted detection during triage instead of relying only on default rule sets.
🔹 Technical Implementation
The script is written in POSIX sh with no bashisms, meaning it runs on minimal Unix environments without requiring bash. Dependencies are intentionally sparse: suricata for packet processing and jq for JSON parsing. Standard POSIX utilities handle the rest.
Given an input capture.pcap, the script creates a pcap2csv_output/ directory containing separate CSVs for alerts, DNS, HTTP, TLS, FTP, flows, and the merged timeline.
This integrates cleanly with Eric Zimmerman's Timeline Explorer for interactive filtering and pivoting through the results.
🔹 Setup
sudo apt install suricata jq
sudo suricata-update
git clone https://github.com/mf1d3l/Pcap2Timeline.git
chmod +x pcap2csv.shUsage: ./pcap2csv.sh <input.pcap> [-R <rules-file.rules>]
🔹 Considerations
The tool fills a specific niche: rapid initial triage, not deep analysis. It does not correlate events across categories or generate findings automatically. Analysts still need to interpret the data, but having it pre-organized by event type with a unified timeline significantly reduces orientation time within a new PCAP. The extraction is bounded by what Suricata can detect, so protocols not covered by the loaded rule set will not appear in output.
🔹 tool #PCAP #Suricata #DFIR #networkforensics
🔗 Source: https://github.com/mf1d3l/Pcap2Timeline
-
----------------
🛠️ Tool: Pcap2Timeline - Fast PCAP triage into analyst-friendly CSV output
===================Pcap2Timeline is a lightweight shell script (pcap2csv.sh) that wraps Suricata to transform raw PCAP files into structured CSV datasets. It leverages Suricata's eve.json output and converts it into multiple CSV files, one per event type, plus a chronologically merged timeline.
🔹 Key Features
The script extracts the following event categories from PCAP files:
• Alerts - Suricata rule match notifications
• DNS - Queries and responses
• HTTP - Request and response metadata
• TLS - SNI, certificate information
• FTP - Commands and file transfers
• SMB - Windows file sharing activity
• SSH - Secure shell sessions
• RDP - Remote desktop connections
• Flows - Connection statistics and metadataEach event type gets its own CSV, and a combined capture_timeline.csv merges all events in chronological order. Custom Suricata rules can be applied via the -R flag, enabling targeted detection during triage instead of relying only on default rule sets.
🔹 Technical Implementation
The script is written in POSIX sh with no bashisms, meaning it runs on minimal Unix environments without requiring bash. Dependencies are intentionally sparse: suricata for packet processing and jq for JSON parsing. Standard POSIX utilities handle the rest.
Given an input capture.pcap, the script creates a pcap2csv_output/ directory containing separate CSVs for alerts, DNS, HTTP, TLS, FTP, flows, and the merged timeline.
This integrates cleanly with Eric Zimmerman's Timeline Explorer for interactive filtering and pivoting through the results.
🔹 Setup
sudo apt install suricata jq
sudo suricata-update
git clone https://github.com/mf1d3l/Pcap2Timeline.git
chmod +x pcap2csv.shUsage: ./pcap2csv.sh <input.pcap> [-R <rules-file.rules>]
🔹 Considerations
The tool fills a specific niche: rapid initial triage, not deep analysis. It does not correlate events across categories or generate findings automatically. Analysts still need to interpret the data, but having it pre-organized by event type with a unified timeline significantly reduces orientation time within a new PCAP. The extraction is bounded by what Suricata can detect, so protocols not covered by the loaded rule set will not appear in output.
🔹 tool #PCAP #Suricata #DFIR #networkforensics
🔗 Source: https://github.com/mf1d3l/Pcap2Timeline
-
At the Boston Official Cybersecurity Summit, Dr. Kelley Misata closed with “Trusted by Default: The Open Source Risk Hiding in Plain Sight.”
Her session brought OISF’s open source security perspective into the room and connected it to our work supporting #Suricata.
Thank you to all who joined!
-
At the Boston Official Cybersecurity Summit, Dr. Kelley Misata closed with “Trusted by Default: The Open Source Risk Hiding in Plain Sight.”
Her session brought OISF’s open source security perspective into the room and connected it to our work supporting #Suricata.
Thank you to all who joined!
-
Suricata often enters the workflow before it enters the conversation through SOC distributions, training labs, alert pipelines, vendor products, or rules firing in another interface.
To better understand what Suricata is doing under the hood, start here: https://suricata.io/learn/learning-library/
#Suricata #LearningLibrary -
Suricata often enters the workflow before it enters the conversation through SOC distributions, training labs, alert pipelines, vendor products, or rules firing in another interface.
To better understand what Suricata is doing under the hood, start here: https://suricata.io/learn/learning-library/
#Suricata #LearningLibrary -
Пещера Алладина для безопасника: 754 навыка для AI-агента и что будет, если использовать их для своего NGFW
Разбираемся с открытой библиотекой Agent Skills для кибербезопасности на 754 навыка, показываем, как она устроена, и проводим живой эксперимент: даём агенту Hermes два навыка и просим разобрать реальный IPS-лог и провести аудит правил файрвола – сначала на бесплатной модели Owl Alpha (из-за того что подобную модель при желании можно использовать локально), затем на платной Opus 4.8 (Cloude Security). Сравниваем, где проходит граница между «бесплатно» и «дорого, но качественно». Откуда взялась «пещера» В одну ночь у нас на столе оказались четыре вещи: открытый репозиторий с 754 (!) навыками по ИБ для AI-агентов, автономный агент Hermes от Nous Research, LLM-модели Owl Alpha и Opus 4.8, а также открытое API Ideco NGFW в markdown-формате и соответствующий тестовый сервер. Собрали всё вместе и проверили на что способен AI-native администратор NGFW. Ощущение от первого захода в репозиторий было ровно как у Аладдина в пещере: вокруг сундуки с готовыми playbook'ами, на каждый второй случай из жизни безопасника. Volatility3 для дампов памяти, Zeek для разбора PCAP, Sigma-правила под Kerberoasting, разбор Cobalt Strike beacon, форензика облаков на трёх провайдерах. И ключ ко всему этому богатству – почти любая LLM, которая умеет в tool calling. Проведем эксперимент: два конкретных навыка из сетевой безопасности, один агент, реальные данные. И в конце – где здесь грабли, на которые легко наступить. Что такое Agent Skills и почему это не просто очередные промпты Agent Skills – это открытый формат для расширения возможностей AI-агента специализированными знаниями и рабочими процессами. Вместо того чтобы каждый раз промтом объяснять модели, «как senior-аналитик расследует утечку через DNS-туннель », вы один раз описываете этот workflow в структурированном виде – и подкладываете агенту.
https://habr.com/ru/companies/ideco/articles/1043130/
#llm #llmагент #hermes_agent #IPS #firewall #межсетевой_экран #ideco_ngfw #ideco #Suricata #информационная_безопасность
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)