home.social

#zeek β€” Public Fediverse posts

Live and recent posts from across the Fediverse tagged #zeek, aggregated by home.social.

  1. I built IT PCAP Triage - a small offline tool for people who hate digging through PCAPs manually.

    It runs Zeek, Suricata, capinfos and tshark, then generates a compact HTML security report with findings, risky hosts, DNS/TLS/SMB/HTTP summaries, IDS alerts and evidence.

    Still not a SIEM. Still not magic. Just automation for the boring first triage pass.

    0ut3r.space/2026/05/23/it-pcap

    #infosec #pcap #zeek #suricata #python #security

  2. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  3. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  4. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  5. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  6. CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

    Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
      • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
      • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
      • Suricata's HTTP version was not being normalized to network.protocol_version.
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  7. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 β€” use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
      • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • βœ… Component version updates
    • πŸ› Bug fixes
      • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 β€” configuration script can disable ICS parsers unintentionally
      • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 β€” replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 β€” develop IronBank (US DoD) images for Malcolm
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  8. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 β€” use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
      • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • βœ… Component version updates
    • πŸ› Bug fixes
      • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 β€” configuration script can disable ICS parsers unintentionally
      • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 β€” replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 β€” develop IronBank (US DoD) images for Malcolm
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  9. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 β€” use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
      • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • βœ… Component version updates
    • πŸ› Bug fixes
      • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 β€” configuration script can disable ICS parsers unintentionally
      • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 β€” replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 β€” develop IronBank (US DoD) images for Malcolm
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  10. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 β€” use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
      • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • βœ… Component version updates
    • πŸ› Bug fixes
      • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 β€” configuration script can disable ICS parsers unintentionally
      • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 β€” replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 β€” develop IronBank (US DoD) images for Malcolm
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  11. CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring

    Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • #726 β€” use hierarchical structure for NetBox device roles
        • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
      • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
      • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
        • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
        • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
      • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
      • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
      • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
      • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
    • βœ… Component version updates
    • πŸ› Bug fixes
      • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
        • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
        • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
      • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
        • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
        • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
        • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
      • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
        • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
        • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
        • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
      • #957 β€” configuration script can disable ICS parsers unintentionally
      • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
      • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
    • 🧹 Code and project maintenance
      • Documentation improvements
      • #913 β€” replace ingress-nginx which is EOL
        • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
        • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
        • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
        • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
      • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
      • #917 β€” develop IronBank (US DoD) images for Malcolm
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
      • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
    • ❌ Errata
      • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  12. @da_667 i guess my only question would be how come you aren't doing pkt cap and decryption 24/7 #c2 detection #evasive #arkime #zeek #elastic #kibana #splunk #national treasure

  13. @da_667 i guess my only question would be how come you aren't doing pkt cap and decryption 24/7 #c2 detection #evasive #arkime #zeek #elastic #kibana #splunk #national treasure

  14. @da_667 i guess my only question would be how come you aren't doing pkt cap and decryption 24/7 #c2 detection #evasive #arkime #zeek #elastic #kibana #splunk #national treasure

  15. @da_667 i guess my only question would be how come you aren't doing pkt cap and decryption 24/7 #c2 detection #evasive #arkime #zeek #elastic #kibana #splunk #national treasure

  16. #Malcolm (malcolm.fyi) v26.04.1 is out with improvements to file scanning, bug fixes, and other goodness! Details @ github.com/idaholab/Malcolm/releases. Malcolm is a powerful tool suite for NSM πŸ•΅πŸ»β€β™‚οΈ. #Zeek #Arkime #NetBox #Suricata #NetworkTrafficAnalysis #networksecuritymonitoring

  17. CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    v26.02.0...v26.04.1

    Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

    • ✨ Features and enhancements
      • implemented easier way to enable/disable Strelka scanners #935
      • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
      • index selected Strelka result fields #919
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
      • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
      • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [github.com/cisagov/Malcolm/iss]
      • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
      • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
    • 🧹 Code and project maintenance
      • swap redis out for valkey #882
      • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
      • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
      • some documentation updates
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
      • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
      • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
      • STRELKA_SCANNERS has been added to pipeline.env for #935
      • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  18. CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    v26.02.0...v26.04.1

    Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

    • ✨ Features and enhancements
      • implemented easier way to enable/disable Strelka scanners #935
      • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
      • index selected Strelka result fields #919
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
      • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
      • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [github.com/cisagov/Malcolm/iss]
      • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
      • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
    • 🧹 Code and project maintenance
      • swap redis out for valkey #882
      • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
      • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
      • some documentation updates
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
      • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
      • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
      • STRELKA_SCANNERS has been added to pipeline.env for #935
      • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  19. CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    v26.02.0...v26.04.1

    Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

    • ✨ Features and enhancements
      • implemented easier way to enable/disable Strelka scanners #935
      • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
      • index selected Strelka result fields #919
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
      • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
      • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [github.com/cisagov/Malcolm/iss]
      • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
      • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
    • 🧹 Code and project maintenance
      • swap redis out for valkey #882
      • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
      • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
      • some documentation updates
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
      • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
      • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
      • STRELKA_SCANNERS has been added to pipeline.env for #935
      • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  20. CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    v26.02.0...v26.04.1

    Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

    • ✨ Features and enhancements
      • implemented easier way to enable/disable Strelka scanners #935
      • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
      • index selected Strelka result fields #919
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
      • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
      • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [github.com/cisagov/Malcolm/iss]
      • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
      • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
    • 🧹 Code and project maintenance
      • swap redis out for valkey #882
      • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
      • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
      • some documentation updates
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
      • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
      • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
      • STRELKA_SCANNERS has been added to pipeline.env for #935
      • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  21. CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

    If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

    v26.02.0...v26.04.1

    Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

    • ✨ Features and enhancements
      • implemented easier way to enable/disable Strelka scanners #935
      • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
      • index selected Strelka result fields #919
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
      • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
      • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [github.com/cisagov/Malcolm/iss]
      • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
      • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
    • 🧹 Code and project maintenance
      • swap redis out for valkey #882
      • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
      • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
      • some documentation updates
    • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
      • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
      • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
      • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
      • STRELKA_SCANNERS has been added to pipeline.env for #935
      • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  22. ----------------

    πŸ› οΈ Tool: Malcolm β€” Network Traffic Analysis Suite
    ===================

    Opening
    Malcolm is an integrated, open-source network traffic analysis suite designed to normalize, enrich, and correlate packet captures and security logs for investigation and monitoring. The platform accepts full PCAP files, Zeek logs, and Suricata alerts and exposes both visualization and session-level inspection through OpenSearch Dashboards and Arkime.

    Key Features
    β€’ Ingestion: supports PCAP, Zeek logs, and Suricata alerts from uploads or lightweight forwarders.
    β€’ Normalization & Enrichment: automatic parsing and enrichment of network artifacts to aid correlation.
    β€’ Dual interfaces: OpenSearch Dashboards for aggregated visualizations and prebuilt dashboards, and Arkime for session search and packet-level review.
    β€’ Deployment model: containerized components isolate functions and allow modular scaling.
    β€’ Security & licensing: communications are encrypted via industry-standard protocols and the suite is distributed under the Apache License, version 2.0.

    Technical Implementation
    Malcolm is architected as a cluster of containers where each service performs a defined role (ingest, parsing, indexing, visualization, session capture). Data normalization pipelines convert raw PCAP and IDS output into structured indices suitable for OpenSearch and session reconstruction for Arkime. Forwarders enable passive or active forwarding of log streams into the ingestion pipeline.

    Use Cases
    β€’ Long-term SOC network monitoring with searchable dashboards and session retrieval.
    β€’ Incident response: rapid ingestion of PCAP evidence and session-level triage via Arkime.
    β€’ Forensic analysis where correlation between IDS alerts, Zeek metadata, and raw packets is required.
    β€’ Extensible parsing for specialized environments, including planned expansion for ICS protocol visibility.

    Limitations & Considerations
    β€’ Malcolm aggregates several existing open-source projects; operational behavior depends on each component's constraints (indexing scale, storage needs, and retention policies).
    β€’ Large PCAP volumes and high-throughput environments require careful sizing of indexing and storage layers.
    β€’ Ongoing development focus on ICS protocol parsers indicates current industrial control systems visibility is limited compared to general network traffic analysis.

    Conclusion
    Malcolm provides an integrated, permissively licensed framework that combines packet-level session search with scalable dashboards and log enrichment, suitable for SOCs and incident responders that require a container-friendly, open-source stack. #tool #PCAP #Zeek #Suricata #Arkime

    πŸ”— Source: github.com/idaholab/Malcolm

  23. Built a production SOC for my home/mobile infra. Sharing it.

    #AEGIS is a unified threat intelligence platform running on a single Linux server:

    β†’ DNS sinkhole (port 53, custom blocklists)
    β†’ Suricata IDS in AF-packet passive mode + ClamAV on filestore
    β†’ Zeek NSM (http, ssl, dns, conn, weird, notice)
    β†’ ModSecurity WAF β€” OWASP CRS 4.22, full enforcement
    β†’ Fail2Ban + auditd
    β†’ Rust orchestrator aggregating all event sources into one REST/WS API

    Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

    One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE β€” passive only. No inline mode that can brick SSH access.

    aegis.centurialabs.pl

    #infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

  24. Built a production SOC for my home/mobile infra. Sharing it.

    #AEGIS is a unified threat intelligence platform running on a single Linux server:

    β†’ DNS sinkhole (port 53, custom blocklists)
    β†’ Suricata IDS in AF-packet passive mode + ClamAV on filestore
    β†’ Zeek NSM (http, ssl, dns, conn, weird, notice)
    β†’ ModSecurity WAF β€” OWASP CRS 4.22, full enforcement
    β†’ Fail2Ban + auditd
    β†’ Rust orchestrator aggregating all event sources into one REST/WS API

    Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

    One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE β€” passive only. No inline mode that can brick SSH access.

    aegis.centurialabs.pl

    #infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

  25. Built a production SOC for my home/mobile infra. Sharing it.

    #AEGIS is a unified threat intelligence platform running on a single Linux server:

    β†’ DNS sinkhole (port 53, custom blocklists)
    β†’ Suricata IDS in AF-packet passive mode + ClamAV on filestore
    β†’ Zeek NSM (http, ssl, dns, conn, weird, notice)
    β†’ ModSecurity WAF β€” OWASP CRS 4.22, full enforcement
    β†’ Fail2Ban + auditd
    β†’ Rust orchestrator aggregating all event sources into one REST/WS API

    Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

    One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE β€” passive only. No inline mode that can brick SSH access.

    aegis.centurialabs.pl

    #infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

  26. Built a production SOC for my home/mobile infra. Sharing it.

    #AEGIS is a unified threat intelligence platform running on a single Linux server:

    β†’ DNS sinkhole (port 53, custom blocklists)
    β†’ Suricata IDS in AF-packet passive mode + ClamAV on filestore
    β†’ Zeek NSM (http, ssl, dns, conn, weird, notice)
    β†’ ModSecurity WAF β€” OWASP CRS 4.22, full enforcement
    β†’ Fail2Ban + auditd
    β†’ Rust orchestrator aggregating all event sources into one REST/WS API

    Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

    One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE β€” passive only. No inline mode that can brick SSH access.

    aegis.centurialabs.pl

    #infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

  27. Built a production SOC for my home/mobile infra. Sharing it.

    #AEGIS is a unified threat intelligence platform running on a single Linux server:

    β†’ DNS sinkhole (port 53, custom blocklists)
    β†’ Suricata IDS in AF-packet passive mode + ClamAV on filestore
    β†’ Zeek NSM (http, ssl, dns, conn, weird, notice)
    β†’ ModSecurity WAF β€” OWASP CRS 4.22, full enforcement
    β†’ Fail2Ban + auditd
    β†’ Rust orchestrator aggregating all event sources into one REST/WS API

    Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

    One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE β€” passive only. No inline mode that can brick SSH access.

    aegis.centurialabs.pl

    #infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

  28. @da_667 you need a ssl/tls proxy to really see more of the traffic, don't categorize it as some sort of thing that is optional when all the big guys lean heavily on it to more fully inspect traffic flows #dpi #cert #zeek #suricata #framing

    You're absolutely right to frame it this way. The "TLS kills IDS/IPS" argument is one of those oversimplifications that sounds clever but misses the point entirely. Encryption doesn't make threats invisible - it just changes where and how you look for them.
    The Proxy Reality Check

    @da_667 hits the nail on the head - SSL/TLS inspection isn't optional if you want visibility, it's foundational. The "big guys" (Cisco, Palo Alto, Zscaler) aren't running proxies because they have money to burn - they're doing it because you can't inspect what you can't see.

    But here's where Chapter 10 can really shine - showing that inspection exists on a spectrum:
    Invasive Approaches (The Proxy Path)

    Full MITM decryption with corporate certificates

    What you gain: Complete visibility into application-layer threats, data exfiltration attempts, hidden C2 channels

    What you sacrifice: Performance overhead, privacy considerations, certificate management headaches

    The reality check: This is how enterprises actually catch advanced threats

    Non-Invasive Approaches (Metadata & Behavior)

    Zeek: Still extracts certificates, SNI, JA3 fingerprints, tunnel durations - even from encrypted flows

    Suricata: Can match on encrypted traffic patterns, detect known C2 fingerprints without decryption

    Flow data: Connection patterns tell stories - beaconing intervals, data asymmetries, strange destination patterns

    TLS handshake analysis: Cipher suite choices, certificate chains, extensions - all potential indicators

    The Real Takeaway

    The "TLS kills visibility" crowd forgets that threats still have to:

    Establish connections (handshake analysis)

    Talk to specific infrastructure (reputation/feeds)

    Behave like threats (behavioral analysis)

    Leave metadata trails (Zeek logs don't lie)

    Your Chapter 10 should hammer home that visibility is a spectrum, not binary. Some threats require full decryption. Others get caught by the metadata they can't avoid generating. And the best detection strategies use both.

    What specific angle are you taking with the invasive vs non-invasive comparison? Are you showing them as complementary layers or competing approaches?

  29. Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

    Check βœ…οΈ it out:
    github.com/idaholab/Malcolm

    #cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

  30. Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

    Check βœ…οΈ it out:
    github.com/idaholab/Malcolm

    #cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

  31. Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

    Check βœ…οΈ it out:
    github.com/idaholab/Malcolm

    #cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

  32. Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

    Check βœ…οΈ it out:
    github.com/idaholab/Malcolm

    #cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

  33. Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

    Check βœ…οΈ it out:
    github.com/idaholab/Malcolm

    #cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

  34. πŸ”§ Malcolm Integration
    bash

    # Malcolm's zeekctl.cfg or local.zeek
    redef SSL::root_certs += {
    ["PolarProxy Root CA"] = "/opt/polarproxy/certs/rootCA.pem"
    };

    # In Malcolm's docker-compose.yml, ensure port mapping:
    # zeek:
    # ports:
    # - "57012:57012/tcp" # For PolarProxy PCAP feed

    30 protocols but what about hashcat - how many protocols now?

    Hashcat Protocol Support Count - As of hashcat v6.2.6 (latest stable), here are the current protocol/hash mode counts:
    Total Protocols/Hash Modes: 423+

    (This number grows with nearly every release) #hashcat,net #zeek

  35. Made a transparent network bridge on which sits between router & switch, monitoring traffic for , and capture and analyze packets β†’ ships β†’ with ingest pipeline β†’ setup of dashboard to visualise data is defined in flake itself so using the flake will give the same dashboard. details here codeberg.org/adingbatponder/re
    Hardware: HP EliteDesk 800 G1 SFF 16Gb RAM & jacob.de/produkte/Intel-Ethern

  36. Made a transparent network bridge on #NixOS which sits between router & #LAN switch, monitoring traffic for #IDS #intrusiondetection , #Suricata and #Zeek capture and analyze packets β†’ #Filebeat ships #logs β†’ #Elasticsearch with #GeoIP ingest pipeline β†’ #Grafana setup of dashboard to visualise data is defined in flake itself so using the flake will give the same dashboard. #flake details here codeberg.org/adingbatponder/re
    Hardware: HP EliteDesk 800 G1 SFF 16Gb RAM & jacob.de/produkte/Intel-Ethern #i350t4

  37. Made a transparent network bridge on #NixOS which sits between router & #LAN switch, monitoring traffic for #IDS #intrusiondetection , #Suricata and #Zeek capture and analyze packets β†’ #Filebeat ships #logs β†’ #Elasticsearch with #GeoIP ingest pipeline β†’ #Grafana setup of dashboard to visualise data is defined in flake itself so using the flake will give the same dashboard. #flake details here codeberg.org/adingbatponder/re
    Hardware: HP EliteDesk 800 G1 SFF 16Gb RAM & jacob.de/produkte/Intel-Ethern #i350t4

  38. Made a transparent network bridge on #NixOS which sits between router & #LAN switch, monitoring traffic for #IDS #intrusiondetection , #Suricata and #Zeek capture and analyze packets β†’ #Filebeat ships #logs β†’ #Elasticsearch with #GeoIP ingest pipeline β†’ #Grafana setup of dashboard to visualise data is defined in flake itself so using the flake will give the same dashboard. #flake details here codeberg.org/adingbatponder/re
    Hardware: HP EliteDesk 800 G1 SFF 16Gb RAM & jacob.de/produkte/Intel-Ethern #i350t4

  39. Made a transparent network bridge on #NixOS which sits between router & #LAN switch, monitoring traffic for #IDS #intrusiondetection , #Suricata and #Zeek capture and analyze packets β†’ #Filebeat ships #logs β†’ #Elasticsearch with #GeoIP ingest pipeline β†’ #Grafana setup of dashboard to visualise data is defined in flake itself so using the flake will give the same dashboard. #flake details here codeberg.org/adingbatponder/re
    Hardware: HP EliteDesk 800 G1 SFF 16Gb RAM & jacob.de/produkte/Intel-Ethern #i350t4

  40. CW: Release notes for v25.12.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
      • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
      • self-signed certificates not accepted by Chrome (#833)
      • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  41. CW: Release notes for v25.12.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
      • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
      • self-signed certificates not accepted by Chrome (#833)
      • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  42. CW: Release notes for v25.12.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
      • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
      • self-signed certificates not accepted by Chrome (#833)
      • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

  43. CW: Release notes for v25.12.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring

    Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

    github.com/idaholab/Malcolm/co

    • ✨ Features and enhancements
      • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
    • βœ… Component version updates
    • πŸ› Bug fixes
      • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
      • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
      • self-signed certificates not accepted by Chrome (#833)
      • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
    • 🧹 Code and project maintenance

    Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

    Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

    Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

    As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

    #Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL