
Malcolm v26.02.0


Released by @mmguero on 19 Feb 22:48 (commit a5c6c91)

Malcolm v26.02.0 fixes a few bugs, updates a few components, and provides some improvements to documentation.

v26.01.0...v26.02.0

  • ✨ Features and enhancements
    • add SURICATA_DISABLE_SIDS to disable noisy suricata rules (#896)
    • allow "offline" Zeek (processing uploaded PCAP) to be able to skip threat intel (#876)
    • add indices:admin/create to the capture_service role for OpenSearch (#885)
  • ✅ Component version updates
  • 🐛 Bug fixes
    • when "no authentication" is chosen, Malcolm still wouldn't start due to a missing htpasswd file (#869)
    • filescan container processes need to handle connection timing issues more resiliently (#888)
    • filescan logs not building zeek.files.extracted_uri correctly for files hosted on Hedgehog Linux (#877)
    • IP Connections Tree left panel ("Trees Mirror") is wrong visualization (#899)
    • Remove /var/lib/suricata/cache contents when building Suricata container image (to reduce size and prevent flagging by AV scanners)
    • fixed the filescan container reporting unhealthy just because the extracted file download service isn't enabled
  • 🧹 Code and project maintenance
    • document ports used in Malcolm <-> Hedgehog communication (#887)
    • document "capture only without forwarding" mode for Hedgehog (#889)
    • other minor documentation improvements
    • store the originating host name in host.name in file scanning results rather than the host name of where the scan was performed (only really makes a difference for Kubernetes deployments)
    • cryptography (Python library) to v46.0.5 (addresses CVE-2026-26007)
    • Pillow (Python library) to v12.1.1 (addresses CVE-2021-25289)
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added REDIS_MAXMEMORY, REDIS_MAXMEMORY_POLICY, REDIS_AUTO_AOF_REWRITE_MIN_SIZE, REDIS_CACHE_MAXMEMORY, and REDIS_CACHE_MAXMEMORY_POLICY to redis.env for tuning the redis and redis-cache containers.
    • Added SURICATA_DISABLE_SIDS to suricata.env for #896
    • Added ZEEK_DISABLE_INTEL_LIVE to zeek-live.env and ZEEK_DISABLE_INTEL_OFFLINE to zeek-offline.env for #876
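The SURICATA_DISABLE_SIDS setting introduced for #896 works on the `sid` keyword that every Suricata rule carries. The following is an added example, not Malcolm's own code, showing the underlying mechanism: take a list of SIDs and comment out the matching rules in a rules file, the same effect that suricata-update's disable.conf has. The comma/whitespace-separated list format and the single-line rule layout are assumptions for this illustration; the sample rules are constructed here and are not from any real ruleset.

```python
import re

# Constructed sample rules for the example (not from any real ruleset).
# One rule per line; rules continued with a trailing backslash are not handled here.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"TEST noisy rule"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"already disabled"; sid:1000002; rev:1;)
alert dns any any -> any 53 (msg:"TEST keep me"; sid:1000003; rev:2;)
alert http any any -> any any (msg:"TEST stays on"; content:"x"; sid:1000004; rev:1;)
"""

# Matches the sid keyword inside a rule's option block, e.g. "sid:1000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_disable_sids(value: str) -> set[int]:
    """Parse a SID list such as "1000001, 1000003" (assumed comma/whitespace format)."""
    return {int(tok) for tok in re.split(r"[,\s]+", value.strip()) if tok}


def disable_sids(rules_text: str, sids: set[int]) -> tuple[str, list[int]]:
    """Comment out every active rule whose sid is in `sids`.

    Returns the rewritten rules text and the list of SIDs actually disabled,
    in file order. Rules that are already commented out are left untouched so
    they are not double-commented and are not reported as newly disabled.
    """
    out_lines: list[str] = []
    disabled: list[int] = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if match and not stripped.startswith("#") and int(match.group(1)) in sids:
            out_lines.append("# " + line)
            disabled.append(int(match.group(1)))
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


if __name__ == "__main__":
    wanted = parse_disable_sids("1000001, 1000002 1000003 9999999")
    rewritten, done = disable_sids(SAMPLE_RULES, wanted)
    print(rewritten)
    print("disabled:", done)
```

Only SIDs that are present and active are reported as disabled, so a typo in the list (such as 9999999 above) is visible by its absence from the returned list rather than failing silently.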

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.