Releases: cisagov/Malcolm

Malcolm v26.04.0

07 Apr 07:18
efbbb97

Malcolm v26.04.0 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.0

  • ✨ Features and enhancements
    • implemented easier way to enable/disable Strelka scanners #935
    • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
    • index selected Strelka result fields #919
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
    • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting (#915)
    • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
    • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
  • 🧹 Code and project maintenance
    • swap redis out for valkey #882
    • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
    • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
    • some documentation updates
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added ARKIME_PCAP_LIBPCAP to arkime.env should users wish to revert to the older libpcap mode for PCAP file processing rather than the faster scheme-based processing (default false)
    • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
    • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
    • STRELKA_SCANNERS has been added to pipeline.env for #935
    • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)
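The CI hardening item in the maintenance list above (pinning third-party GitHub Actions to known good commit SHAs, #933) is the kind of control that silently regresses the next time someone adds a workflow with `uses: some/action@v4`. The script below is an added example and not Malcolm's own code: it scans the `uses:` references in a workflow file and reports every third-party action that is not pinned to a full 40-character commit SHA. The workflow text and the SHA in it are constructed for illustration; actions local to the repository (`./...`) and `docker://` images are classified separately rather than flagged, because an image is pinned by a digest and needs a different check.

```python
import re

# Constructed sample workflow (not taken from Malcolm's repository); the SHA below
# is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3  # constructed placeholder SHA
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - name: run
        run: echo hi
"""

# Matches a "uses:" step key, with or without the leading list dash and quotes,
# capturing the reference up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Classify one uses: reference.

    'pinned'   = third-party action at a full commit SHA
    'unpinned' = third-party action at a tag, branch, or with no ref at all
    'local'    = action that lives inside this repository
    'docker'   = container image (should be checked by digest instead)
    """
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        return 'unpinned'
    version = ref.rsplit('@', 1)[1]
    return 'pinned' if FULL_SHA_RE.match(version) else 'unpinned'


def find_unpinned(workflow_text):
    """Return [(line_no, ref), ...] for every third-party action not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == 'unpinned':
            findings.append((line_no, m.group(1)))
    return findings


if __name__ == '__main__':
    # In a real repository, read each file under .github/workflows/ instead.
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref} is not pinned to a commit SHA')
```

A mutable tag such as `v4` or a branch such as `master` resolves to whatever commit the upstream repository currently points it at, so pinning to a SHA freezes exactly which code runs with the workflow's tokens and secrets. The pin is only as trustworthy as the review done when it was chosen, and it should be bumped deliberately (with the new commit looked at) rather than by letting a tag float.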

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.
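Reassembling the split ISO is a concatenation of the chunks in numeric order, and the step worth not skipping is comparing the result against a checksum obtained out of band before booting from it. The Python below is an added example, not the project's release_cleaver.sh: it assumes chunk files named `<iso name>.01`, `<iso name>.02`, ... (an assumption for this example, not the page's documented naming), joins them in order while streaming a SHA-256, refuses to keep the output if the digest differs from the expected value, and fails if a chunk is missing from the sequence. The demo chunks are constructed in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Chunk names are assumed to be "<base>.<digits>", e.g. example.iso.01
# (an assumption for this example, not the project's documented scheme).
CHUNK_NUM_RE = re.compile(r'^\d+$')


def find_chunks(directory, base_name):
    """Return [(number, path), ...] for base_name's chunks, sorted and checked for gaps."""
    chunks = []
    for p in Path(directory).iterdir():
        if not p.is_file() or not p.name.startswith(base_name + '.'):
            continue
        suffix = p.name[len(base_name) + 1:]
        if CHUNK_NUM_RE.match(suffix):
            chunks.append((int(suffix), p))
    if not chunks:
        raise FileNotFoundError(f'no chunks for {base_name} in {directory}')
    chunks.sort()
    numbers = [n for n, _ in chunks]
    if numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError(f'chunk sequence has gaps or duplicates: {numbers}')
    return chunks


def reassemble(directory, base_name, expected_sha256, buf_size=1 << 20):
    """Concatenate the chunks into <directory>/<base_name>, hashing as the data is copied.

    The output is deleted and ValueError raised if the SHA-256 does not match,
    so a truncated or tampered download never survives as a usable image.
    """
    chunks = find_chunks(directory, base_name)
    out_path = Path(directory) / base_name
    digest = hashlib.sha256()
    with out_path.open('wb') as out:
        for _, chunk in chunks:
            with chunk.open('rb') as src:
                while True:
                    buf = src.read(buf_size)
                    if not buf:
                        break
                    digest.update(buf)
                    out.write(buf)
    actual = digest.hexdigest()
    if actual != expected_sha256.lower():
        out_path.unlink()
        raise ValueError(f'SHA-256 mismatch: expected {expected_sha256}, got {actual}')
    return out_path, actual


def write_demo_chunks(directory, base_name, chunk_size):
    """Write constructed sample chunks and return (sha256 of the whole, total size)."""
    payload = b'CONSTRUCTED-SAMPLE-ISO-BYTES-' * 400  # 11600 bytes of stand-in data
    for i in range(0, len(payload), chunk_size):
        n = i // chunk_size + 1
        (Path(directory) / f'{base_name}.{n:02d}').write_bytes(payload[i:i + chunk_size])
    return hashlib.sha256(payload).hexdigest(), len(payload)


def demo():
    """End-to-end run on constructed chunks: returns (good_join_ok, size, mismatch_caught)."""
    with tempfile.TemporaryDirectory() as d:
        expected, size = write_demo_chunks(d, 'example.iso', chunk_size=5000)
        path, actual = reassemble(d, 'example.iso', expected)
        good = actual == expected and path.stat().st_size == size
        try:
            reassemble(d, 'example.iso', '0' * 64)  # wrong digest: output must be discarded
            caught = False
        except ValueError:
            caught = True
    return good, size, caught


if __name__ == '__main__':
    print(demo())
```

Hashing while copying means the multi-gigabyte image is read only once, and deleting the output on mismatch avoids leaving a plausible-looking but unverified ISO on disk for someone else to pick up later.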

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v26.02.0

19 Feb 22:48
f768822

Malcolm v26.02.0 fixes a few bugs, updates a few components, and provides some improvements to documentation.

v26.01.0...v26.02.0

  • ✨ Features and enhancements
    • add SURICATA_DISABLE_SIDS to disable noisy suricata rules (#896)
    • allow "offline" Zeek (processing uploaded PCAP) to be able to skip threat intel (#876)
    • add indices:admin/create to the capture_service role for OpenSearch (#885)
  • ✅ Component version updates
  • 🐛 Bug fixes
    • choosing "no authentication" Malcolm still won't start due to missing htpasswd (#869)
    • filescan container processes need to handle connection timing issues more resiliently (#888)
    • filescan logs not building zeek.files.extracted_uri correctly for files hosted on Hedgehog Linux (#877)
    • IP Connections Tree left panel ("Trees Mirror") is wrong visualization (#899)
    • Remove /var/lib/suricata/cache contents when building Suricata container image (to reduce size and prevent flagging by AV scanners)
    • Fixed filescan container returning unhealthy just because the extracted file download service isn't enabled
  • 🧹 Code and project maintenance
    • document ports used in Malcolm <-> Hedgehog communication (#887)
    • document "capture only without forwarding" mode for Hedgehog (#889)
    • other minor documentation improvements
    • store the originating host name in host.name in file scanning results rather than the host name of where the scan was performed (only really makes a difference for Kubernetes deployments)
    • cryptography (Python library) to v46.0.5 (addresses CVE-2026-26007)
    • Pillow (Python library) to v12.1.1 (addresses CVE-2021-25289)
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added REDIS_MAXMEMORY, REDIS_MAXMEMORY_POLICY, REDIS_AUTO_AOF_REWRITE_MIN_SIZE, REDIS_CACHE_MAXMEMORY, and REDIS_CACHE_MAXMEMORY_POLICY to redis.env for tuning the redis and redis-cache containers.
    • Added SURICATA_DISABLE_SIDS to suricata.env for #896
    • Added ZEEK_DISABLE_INTEL_LIVE to zeek-live.env and ZEEK_DISABLE_INTEL_OFFLINE to zeek-offline.env for #876

Malcolm v26.01.0

30 Jan 19:41
9f0b2f6

Malcolm v26.01.0 introduces a complete overhaul of its automatic file scanning capability, replacing its file scanning framework with Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response." This new framework offers more features and greater extensibility for developing future analytics. The release also includes several bug fixes and component version updates.

v25.12.1...v26.01.0

  • ✨ Features and enhancements

    • Malcolm's automatic file scanning capability now runs on Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response," providing more features and improved extensibility for future analytics. Some settings, especially which scanners are enabled or disabled, may require manual configuration. See the documentation for details. (#485)
    • Enabled fuzzy hashing (SSDeep, TLSH), in addition to SHA256, for all Zeek-scanned files (#859)
    • Added additional health check data (Redis, etc.) to the /mapi/ready API
    • Major performance improvements to the Logstash parse pipeline:
      • Replaced the cidr filter with a custom Ruby filter
      • Changed "broadcast-and-drop" communication between pipelines to more targeted messaging
      • Reworked the "compact event" filter to remove empty/null values before indexing
    • Enabled MAC addresses in Suricata events (#866)
    • Enabled parsing of JA4D log generated by Zeek alongside dhcp.log (#870)
    • Strip out test PCAP from Zeek image (#872) to reduce image size and prevent image scanners from triggering false positives for the PCAPs' contents
    • Improvements to the IP Connections Tree dashboard
  • ✅ Component version updates

  • 🐛 Bug fixes

    • Malcolm API Loopback Monitor was being created multiple times (#856)
    • Disabled hardware NIC timestamping for capture (#851)
    • Fixed error in stun_nat log parsing with multiple WAN addresses (#849)
    • Fixed pruning of old log files (#855)
    • zeek_intel_setup.sh could leave an orphaned lock file if the container is killed, blocking future intel pulls (#843)
    • Fixed various parsing/templating issues for uploaded Windows Event (.evtx) files
    • Added text/php to "interesting" MIME types, and added application/html, application/ocsp-response, application/x-pem-file, application/xhtml+xml, application/xml-sitemap, text/css, text/html, text/ini to "common/plain text" MIME types for extraction/scanning decisions
    • pcap-monitor container not honoring maximum PCAP file size (#864)
  • ⚰️ Breaking changes and removed or deprecated functionality

    • The VirusTotal API key (VTOT_API2_KEY) environment variable for submitting extracted file SHA sums is no longer used. This functionality can now be achieved via the Google Threat Intelligence service (VirusTotal is now part of Google Threat Intelligence) or any supported intelligence feed.
    • Adding a new log source parsing pipeline to Logstash no longer uses LOGSTASH_PARSE_PIPELINE_ADDRESSES. The new method uses a mapping file, described in the documentation.
    • EXTRACTED_FILE_ENABLE_CAPA, EXTRACTED_FILE_ENABLE_CLAMAV, and EXTRACTED_FILE_ENABLE_YARA are no longer used; scanners are now configured via the Strelka backend config file. See the documentation.
    • The definition of a file scanner "hit" is now more nuanced. quarantine/ and preserved/ subdirectories are no longer used in the Extracted Files web interface. Extracted files are more easily browsed and downloaded from the Files or File Scanning dashboards in OpenSearch Dashboards.
    • Malcolm's Zeek container image now places Zeek-related files under /usr/local/zeek instead of /opt/zeek. Update any custom volume mounts or references to /opt/zeek.
  • 🧹 Code and project maintenance

    • Moved most scripts from ./shared/bin to their respective container folders. ./shared/bin/ now only contains scripts shared across multiple containers.
    • Updated Dockerfile syntax (ENV/ARG) to recommended format
    • Updated copyright year (2025 -> 2026)
    • Based the Malcolm Zeek image on the official Zeek image instead of building a custom image
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

    • Updated default NetBox-enriched datasets (LOGSTASH_NETBOX_ENRICHMENT_DATASETS in logstash.env): filescan.strelka, suricata.alert, zeek.conn, zeek.dce_rpc, zeek.dhcp, zeek.dns, zeek.known_hosts, zeek.known_routers, zeek.known_services, zeek.login, zeek.ntlm, zeek.notice, zeek.rdp, zeek.rfb, zeek.signatures, zeek.smb_cmd, zeek.smb_files, zeek.smb_mapping, zeek.software, zeek.ssh, zeek.weird
    • Added FILEBEAT_SCANNER_FINGERPRINT_OFFSET and FILEBEAT_SCANNER_FINGERPRINT_LENGTH in filebeat.env to customize FileBeat filestream .file_identity and .prospector.scanner.fingerprint. See here, here, and here. FILEBEAT_WATCHER_POLLING now controls native- vs. fingerprint-based file identification.
    • Added filescan.env, filescan-secret.env, and pipeline.env; added variables to redis.env for Strelka-based file scanning. zeek-secret.env has been removed, with its values now in filescan-secret.env. Many values from zeek.env are now in filescan.env or [pipeline.env](https://gi...

Malcolm v25.12.1

17 Dec 23:11
ecaae70

Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

idaholab/Malcolm@v25.12.0...v25.12.1

  • ✨ Features and enhancements
    • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
    • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
    • self-signed certificates not accepted by Chrome (#833)
    • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
  • 🧹 Code and project maintenance
    • Added new Analytics section to documentation

Malcolm v25.12.0

03 Dec 22:28
579c8b5

Malcolm v25.12.0 includes a unification of the Malcolm and Hedgehog Linux ISO-installed base OS platform, component updates, other new features and improvements, and several bug fixes.

v25.11.0...v25.12.0

Malcolm v25.11.0

03 Nov 23:25
4a9ad9a

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

v25.09.0...v25.11.0

  • ✨ Features and enhancements
    • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
    • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connections between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
    • Updates to the Validated Design Architecture Review (VADR) dashboards.
    • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Double imports when restarting Malcolm (#588) (thanks @KchChr)
  • 🧹 Code and project maintenance
    • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
    • Malcolm
      • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm v25.09.0

24 Sep 20:42
edff424

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

v25.08.1...v25.09.0

  • ✨ Features and enhancements
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Python code handling X-Forwarded- headers should do case insensitive lookup (#764)
    • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (#774)
    • installer option for encrypted storage is not marking secondary data/artifact storage for encryption (#779)
    • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (#761)
    • Failed shard query error on Overview dashboard (#754)
  • 🧹 Code and project maintenance
    • refactor GitHub build actions for Malcolm Docker images to reduce duplication (#717)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
    • Malcolm
      • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (#769)
      • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (#724)

Malcolm v25.08.1

28 Aug 22:11
11fa489

Malcolm v25.08.1 consists of several major component updates and a few bug fixes.

v25.08.0...v25.08.1

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

  • ✨ Features and enhancements
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Query workbench (SQL and PPL) is broken due to something to do with network index pattern field aliases (cisagov/Malcolm#746)
    • Zeek containers need to be limited in max number of open files or memory grows very large (cisagov/Malcolm#747)
    • avoid OpenSearch search shard failures by including unspecified roles in indexes during NetBox enrichment (cisagov/Malcolm#749)
    • differences in MISP object/attribute formatting cause Malcolm to ignore some threat feed indicators (cisagov/Malcolm#753)
    • NetBox sites used for development testing included in release artifacts (cisagov/Malcolm#755)
    • wipe script no longer removes .gitignore files
  • 🧹 Code and project maintenance
    • Standardized the way Python scripts in Malcolm (both in the containers and the control scripts) do debug/informational logging (increase logging level with -v, -vv, -vvv, etc.)
    • Removed vagrant-sshfs requirement from vagrant-based ISO builds in favor of Vagrant's builtin rsync mechanism

Malcolm v25.08.0

07 Aug 21:23
22421bb

Malcolm v25.08.0 is a minor release fixing a regression bug inadvertently introduced in v25.07.0.

v25.07.0...v25.08.0

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

  • ✨ Features and enhancements
    • Performance improvements to the clean-processed-folder.py script in the filebeat container responsible for pruning already-processed Zeek and Suricata log files (#736)
  • 🐛 Bug fixes
    • Malcolm fields are not created in Arkime (#735)
      • Due to this commit, the order in which the Arkime fields database was initialized and the WISE service started was switched, which resulted in the initial run of capture (responsible for populating Malcolm's custom fields) failing. The order of these operations has been corrected.
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
    • FILEBEAT_CLEANUP_VERBOSITY was added to filebeat.env to control the verbosity of the clean-processed-folder.py script mentioned above in relation to #736. For example, setting FILEBEAT_CLEANUP_VERBOSITY=-vvvv corresponds to the DEBUG log level and will produce output like this once per minute:
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 2099 Zeek processed directory files to consider.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 135 Zeek live directory files to consider.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 2099 Zeek processed directory files at a rate of 10804 files/second.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 135 Zeek live directory files at a rate of 1411 files/second.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 161 Suricata files to consider.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 161 Suricata files at a rate of 18018 files/second.
    filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Finished pruning files.
    

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.07.0 (see note about regression bug)

30 Jul 19:49
8e3defc

NOTE: A regression has been found (#735) in v25.07.0 that can cause the Malcolm fields to not get populated in Arkime's fields database when a new Malcolm instance is initialized. A fix is in the works. It's recommended you wait to upgrade until v25.08.0 (which should be released 2025-08-06).

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

v25.06.0...v25.07.0

  • ✨ Features and enhancements
    • Add IANA service name and description enrichment to Zeek's known_services.log (#705)
    • Improve the speed of pruning files (#710)
    • allow multiple instances of Suricata in PCAP processing mode via UNIX socket (#707)
    • expose Arkime WISE tagging features to the user (#377)
    • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (#702)
    • handle new OPCUA Binary summary logs (#709)
    • incorporate new ANSI C12.22 parser and add corresponding dashboard (#708)
    • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
    • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
  • ✅ Component version updates
  • 🐛 Bug fixes
    • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (#712)
    • packet capture statistics dashboard not working in Kibana (#704)
    • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (#713)
    • log fingerprinting needs to be examined to avoid unintentional collisions (#715)
    • install.py issues in Rocky Linux, Almalinux (#385)
    • OpenSearch container health check issue when OpenSearch is disabled (#716)
    • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (#701)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
    • Malcolm
      • VIEWER removed from arkime-live.env as its behavior is handled internally and should not be user-settable
      • VIEWER and WISE removed from arkime-offline.env as their behavior is handled internally and should not be user-settable
      • ARKIME_WISE_CONFIG_PIN_CODE and its default value added to arkime-secret.env, used for making changes to the WISE config in the WISE GUI
      • ARKIME_WISE_SERVICE_URL and its default value added to arkime-secret.env for specifying the connection to the WISE service
      • ARKIME_EXPOSE_WISE_GUI and ARKIME_ALLOW_WISE_GUI_CONFIG added to arkime.env to control the WISE GUI viewer/editor capability
      • LS_JAVA_OPTS in logstash.env changed its default heap size from 2500m to 3g
      • REMOTE_AUTH_HEADER, REMOTE_AUTH_USER_EMAIL, REMOTE_AUTH_USER_FIRST_NAME, and REMOTE_AUTH_USER_LAST_NAME values (not really used) changed in netbox.env as part of some reverse proxy HTTP header standardization
      • SURICATA_AUTO_ANALYZE_PCAP_PROCESSES added with its default, and the meaning and default of SURICATA_AUTO_ANALYZE_PCAP_THREADS changed in suricata-offline.env as part of #707
      • ZEEK_DISABLE_IANA_LOOKUP added to zeek.env as part of #705
      • variables related to ANSI C12.22 added to zeek.env to control analyzer and log output as part of #708
    • Hedgehog Linux
      • ARKIME_WISE_PLUGIN and ARKIME_WISE_URL added as part of #377
      • ZEEK_DISABLE_IANA_LOOKUP added as part of #705
      • variables related to ANSI C12.22 added as part of #708
  • 🧹 Code and project maintenance
    • remove duplication and consolidate navigation pane content across all dashboards (#718)
    • standardized X-Forwarded- headers used internally by reverse proxy for RBAC
    • some cleanup/standardization of Ruby code used by Logstash to make it more idiomatic
