Releases: cisagov/Malcolm
Malcolm v2.5.0
Malcolm v2.5.0 contains the following changes:
- Updated packaged Yara rules (from github.com/Neo23x0/signature-base, originally github.com/fireeye/sunburst_countermeasures) for Yara scanning of carved files to detect artifacts from the SolarWinds SUNBURST attack
- Version bumps:
- Zeek 3.0.12
- Bison, CMake and LLVM/Clang tools for building Zeek for Docker image and Hedgehog OS ISO
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.
Malcolm v2.4.2
Malcolm v2.4.2 contains the following changes:
- Added code to allow periodic updates of Yara and Capa rules in addition to ClamAV rules for file scanners
- Bumped to Arkime (until recently named Moloch) 2.7.1 and updated all related user-facing code/documentation
- Bump kernel to 5.9.0 for ISO installer
- minor bug fixes and documentation tweaks
Malcolm v2.4.1
Malcolm v2.4.1 contains the following changes:
- Zeek
- added plugin to detect "bad neighbor" (CVE-2020-16898)
- Version bumps
Malcolm v2.4.0.1
Malcolm v2.4.0.1 is a repack of the Malcolm v2.4.0 release with one minor fix for the ISO installers for Malcolm and Hedgehog Linux to fix idaholab#27. The rest of the code is identical. If you are deploying Malcolm with Docker rather than the ISO-installed version, you can ignore this release.
Malcolm v2.4.0
Malcolm v2.4.0 contains the following new features, improvements and bug fixes:
- Extracted file scanning
- added Capa as an optional extracted file scanner
- improvements to the way file scanners work when more than one are enabled
- Version updates
- Zeek plugins
- added Corelight's Zerologon plugin to detect CVE-2020-1472
- Tweaks and bug fixes
- Don't allow docker to mess with firewall rules in Malcolm ISO
- Fix idaholab#26, ISO installers result in blank screen when booting with BIOS
- Fix idaholab#24, install.py won't prompt to change ownership of extracted directory correctly if run as root
- Leave some development packages in place in Hedgehog ISO so that Spicy plugins can be compiled
Malcolm v2.3.0
Malcolm v2.3.0 contains the following new features, improvements and bug fixes:
- Carved file scanning improvements
- Multiple file scanners can now be enabled concurrently (previously only one at a time was allowed)
- Yara added as carved file scanner feeding signatures.log, with Florian Roth's Signature-Base Yara ruleset enabled by default and the ability to provide other Yara signatures under yara/rules under the Malcolm directory (see #148 and #14)
- Bumped versions
- Moloch v2.4.0
- Bug fixes
- #150 docker-compose having issues with start and logs under macOS
- Hedgehog was missing new environment variables for finer control of Zeek local policy behavior
- miscellaneous tweaks to Docker and ISO images (mainly for file size)
idaholab/Malcolm@v2.2.1...v2.3.0
Malcolm v2.2.1
Malcolm v2.2.1 is a very minor bugfix release, fixing the DNP3 dashboard in Kibana (see issue #146).
idaholab/Malcolm@v2.2.0...v2.2.1
Malcolm v2.2.0
Malcolm v2.2.0 is a minor feature release.
- Zeek:
- Update Zeek to 3.0.8
- Include Spicy
- Added ability to disable certain zeek features/parsers using environment variables
- Added Wireguard parser
- Added a few Corelight plugins:
- Corelight's callstranger-detector plugin
- Corelight's ripple20 plugin
- Corelight's SIGred plugin
- Logstash:
- Added parsing for Zeek Wireguard (noise.log)
- Initial work towards mapping Zeek log fields to Elastic Common Schema (see issue #79)
- Disabled by default, can be enabled with LOGSTASH_TO_ECS : 'true' in x-logstash-variables in docker-compose.yml
- not 100% complete. Good first effort, more will be done in the future
- Some fixes to the JA3 signature mapping generation
- ISOs
- Updated Hedgehog and Malcolm ISOs to use 5.6 kernel
- Get virtualbox guest VM debs from unofficial backport rather than building for VM installs
- Documentation
- Documentation, scripts, Vagrantfiles and sample configurations for using Beats to forward host logs to Malcolm
idaholab/Malcolm@v2.1.1...v2.2.0
Malcolm v2.1.1
Malcolm v2.1.1 contains bug fixes and a component version update.
idaholab/Malcolm@v2.1.0...v2.1.1
- Bug Fixes
- Fixed issue #137 (Many permission issues when run as uid:gid other than 1000:1000)
- Version updates
- Moloch 2.3.2
Malcolm v2.1.0
Malcolm v2.1.0 contains new features and bug fixes.
idaholab/Malcolm@v2.0.5...v2.1.0
- Incorporated some new Zeek scripts:
- Cybera's Sniffpass plugin for detecting cleartext passwords in HTTP POST requests
- Andrew Klaus's zeek-httpattacks plugin for detecting noncompliant HTTP requests
- Johanna Amann's CVE-2020-0601 ECC certificate validation plugin
- Kibana
- new "actions and results" dashboard
- sankey diagram
- network visualization
- general improvements and cleanup
- drilldown both directions between Kibana <-> Moloch (issue #133)
- many more links to external URLs for RFCs, port numbers, IANA, etc.
- load all known field mappings at startup
- Parsing/enrichment
- added support for telnet/rsh/rlogin in Zeek and Logstash
- better normalization of "zeek.action" field for many protocols (esp. SNMP and DNP3)
- new normalization of success/result/status/error into "zeek.result"
- NGINX
- Misc bug fixes and improvements
- Version updates
- Zeek 3.0.7
- Moloch 2.3.0