
Releases: cisagov/Malcolm

Malcolm v1.8.1

10 Jan 20:16
2d09b51

idaholab/Malcolm@v1.8.0...v1.8.1

  • Update to Elastic stack 7.5.1 (and, hopefully, fixed all the compatibility issues that arose)
  • Moloch version 2.1.2
  • fix issues with initial build and download of maxmind geoip database files
  • documentation updates and fixes
  • some improvements to help with higher bitrate capture (increasing ring buffer sizes)
  • improvements to ISO for Malcolm (aggregator) and Hedgehog (sensor)

Malcolm v1.8.0

12 Dec 15:59
26c5b30

idaholab/Malcolm@v1.7.2...v1.8.0

  • build scripts for network sensor OS installable and live ISO, Hedgehog Linux
  • authentication against an LDAP server (tested against Microsoft Active Directory Domain Services in Windows Server 2016 and OpenLDAP, each with StartTLS, LDAPS, and unencrypted connections) (issue #77)
  • minor improvements to file carving and Malcolm/Hedgehog ISO configuration
  • reduced noise of auditd messages sent from Hedgehog ISO installation
  • bump Moloch to 2.1.1
  • bump Zeek to 3.0.1

Malcolm v1.7.2

25 Nov 17:16

idaholab/Malcolm@v1.7.1a...v1.7.2

  • Fixes issue #86
  • adds some sample configuration for sensor/forwarder usage

Malcolm v1.7.1a

20 Nov 21:23

idaholab/Malcolm@v1.7.0...v1.7.1a

  • redesign PCAP processing pipeline (pull request #81, issue #80) so that there is one service that watches the /data/pcap/processed directory and publishes to a ØMQ topic; other services can then subscribe to that topic and do what they want with the PCAP information they receive. This will make it much easier to add future PCAP processors, and also increases the parallelism of the code

  • move common Logstash enrichments to a separate pipeline (pull request #81, issue #78). I've made the pipelines used for processing Logstash events more modular, and I've also made it more extensible by having the startup script dynamically detect and configure new pipelines on the fly. This will make it easier to add new parsers in the future (need to document how to do that in the readme though)

  • set opencontainers-compatible labels on docker containers

  • fix issue #82, OUI vendor names used by Logstash don't match those used by Moloch

  • split moloch container into pcap-monitor, zeek, and moloch containers

  • documentation fixes

  • dockerfile cleanup

  • bump Moloch to 2.1.0 (see changelog and security).

  • enable readTruncatedPackets in Moloch's config.ini to handle more PCAPs

Malcolm v1.7.0

28 Oct 19:46
e2b96d8

idaholab/Malcolm@v1.6.0...v1.7.0

Malcolm v1.7.0 is a big release, with the following goodness:

  • Zeek 3.0
  • New parsers/analyzers, complete list:
    • Amazon.com, Inc.'s ICS protocol analyzers
    • Corelight's bro-xor-exe plugin
    • Corelight's community ID flow hashing plugin
    • J-Gras' Bro::AF_Packet plugin
    • Lexi Brent's EternalSafety plugin
    • MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK-Based Analytics (BZAR) script
    • Salesforce's gQUIC analyzer
    • Salesforce's HASSH SSH fingerprinting plugin
    • Salesforce's JA3 TLS fingerprinting plugin
    • SoftwareConsultingEmporium's Bro::LDAP analyzer
  • Logstash: use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on the srcIp and dstIp fields in Zeek logs
  • ISO installer tweaks
  • hardening compliance tweaks
  • Dashboards for all new protocols
  • Documentation updates
  • user account management (htadmin) improvements
  • bump Elastic to 6.8.4-oss
  • added human-readable names to types created with Moloch WISE
  • use ZeroMQ-based approach for file scanning queue

Malcolm v1.6.0

30 Sep 15:00
d1479a1

idaholab/Malcolm@v1.5.2...v1.6.0

  • fix issue #62, mapping of Zeek values to Moloch's http.uri
  • fix issue #63, "View JSON Document" context action for ID field in Moloch
  • improve Kibana filter pivot actions from Moloch to Kibana
  • added Zeek support for QUIC and corresponding dashboards

Malcolm v1.5.2

25 Sep 20:48
d453713

idaholab/Malcolm@v1.5.1...v1.5.2

  • added mechanism and example for sending email alerts via ElastAlert
  • added context menu pivot from Moloch to Kibana for most field values
  • Kibana can now be accessed at https://ip:5601/ (like before) or https://ip/kibana/
  • updated Moloch to v2.0.1
  • updated CyberChef to v9.4.0
  • updated some docker images from Debian 9 (stretch) to Debian 10 (buster)

Malcolm v1.5.1

09 Sep 21:23
5b4d46c

idaholab/Malcolm@v1.5.0...v1.5.1

  • code fixes and documentation updates for running Malcolm successfully on Windows 10 using Docker Desktop for Windows
  • map Zeek's host.name (from Beats) to Moloch's node field
  • changed mechanism by which JSON source for record in Moloch is viewed (now in the context menu options for the "ID" field)
  • allow Kibana to be accessed at "localhost:443/kibana" as well as "localhost:5601"
  • use named volume for autozeek text files rather than local directory
  • other minor bug fixes and documentation updates

Malcolm v1.5.0

04 Sep 17:54
0dfa946

idaholab/Malcolm@v1.4.0...v1.5.0

  • support multiple users and allow management of those users with web interface over port 488
  • added Community ID fingerprinting for flows
  • added HASSH fingerprinting for SSH
  • detect and upgrade Moloch administrative tables on startup if needed
  • default to faster java execution engine for Logstash
  • bump versions of Zeek and Moloch and Elastic/beats
  • improvements for ISO installer
  • documentation improvements
  • lots of bug fixes

Malcolm v1.4.0

25 Jul 22:00
58d2211

idaholab/Malcolm@v1.3.1...v1.4.0

This release:

  • adds multiple users and user account management (pull request #8/issue #39)
  • improvements to the ISO installer
  • bug fixes