Malcolm leverages the following excellent open source tools, among others.
- Arkime (formerly Moloch) - for PCAP file processing, browsing, searching, analysis, and carving/exporting; Arkime consists of two parts:
- OpenSearch - a search and analytics engine for indexing and querying network traffic session metadata
- Logstash and Filebeat - for ingesting and parsing Zeek log files and loading them into OpenSearch in a format that Arkime understands in the same way it natively understands PCAP-derived data
- OpenSearch Dashboards - for creating additional ad-hoc visualizations and dashboards beyond that provided by Arkime viewer
- Zeek - a network analysis framework and IDS
- Suricata - an IDS and threat detection engine
- Yara - a tool used to identify and classify malware samples
- Capa - a tool for detecting capabilities in executable files
- ClamAV - an antivirus engine for scanning files extracted by Zeek
- CyberChef - a "Swiss Army Knife" data conversion tool
- jQuery File Upload - for uploading PCAP files and Zeek logs for processing
- Docker and Docker Compose - for simple, reproducible deployment of the Malcolm appliance across environments and coordination of communication between its various components
- NetBox - a suite for modeling and documenting modern networks
- PostgreSQL - a relational database for persisting NetBox's data
- Redis - an in-memory data store for caching NetBox session information
- Nginx - for HTTPS and reverse proxying Malcolm components
- nginx-auth-ldap - an LDAP authentication module for nginx
- Fluent Bit - for forwarding metrics to Malcolm from network sensors (packet capture appliances)
- Mark Baggett's freq - a tool for calculating entropy of strings
- Florian Roth's Signature-Base Yara ruleset
- Bart Blaze's Yara ruleset
- These Zeek plugins:
    - some of Amazon.com, Inc.'s ICS protocol analyzers
    - Andrew Klaus's Sniffpass plugin for detecting cleartext passwords in HTTP POST requests
    - Andrew Klaus's zeek-httpattacks plugin for detecting noncompliant HTTP requests
    - ICS protocol analyzers for Zeek published by DHS CISA and Idaho National Lab
    - Corelight's "bad neighbor" (CVE-2020-16898) plugin
    - Corelight's "Log4Shell" (CVE-2021-44228) plugin
    - Corelight's "OMIGOD" (CVE-2021-38647) plugin
    - Corelight's Apache HTTP server 2.4.49-2.4.50 path traversal/RCE vulnerability (CVE-2021-41773) plugin
    - Corelight's bro-xor-exe plugin
    - Corelight's callstranger-detector plugin
    - Corelight's community ID flow hashing plugin
    - Corelight's DCE/RPC remote code execution vulnerability (CVE-2022-26809) plugin
    - Corelight's HTTP More Filenames plugin
    - Corelight's HTTP protocol stack vulnerability (CVE-2021-31166) plugin
    - Corelight's OpenSSL RCE buffer overrun vulnerability (CVE-2022-3602) plugin
    - Corelight's pingback plugin
    - Corelight's ripple20 plugin
    - Corelight's SIGred plugin
    - Corelight's VMware Workspace ONE Access and Identity Manager RCE vulnerability (CVE-2022-22954) plugin
    - Corelight's Zerologon plugin
    - Corelight's Microsoft Excel privilege escalation detection (CVE-2021-42292) plugin
    - J-Gras' Zeek::AF_Packet plugin
    - Johanna Amann's CVE-2020-0601 ECC certificate validation plugin and CVE-2020-13777 GnuTLS unencrypted session ticket detection plugin
    - Lexi Brent's EternalSafety plugin
    - MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK®-Based Analytics (BZAR) script
    - Salesforce's gQUIC analyzer
    - Salesforce's HASSH SSH fingerprinting plugin
    - Salesforce's JA3 TLS fingerprinting plugin
    - Zeek's Spicy plugin framework
- GeoLite2 - Malcolm includes GeoLite2 data created by MaxMind