Malcolm v24.12.0 contains several improvements to the Malcolm configuration script, the Malcolm user interface, and the Malcolm API, as well as component version updates and bug fixes. This release also corresponds with the release of `malcolm-test` (cisagov#486), a Malcolm system testing framework.
- Features and enhancements
  - Creation of a Malcolm systems testing framework (cisagov#486)
  - Added a number of Zeek packages to detect various CVEs
  - Improvements to the Indices, Ready, and Document Ingest Statistics APIs
  - Use new Arkime tag-hiding feature to hide the `netbox` tag from the UI (cisagov#495)
  - Provide configuration script options for pulling from threat intel feeds (cisagov#532)
  - Prompt during configuration whether to enable capture statistics (cisagov#504)
  - Add additional EVTX fields to index template (cisagov#525) and minor improvements to normalization
  - Add simple readiness indicator to upload page (cisagov#528)
  - Add option to upload page to disable NetBox enrichment for the currently-uploaded batch of PCAPs
  - Expose more of the Logstash API passthrough to the Malcolm API
- Component version updates
  - Arkime to v5.5.1
  - capa to v8.0.1
  - elasticsearch-dsl Python library to v8.17.0
  - elasticsearch Python library to v8.17.0
  - Fluent Bit to v3.2.2
  - NetBox to v4.1.8 (major update from the v4.0.x series, see cisagov#496)
  - opensearch-py Python library to v2.8.0
  - yq to v4.44.6
  - Zeek to v7.0.5 (security and bugfix release)
- Bug fixes
  - Zeek DNS records don't open correctly in Arkime sessions (cisagov#509)
    - Fixes to some Zeek `dns.log` parsing conflicts between ECS's DNS fields and what the Arkime schema is expecting
  - Mandiant threat intel source doesn't get split correctly when using the Zeek JSON log format (cisagov#494)
  - Set `indices.query.bool.max_clause_count` to 8192 to reflect the maximum number of fields
  - Increase Java stack size (`-Xss`) for Logstash from 1536k to 2048k
  - Minor fixes for parsing Zeek `intel.log` (some fields not named correctly with Zeek JSON-formatted logs)
  - Fixed setting the `Signature` event severity tags
- Code and project maintenance
  - Replaced hard-coded Malcolm version number in documentation markdown files with a variable-based replacer populated during generation
  - Documentation and screenshot updates
Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (`release_cleaver.sh`) and PowerShell (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.
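The chunk reassembly step above, as an added example that is not Malcolm's `release_cleaver.sh` or `release_cleaver.ps1`: a POSIX shell function that concatenates chunk files in order and accepts the result only if it hashes to a known SHA-256, which is the check worth doing before booting any reassembled installer image. The chunk naming (`<name>.part.aa`, `.ab`, ...), the 1 MiB sample file and the 256 KiB chunk size are constructed for the demo and are assumptions; Malcolm's real chunk names and sizes may differ.

```shell
#!/bin/sh
# Added example: reassemble a file that was published as fixed-size chunks and
# verify the result against a known SHA-256 before trusting it. This is not
# Malcolm's release_cleaver.sh; the chunk naming (<name>.part.aa, .ab, ...) and
# the sample data below are constructed for the demo.

# reassemble_and_verify OUT EXPECTED_SHA256 CHUNK...
# Concatenates the chunks in the order given and returns 0 only if the
# reassembled file hashes to EXPECTED_SHA256.
reassemble_and_verify() {
    out=$1
    expected=$2
    shift 2
    : > "$out"
    for chunk in "$@"; do
        cat "$chunk" >> "$out" || return 1
    done
    actual=$(sha256sum "$out" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# make_sample DIR: constructs a 1 MiB file of 'A' bytes (stand-in for the ISO),
# splits it into 256 KiB chunks named sample.iso.part.aa, .ab, ..., and prints
# the original file's SHA-256 (the value a release page would publish).
make_sample() {
    dir=$1
    head -c 1048576 /dev/zero | tr '\0' 'A' > "$dir/sample.iso"
    (cd "$dir" && split -b 262144 sample.iso sample.iso.part.)
    sha256sum "$dir/sample.iso" | cut -d' ' -f1
}

# demo: intact chunks reassemble to a file with the expected hash (returns 0).
# The glob expands in sorted order, which is the chunk order split produced.
demo() {
    tmp=$(mktemp -d)
    expected=$(make_sample "$tmp")
    reassemble_and_verify "$tmp/rebuilt.iso" "$expected" "$tmp"/sample.iso.part.*
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# demo_tampered: one byte of the second chunk is changed (as a corrupted or
# altered download would be); the reassembled file must be rejected (non-zero).
demo_tampered() {
    tmp=$(mktemp -d)
    expected=$(make_sample "$tmp")
    printf 'X' | dd of="$tmp/sample.iso.part.ab" bs=1 seek=0 conv=notrunc 2>/dev/null
    reassemble_and_verify "$tmp/rebuilt.iso" "$expected" "$tmp"/sample.iso.part.*
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run stand-alone: report both cases.
if demo; then echo "intact chunks: verified"; else echo "intact chunks: FAILED"; fi
if demo_tampered; then echo "tampered chunk: accepted (bad)"; else echo "tampered chunk: rejected"; fi
```

The expected hash is passed in rather than computed from the chunks themselves, so the check only has value when it comes from a source other than the chunk download (the release page's published checksum). Passing the chunks through a glob relies on the suffixes sorting correctly; if the chunk names do not sort in order, list them explicitly.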