- code fixes and documentation updates for running Malcolm successfully on Windows 10 using Docker Desktop for Windows
- map Zeek's host.name field (from Beats) to Moloch's node field
- changed the mechanism by which the JSON source for a record in Moloch is viewed (now in the context menu options for the "ID" field)
- allow Kibana to be accessed at "localhost:443/kibana" as well as "localhost:5601"
- use named volume for autozeek text files rather than local directory
- other minor bug fixes and documentation updates
- support multiple users and allow management of those users via the web interface over port 488
- added Community ID fingerprinting for flows
- added HASSH fingerprinting for SSH
- detect and upgrade Moloch administrative tables on startup if needed
- default to the faster Java execution engine for Logstash
- bump versions of Zeek, Moloch and Elastic/Beats
- improvements for ISO installer
- documentation improvements
- lots of bug fixes
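The Community ID fingerprinting added in this release gives every flow a single hash that is the same no matter which side initiated it, so a Zeek conn record and the matching Moloch session can be joined on one value. The following Python is an added example, not Malcolm's own code, written to the published Community ID v1 specification as I understand it (a seeded SHA-1 over the direction-normalised 5-tuple, base64-encoded and prefixed with "1:"). The `tag_conn_record` helper and the sample record are constructed for the example; the field names it reads (`id.orig_h`, `id.orig_p`, `id.resp_h`, `id.resp_p`, `proto`) mirror Zeek's conn.log.

```python
"""Community ID v1 flow hash (added example; not code from the Malcolm project)."""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the protocols the spec treats specially.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMP6, PROTO_SCTP = 1, 6, 17, 58, 132
PROTO_BY_NAME = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "udp": PROTO_UDP,
                 "icmp6": PROTO_ICMP6, "sctp": PROTO_SCTP}

# ICMP request/reply type pairs: a reply is mapped onto its request so both
# directions of an echo exchange collapse to the same "port" pair.
ICMP4_MAP = {0: 8, 8: 0, 9: 10, 10: 9, 13: 14, 14: 13, 15: 16, 16: 15, 17: 18, 18: 17}
ICMP6_MAP = {128: 129, 129: 128, 130: 131, 131: 130, 133: 134, 134: 133,
             135: 136, 136: 135, 139: 140, 140: 139, 144: 145, 145: 144}


def community_id_v1(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Return the Community ID v1 string for a flow.

    For ICMP/ICMPv6, pass the ICMP type as sport and the code as dport
    (the same convention Zeek uses in conn.log's id.orig_p / id.resp_p).
    """
    src = ipaddress.ip_address(saddr).packed   # works for IPv4 and IPv6
    dst = ipaddress.ip_address(daddr).packed
    one_way = False
    if proto in (PROTO_ICMP, PROTO_ICMP6) and sport is not None:
        table = ICMP4_MAP if proto == PROTO_ICMP else ICMP6_MAP
        if sport in table:
            dport = table[sport]          # type with a known reply type
        else:
            one_way = True                # no reply type: keep (type, code) as-is

    has_ports = sport is not None and dport is not None
    # Normalise direction: the lexicographically smaller endpoint goes first,
    # unless the flow is inherently one-way.
    if not one_way and (src > dst or (src == dst and has_ports and sport > dport)):
        src, dst = dst, src
        sport, dport = dport, sport

    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))     # 16-bit big-endian seed (default 0)
    h.update(src)
    h.update(dst)
    h.update(struct.pack("!BB", proto, 0))  # protocol number + one pad byte
    if has_ports:
        h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def tag_conn_record(rec):
    """Attach a community_id to a Zeek conn.log-style dict (hypothetical helper)."""
    rec["community_id"] = community_id_v1(
        rec["id.orig_h"], rec["id.resp_h"], PROTO_BY_NAME[rec["proto"]],
        rec["id.orig_p"], rec["id.resp_p"])
    return rec


if __name__ == "__main__":
    # Constructed sample record in the shape of a Zeek JSON conn.log entry.
    sample = {"id.orig_h": "128.232.110.120", "id.orig_p": 34855,
              "id.resp_h": "66.35.250.204", "id.resp_p": 80, "proto": "tcp"}
    print(tag_conn_record(sample)["community_id"])
    # The reverse direction yields the same ID, which is the whole point.
    print(community_id_v1("66.35.250.204", "128.232.110.120", PROTO_TCP, 80, 34855))
```

When correlating across tools, the seed must match on every producer (the default is 0); a Zeek and a Moloch instance configured with different seeds will never agree on an ID even for identical flows.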
- mostly focuses on improvements to the ISO installer
- fixes a couple of bugs
- adds the ability to configure snapshots (backups) of the Elasticsearch indices
- includes some code cleanup/refactoring to reduce duplicated code and the size of the Moloch container
This release contains the index curation feature, bug fixes and improvements to documentation.
- Added index curation (close/delete indexes based on age and/or size); see Elasticsearch index curation in README.md
- Improvements to documentation
This release contains bug fixes and improvements to documentation.
- Modernize some Python 2 code to be compatible with Python 3
- Fixed an issue with filebeat-clean-zeeklogs-processed-folder.py not running
- Fix Elastalert container (issue #17)
- Fix Elastalert sample rule
- Fix Filebeat not starting up with unexpected filebeat.yml permissions (issue #24)
- Other minor documentation fixes
- Improved documentation for live analysis
- Added step-by-step installation instructions for Malcolm installation on Ubuntu to README
The Department of Homeland Security and the Bureau of Reclamation with Battelle Energy Alliance are releasing an easily deployable network traffic analysis tool suite. Named Malcolm, the software platform is an open source solution that provides IT network administrators and industrial control system owners with greater visibility into their computer network traffic and improves their capability to detect abnormal system behavior.
Although all of the tools which make up Malcolm are open source and in general use, Malcolm provides an interconnected framework that makes it greater than the sum of its parts. Malcolm's easy, flexible deployment and robust combination of tools fill a void in the network security space and make advanced network traffic analysis accessible to many in both the public and private sectors as well as individual enthusiasts. Malcolm will continue to be developed and improved with a focus on providing visibility into the security of personal, enterprise and industrial control systems networks.
Malcolm was developed with DHS and Reclamation funding at the Idaho National Laboratory. It leverages open source network analysis and data management tools including Moloch (https://molo.ch), Zeek (formerly Bro; https://www.zeek.org), CyberChef (https://github.com/gchq/CyberChef), the Elastic Stack (https://www.elastic.co/products) and Docker (https://www.docker.com) to name a few.
The files required to build and run Malcolm are available at the Idaho National Lab's GitHub page at https://github.com/idaholab/malcolm. Malcolm's source code is released under the terms of a permissive open source software license.