Malcolm v24.09.0
Malcolm v24.09.0 contains new features and enhancements, component version updates, and bug fixes.
- Features and enhancements
- When building Docker images and the Hedgehog Linux ISO, allow specifying alternate download URL for MaxMind GeoIP database files (idaholab#565)
- Allow total index size-based pruning for `opensearch-remote` and `elasticsearch-remote` database modes (idaholab#446)
- Allow splitting out indexes by other field values (idaholab#450)
- Allow users to use the Arkime Lua plugin without having to create new bind volume mounts manually (idaholab#533)
- Automatically create empty document on startup to avoid "no data" message spamming by Dashboards (idaholab#527 and idaholab#567)
- Improvements to documentation and `install.py` for Linux performance tweaks (idaholab#495)
- Include netbox-topology-views plugin by default (idaholab#553)
- Integrate HART-IP parser (idaholab#561)
- Add option to go backwards in Malcolm's dialog-based `install.py` installation and configuration script (idaholab#487)
- Added Podman support (idaholab#407)
- Update EtherNet/IP and CIP to account for new packet correlation ID (idaholab#558)
- Update Network Traffic Analysis with Malcolm slides
- Component version updates
- watchdog Python package to v5.0.x (idaholab#550)
- supercronic to v0.2.32
- osd_transform_vis to v2.16.0
- Fluent Bit to v3.1.8
- OpenSearch and OpenSearch Dashboards to v2.17.0
- YARA to v4.5.2
- Zeek to v7.0.1
- Spicy to v1.11.1
- elasticsearch-dsl Python package to v8.15.3
- elasticsearch Python package to v8.15.1
- Beats to v8.15.1
- Logstash to v8.15.1
- flask-cors Python package to v5.0.0 to address CVE-2024-6221
- Bug fixes
- Filtering on hunt ID in Arkime not working (idaholab#554)
- Hedgehog with OOB/VPN connection sets `ARKIME_NODE_HOST` incorrectly (idaholab#560 and idaholab#559, thanks @divinehawk)
- Offline `suricata` Docker container does not initialize `suricata.yml` config file (idaholab#564)
- Configuration changes (in environment variables in `./config/` for Malcolm and in `control_vars.conf` for Hedgehog Linux)
  - Malcolm
    - The `MALCOLM_NETWORK_INDEX_SUFFIX` and `MALCOLM_OTHER_INDEX_SUFFIX` variables in `./config/opensearch.env` now also support expanding dot-delimited field names in `{{ }}` (e.g., `{{event.provider}}%{%y%m%d}`).
    - `MALCOLM_CONTAINER_RUNTIME` has been added to `./config/process.env` to indicate `docker`, `podman`, or `kubernetes`. This value is currently used only by the install, configuration, and control scripts, not inside the containers themselves.
    - `ZEEK_DISABLE_ICS_HART_IP` has been added to `./config/zeek.env` and can be set to `true` to disable the new HART-IP protocol parser.
  - Hedgehog Linux
    - `ZEEK_DISABLE_ICS_HART_IP` has been added to `control_vars.conf` and can be set to `true` to disable the new HART-IP protocol parser.
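To make the index-suffix behaviour concrete, here is an added, stand-alone illustration of how a `{{field.path}}` plus `%{strftime}` suffix template like the one above can be expanded and used to route documents into per-value indexes (the "split out indexes by other field values" enhancement). This is example code written for this page, not Malcolm's or Logstash's own implementation; it assumes `%{...}` uses Python `strftime` semantics against the document's `@timestamp`, that missing fields fall back to a placeholder, that values are lowercased and sanitized to be valid index-name characters, and the `arkime_sessions3-` prefix and the sample documents are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# {{event.provider}}  -> dot-delimited field reference (assumed syntax, per the release note)
FIELD_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.@-]+)\s*\}\}")
# %{%y%m%d}           -> strftime pattern (assumed to follow Python strftime semantics)
DATE_RE = re.compile(r"%\{([^}]+)\}")


def lookup_field(doc: dict, path: str):
    """Resolve a dot-delimited path against nested dicts; also accept a flat dotted key."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return None
    return cur


def sanitize(value) -> str:
    """Lowercase and replace characters that are not safe in an OpenSearch index name.

    Doing this *before* date expansion also means a field value can never inject a
    %{...} pattern of its own, because '%', '{' and '}' are rewritten here.
    """
    return re.sub(r"[^a-z0-9_.+-]", "_", str(value).lower())


def expand_index_suffix(template: str, doc: dict, missing: str = "unknown") -> str:
    """Expand {{field}} references and %{strftime} patterns in an index-suffix template."""
    ts = doc.get("@timestamp")
    # Assumption: @timestamp is ISO-8601; fall back to "now" when absent.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else datetime.now(timezone.utc)

    def field_sub(m):
        val = lookup_field(doc, m.group(1))
        return sanitize(val) if val not in (None, "") else missing

    out = FIELD_RE.sub(field_sub, template)
    out = DATE_RE.sub(lambda m: when.strftime(m.group(1)), out)
    return out


def index_name(prefix: str, template: str, doc: dict) -> str:
    """Full index name = fixed prefix + expanded suffix (prefix value is illustrative)."""
    return f"{prefix}{expand_index_suffix(template, doc)}"


def bucket_by_index(prefix: str, template: str, docs: list) -> dict:
    """Group documents by the index they would be written to."""
    buckets = defaultdict(list)
    for d in docs:
        buckets[index_name(prefix, template, d)].append(d)
    return dict(buckets)


# Constructed sample documents (not real Malcolm output).
SAMPLE_DOCS = [
    {"@timestamp": "2024-09-17T12:34:56Z", "event": {"provider": "zeek"}, "id": 1},
    {"@timestamp": "2024-09-17T13:00:00Z", "event.provider": "Suricata", "id": 2},
    {"@timestamp": "2024-09-18T00:00:01Z", "event": {"provider": "zeek"}, "id": 3},
    {"@timestamp": "2024-09-18T00:00:02Z", "id": 4},  # no provider field
]

if __name__ == "__main__":
    for name, group in sorted(bucket_by_index("arkime_sessions3-", "{{event.provider}}%{%y%m%d}", SAMPLE_DOCS).items()):
        print(name, [d["id"] for d in group])
```

Splitting by a field value multiplies the number of indexes (one per distinct value per day here), so pair it with the size-based pruning added in this release, and keep the value set bounded: a template keyed on a high-cardinality field such as a client IP would create an index per host.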
Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (`release_cleaver.sh`) and PowerShell (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.