Malcolm v3.2.0
List of changes in Malcolm v3.2.0:
New features
- "Best Guess" Fingerprinting for ICS Protocols - In an effort to identify more ICS traffic, Malcolm can use a "best guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols that lack full parser support. This feature involves a mapping table and a Zeek script that look up the transport protocol and the destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocol ports was adapted from various public sources, including, but not limited to, Grassmarlin's fingerprints and ITI/ICS-Security-Tools' list of Control Systems Ports.
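The lookup described above, as an added Python example (not Malcolm's own Zeek script): a small mapping table keyed by transport protocol and port is consulted for each connection, the responder port is tried first, the originator port second, and a connection that a real analyzer already identified is never overridden. The table entries, vendor labels, field names (bestguess, basis) and the conn.log-style records are constructed for illustration.

```python
"""Port-based "best guess" ICS protocol fingerprinting.

Added example, not Malcolm's own Zeek script: it reproduces the idea in the
release note (look up transport protocol plus destination and/or source port
in a mapping table to guess an ICS protocol when no full parser matched) in
plain Python over a few constructed connection records. The mapping table,
field names and vendor labels below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Guess:
    protocol: str
    vendor: Optional[str]
    matched_on: str  # "resp_p" or "orig_p": which port produced the guess


# Constructed lookup table keyed by (transport, port). A real deployment would
# load a much larger list (e.g. adapted from GRASSMARLIN fingerprints); these
# entries are common defaults used here for illustration only.
PORT_TABLE = {
    ("tcp", 502):   ("Modbus/TCP", "Schneider Electric"),
    ("tcp", 102):   ("S7comm (ISO-TSAP)", "Siemens"),
    ("tcp", 20000): ("DNP3", None),
    ("tcp", 44818): ("EtherNet/IP", "Rockwell Automation / ODVA"),
    ("udp", 2222):  ("EtherNet/IP (implicit I/O)", "Rockwell Automation / ODVA"),
    ("udp", 47808): ("BACnet/IP", None),
    ("tcp", 2404):  ("IEC 60870-5-104", None),
    ("tcp", 4840):  ("OPC UA", None),
}


def best_guess(proto, orig_p, resp_p, service=None):
    """Return a Guess for one connection, or None.

    Decision order a port-based heuristic should use:
    1. If a real analyzer already identified the service, do not override it.
    2. Prefer the responder (destination) port: servers listen on well-known ports.
    3. Fall back to the originator port, which catches server-initiated flows.
    """
    if service:
        return None
    proto = proto.lower()
    hit = PORT_TABLE.get((proto, resp_p))
    if hit:
        return Guess(hit[0], hit[1], "resp_p")
    hit = PORT_TABLE.get((proto, orig_p))
    if hit:
        return Guess(hit[0], hit[1], "orig_p")
    return None


def annotate(conns):
    """Attach a separate 'bestguess' field to each record that got a guess.

    Keeping the guess in its own field (rather than writing it into 'service')
    preserves the distinction between a parsed protocol and a port-based hint.
    """
    out = []
    for c in conns:
        g = best_guess(c["proto"], c["id.orig_p"], c["id.resp_p"], c.get("service"))
        rec = dict(c)
        if g:
            rec["bestguess"] = {"protocol": g.protocol, "vendor": g.vendor, "basis": g.matched_on}
        out.append(rec)
    return out


# Constructed conn.log-style records (not real capture data).
SAMPLE_CONNS = [
    {"uid": "C1", "proto": "tcp", "id.orig_p": 51234, "id.resp_p": 502},    # Modbus by responder port
    {"uid": "C2", "proto": "tcp", "id.orig_p": 102,   "id.resp_p": 40000},  # S7comm by originator port
    {"uid": "C3", "proto": "udp", "id.orig_p": 47808, "id.resp_p": 47808},  # BACnet, both ports match
    {"uid": "C4", "proto": "tcp", "id.orig_p": 51235, "id.resp_p": 502, "service": "modbus"},  # parser already matched
    {"uid": "C5", "proto": "udp", "id.orig_p": 502,   "id.resp_p": 53},     # 502 is tcp-only in the table: no guess
    {"uid": "C6", "proto": "tcp", "id.orig_p": 44444, "id.resp_p": 443},    # nothing ICS
]

if __name__ == "__main__":
    for rec in annotate(SAMPLE_CONNS):
        print(rec["uid"], rec.get("bestguess"))
```

Treat the result as a triage lead, not an identification: any protocol can be carried on any port, so a guess should be stored in its own field and never replace a service name produced by a full parser, which is why the function returns nothing when a service is already set.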
Improvements and bug fixes
- Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (CLAMD_MAX_REQUESTS, YARA_MAX_REQUESTS and CAPA_MAX_REQUESTS)
- Zeek plugins to detect CVE-2021-31166 and pingback vulnerabilities
- Move creation of custom fields and views to Arkime's config.ini
- LDAP bind credentials world readable in docker (idaholab#47 and #171)
- zeek_template index template not created if index management not enabled (idaholab#50)
- kibana offline maps server not started (idaholab#51)
Version bumps
- Yara to 4.1.1
- Zeek to 4.0.3
- Spicy to 1.1.0
- Alpine to 3.14
- NGINX to 1.20.1
- Linux kernel to 5.10 (for ISO installs)
- urllib3 to 1.26.5 (#169)
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.