Yesterday I led a half-day workshop for a group of high school students. The content was purely practical: a lot of labs and hands-on exercises and challenges about computer networks, #networktrafficanalysis and #cybersecurity.

Girls made their own Ethernet cables to connect to our lab network. Then they analyzed common network protocols and their privacy issues and how the browser settings can affect the amount of sensitive information in the network traffic.

Pro tip: together with HTTPS-Only Mode in all windows, also enable DNS over HTTPS using Increased Protection or Max Protection.
Pro tip 2: even with those hardened settings, it is often possible to see which websites the user visits, because of TLS SNI or TLS Certificates

After that, the girls had the opportunity to try CTF-like activity in the lab network full of old #MikroTik and #Ubiquiti devices and virtual machines with various services exposed.

A little bit off-topic: This was the first workshop I completely led using my old #ThinkPad with #FreeBSD

#MayTheSourceBeWithYou
#PCAPorItDidntHappen

#education #womeninstem #womenintech #SecurityGirl #AjTyvIT #wireshark #CTF #handsonlearning #learningbydoing

Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts

Check ✅️ it out:
https://github.com/idaholab/Malcolm

#cybersecurity #infosec #threathunting #suricata #zeek #pcapanalysis #networktrafficanalysis

Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

https://github.com/idaholab/Malcolm/compare/v25.12.0...v25.12.1

• ✨ Features and enhancements
  • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
• ✅ Component version updates
  • supercronic to v0.2.40
  • Alpine (Docker base image) to v3.23
  • NetBox to v4.4.8
  • urllib3 to v2.6.0 (CVE-2025-66471, 8.9 High, GHSA-2xpw-w6gg-jr37)
• 🐛 Bug fixes
  • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
  • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
  • self-signed certificates not accepted by Chrome (#833)
  • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
• 🧹 Code and project maintenance
  • Added new Analytics section to documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

https://github.com/idaholab/Malcolm/compare/v25.09.0...v25.11.0

• ✨ Features and enhancements
  • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
  • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connetions between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
  • Updates to the Validated Design Architecture Review (VADR) dashboards.
  • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
• ✅ Component version updates
  • Arkime to v5.8.2
  • Fluent Bit to v4.1.1
  • Keycloak to v26.4.2
  • OpenResty to v1.27.1.2
  • OpenSearch Dashboards to v3.3.0
  • OpenSearch to v3.3.2
  • supercronic to v0.2.38
  • yq to v4.48.1
  • Zeek to v8.0.3
• 🐛 Bug fixes
  • Double imports when restarting Malcolm (#588) (thanks @KchChr)
• 🧹 Code and project maintenance
  • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
  • Malcolm
    • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

https://github.com/idaholab/Malcolm/compare/v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (cisagov/Malcolm#762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (cisagov/Malcolm#725)
  • allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)
  • allow customizing maximum upload file size (cisagov/Malcolm#769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (cisagov/Malcolm#703)
  • integrate Validated Architecture Design Review (VADR) dashboards (cisagov/Malcolm#780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (cisagov/Malcolm#758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (cisagov/Malcolm#764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (cisagov/Malcolm#774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (cisagov/Malcolm#779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (cisagov/Malcolm#761)
  • Failed shard query error on Overview dashboard (cisagov/Malcolm#754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (cisagov/Malcolm#717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (cisagov/Malcolm#769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Building a network traffic analysis system: Deploying Malcolm on Amazon EC2

This is the first of two blog posts on the AWS Public Sector Blog about deploying Malcolm on Amazon AWS. It covers installing Malcolm on a single EC2 instance. The next post will cover deploying Malcolm on EKS.

For those of you more interested in scaling Malcolm using Kubernetes, you can check out our "still-in-beta" Helm chart and share your feedback in the issue tracker on that repo.

#AWS #EC2 #Malcolm #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Add IANA service name and description enrichment to Zeek's known_services.log (#705)
  • Improve the speed of pruning files (#710)
  • allow multiple instance of Suricata in PCAP processing mode via UNIX socket (#707)
  • expose Arkime WISE tagging features to the user (#377)
  • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (#702)
  • handle new OPCUA Binary summary logs (#709)
  • incorporate new ANSI C12.22 parser and add corresponding dashboard (#708)
  • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
  • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
• ✅ Component version updates
  • Fluent Bit to v4.0.5
  • Arkime v5.7.1
  • Supercronic v0.2.34
  • OpenSearch and OpenSearch Dashboards v3.1.0
  • Keycloak v26.2.5
  • yq v4.47.1
  • NetBox v4.3.4
    • NetBox Initializers plugin v4.3.0
    • NetBox Topology Views plugin v4.3.0
  • Zeek v7.2.2
  • Spicy v1.13.2
  • urllib3 Python Library to v2.5.0 (addresses CVE-2025-50181)
  • ICSNPP Zeek network analyzer updates
    • BACnet parser fixes for previously unsupported services (see cisagov/icsnpp-bacnet#50 and cisagov/icsnpp-bacnet#51)
    • Ethernet/IP various fixes (cisagov/icsnpp-enip#34 (partial); cisagov/icsnpp-enip#35; cisagov/icsnpp-enip#36; cisagov/icsnpp-enip#37; cisagov/icsnpp-enip#38)
    • GENISYS minor updates (cisagov/icsnpp-genisys#25)
    • OPCUA Binary summary logs (cisagov/icsnpp-opcua-binary#102)
    • S7comm fixes for ACK message processing (cisagov/icsnpp-s7comm#19; cisagov/icsnpp-s7comm#20)
• 🐛 Bug fixes
  • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (#712)
  • packet capture statistics dashboard not working in Kibana (#704)
  • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (#713)
  • log fingerprinting needs to be examined to avoid unintentional collisions (#715)
  • install.py issues in Rocky Linux, Almalinux (#385)
  • OpenSearch container health check issue when OpenSearch is disabled (#716)
  • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (#701)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Hey, y'all, if you have anything to do with the Zeek network security monitor (as a user, script/plugin developer, researcher, whatever), would you please take 10 minutes to fill out the Zeek Project Survey 2025. This is your chance to help the Zeek team know how you feel about the project and help shape its direction moving forward.

#Zeek #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #CyberSecurity #Cyber #Infosec