Seth Grover10h ago

Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0

  • πŸ›‘οΈ Security Remediation & Hardening (#996)
    • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
    • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
    • Password stored as MD5-crypt for SFTP (#1009)
    • Authenticated archive zip-slip file write in filebeat container (#999)
    • OpenSearch path injection via /mapi/fields?template (#1000)
    • submit.php Location: open redirect via Referer (#1007)
    • htadmin proxied with no nginx auth gate (#1003)
    • Keycloak OIDC ssl_verify always set to false (#1006)
    • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
    • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
    • Read-only Arkime deny-regex omits addtags/removetags (#1008)
    • Read-only deployment allows POST /mapi/event (#1002)
    • WISE auth path selectable by client User-Agent (#1001)
    • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
    • requests CVE bump reverted in logstash image (#1010)
    • Fix API auth errors and hide NGINX version disclosure (#989)
  • πŸ› Bug fixes
    • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
    • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
    • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
  • βœ… Component version updates
  • 🧹 Code and project maintenance
    • Fixed some incorrect links in documentation (#988, thanks @jsoref)
    • Refactored NGINX error pages configuration into its own include file and added a 401.html page
  • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Release Malcolm v26.06.0 Β· idaholab/Malcolm

Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue...

GitHub
Doug BurksMay 26

πŸš€ OhMyPCAP 4.0.0 is HERE!

The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.

New in v4.0:
β€’ Upgraded to YARA Forge Full ruleset β€” more comprehensive malware & threat detection
β€’ Exiftool + rich file metadata analysis β€” get more file information even if there are no YARA matches

All the power you love is still here:
Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).

Ideal for malware analysis, incident response, threat hunting, forensics & teaching.

Who’s pulling this version right now? Drop a ❀️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)

#PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis

@chrissanders88 @lennyzeltser

hoek πŸ’ŽMay 23

I built IT PCAP Triage - a small offline tool for people who hate digging through PCAPs manually.

It runs Zeek, Suricata, capinfos and tshark, then generates a compact HTML security report with findings, risky hosts, DNS/TLS/SMB/HTTP summaries, IDS alerts and evidence.

Still not a SIEM. Still not magic. Just automation for the boring first triage pass.

https://0ut3r.space/2026/05/23/it-pcap-analysis/

#infosec #pcap #zeek #suricata #python #security

Turning IT PCAP Pain into a Triage Report

This is going to be another chaotic article about analysing network packet captures, except this time it is not about OT, ICS, SCADA, PLCs, HMIs, or other industrial things that can break if you look

0ut3r Space
BradMay 22

2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html

cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

Seth GroverMay 19

Malcolm v26.05.2 is out?!? What, already? DΓ©jΓ  vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2

  • ✨ Features and enhancements
  • βœ… Component version updates
  • πŸ› Bug fixes
    • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
    • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
    • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
    • Suricata's HTTP version was not being normalized to network.protocol_version.
  • 🧹 Code and project maintenance

Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

BradMay 12
2026-05-11 (Monday) #Malvertizing: Another ad in Google search results leads to a page impersonating a Claude download but distributing #macOS #malware. A #pcap of the infection traffic, some of the indicators and associated files are available at https://www.malware-traffic-analysis.net/2026/05/11/index.html
BradMay 8

2026-05-08 (Friday): #macOS #ShubStealer infection

#pcap, malware files, and indicators available at https://malware-traffic-analysis.net/2026/05/08/index.html

Different file hashes and C2 server than the Shub Stealer I saw yesterday, but otherwise pretty much the same.

hoek πŸ’ŽMay 8

I hate digging through PCAPs, especially in OT/ICS environments, so I built a small offline tool that turns passive traffic captures into a triage report.

New blog post: Turning OT PCAP Pain into a Triage Report

https://0ut3r.space/2026/05/08/ot-pcap-analysis/

Enjoy or not.

#OT #ICS #SCADA #PCAP #Wireshark #tshark #CyberSecurity #IndustrialSecurity #Python #OpenSource

Turning OT PCAP Pain into a Triage Report

This is going to be a chaotic article about analysing packets collected on an OT network, with a brief mention of how much I dislike networking topics. If that sounds boring to you, don’t read any fur

0ut3r Space
Christopher IseneMay 6

My first little bit of packet analysis, where I discovered a strange Ethernet II packet type;

https://codeberg.org/cisene/UsbServer/src/branch/main/re/Ethernet-II-Discovery.md

#pcap #packetcapture #reverseengineering

UsbServer/re/Ethernet-II-Discovery.md at main

UsbServer

Codeberg.org
Seth GroverMay 5

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

  • ✨ Features and enhancements
    • #726 β€” use hierarchical structure for NetBox device roles
      • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
    • #867 β€” examine large chown'ed directories in container images and see if they can be reduced
    • #954 β€” allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
      • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
      • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
    • Added file.strings extraction/indexing/search support across Strelka β†’ Logstash β†’ OpenSearch templates (wildcard field mapping type) β†’ Arkime/WISE
    • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
    • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
    • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
  • βœ… Component version updates
  • πŸ› Bug fixes
    • #757 β€” multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
      • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
      • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
    • #827 β€” Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
      • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
      • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
      • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
    • #878 β€” Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
      • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
      • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
      • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
    • #957 β€” configuration script can disable ICS parsers unintentionally
    • #959 β€” Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
    • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
  • 🧹 Code and project maintenance
    • Documentation improvements
    • #913 β€” replace ingress-nginx which is EOL
      • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
      • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
      • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
      • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
    • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
    • #917 β€” develop IronBank (US DoD) images for Malcolm
  • πŸ“„ Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
    • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
  • ❌ Errata
    • Under NetBox β†’ Plugins β†’ NetBox HealthCheck Plugin β†’ HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network πŸ–§ traffic analysis tool suite for network security monitoring πŸ•΅πŸ»β€β™€οΈ.

Malcolm operates as a cluster of containers πŸ“¦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker πŸ‹, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images πŸ’Ώ for Malcolm and Hedgehog Linux πŸ¦” can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split πŸͺ“ into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell πŸͺŸ (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board πŸ’¬ to engage with the community, or pop some corn 🍿 and watch a video πŸ“Ό.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL