Jupyter and Suricata make a pretty good pair.

In his SuriCon 2022 talk, Jupyter Playbooks for Suricata, Markus Kont shows how Jupyter notebooks can support rule exploration, threat hunting, analytics, and R&D prototyping around Suricata.

Watch here: https://youtu.be/hevTFubjlDQ?si=dKGV0GdrdxJis6Xi

#Suricata #SuriCon #OpenSource

Suricata 9 is planned for next year, and development is already well underway.

At our recent team meeting in Salzburg, we discussed priorities, next steps, and the work shaping the next version. Open source work does not wait for release season.

#OISF #Suricata #OpenSource

Going through my old files and cleaning up, I came across this infographic that demonstrates how byte_jump works in Snort/Suricata #Snort #Suricata #DetectionEngineering
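As an added illustration of the keyword the infographic covers (example rule text written for this page, not the infographic itself or anything from the poster), here are two Suricata rules over a constructed, length-prefixed payload. The port, the sids and the `MSG`/`CMD` markers are made up for the example; the byte_jump semantics are the standard ones shared by Snort and Suricata.

```text
# Constructed sample payload as it would appear on the wire:
#   "MSG" | 00 05 | "hello" | "CMD"
#   offset: 0-2     3-4       5-9       10-12
# content:"MSG" leaves the detection pointer at offset 3.
# byte_jump reads 2 bytes (00 05 = 5, big endian by default) at offset 0
# relative to that pointer, then jumps 5 bytes forward from the END of the
# bytes it read (offset 5 + 5 = 10).  content:"CMD" must then sit exactly
# there: distance:0 anchors it to the new pointer and within:3 leaves no
# slack, so a payload whose length field does not match its data will not fire.
alert tcp any any -> $HOME_NET 9999 (msg:"EXAMPLE byte_jump skips a length-prefixed field"; flow:to_server,established; content:"MSG"; depth:3; byte_jump:2,0,relative; content:"CMD"; distance:0; within:3; classtype:misc-activity; sid:9000001; rev:1;)

# Same idea when the length is carried as ASCII decimal
# ("MSG" | "05" | "hello" | "CMD"): string,dec converts the text "05"
# instead of interpreting the two bytes as a binary integer.
alert tcp any any -> $HOME_NET 9999 (msg:"EXAMPLE byte_jump with ASCII length field"; flow:to_server,established; content:"MSG"; depth:3; byte_jump:2,0,relative,string,dec; content:"CMD"; distance:0; within:3; classtype:misc-activity; sid:9000002; rev:1;)
```

The value of byte_jump for detection engineering is that the rule follows the protocol's own length field rather than hard-coding an offset, so it keeps matching when the variable field changes size and stops matching when the framing is inconsistent.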

Most-Wanted Proof-of-Concepts:

Progress MOVEit Automation Authentication Bypass (CVE-2026-4670)

Ivanti EPMM 0day Authenticated Remote Code Execution (CVE-2026-6973)

OpenCTI User Impersonation (CVE-2026-27960)

PAN-OS Unauthenticated Buffer Overflow Vulnerability in User-ID™ Authentication Portal (CVE-2026-0300)

If you know where I can find a PCAP or proof of concept code, let me know.

#DetectionEngineering #Suricata

Community helps make open source stronger. Accessibility helps that community grow.

Our Juliana Fajardini Reichow ( @jufajardini ) brought both into her sessions with DonasSecurity and Senac São Bernardo do Campo, where she shared Suricata, Outreachy, and her open source journey.

#Suricata #OpenSource #OISF

Updated avenger.rules - Added coverage for CVE-2026-39363 - Vite Dev Server Arbitrary File Read attempt

#DetectionEngineering #Suricata #WebSocket #Exploit

https://github.com/da667/Avenger

Mastodon Incident Report / Root cause analysis:

Earlier today, users experienced timeouts with Search, Hashtags, and Autocomplete.

Root Cause: Our setup separates the Mastodon frontend VPS (Hetzner) from backend services (for example Elasticsearch) via an OPNsense firewall. Suricata (our IPS) triggered a false positive on internal traffic and aggressively blocked the VPS IP, severing the connection to the search database.

Resolution: We identified the false positive, added the frontend IP to the whitelist, and traffic immediately normalized. Everything is back to green!

#mastodon #mastoadmin #burningboard #elasticsearch #firewall #opnsense #suricata #oopsie
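An added example of how a false positive like the one in the report above is usually scoped inside Suricata itself; this is not the admin's actual configuration, and the signature id and the frontend address below are placeholders. A `suppress` entry in threshold.config (the file named by `threshold-file` in suricata.yaml) silences one signature for one host, so the IPS keeps inspecting everything else that host sends instead of being bypassed for it entirely:

```text
# Added example; <SID> and 203.0.113.10 are placeholders for the
# false-positive signature id and the frontend VPS address.
# Suppress the single offending signature when the VPS is the source ...
suppress gen_id 1, sig_id <SID>, track by_src, ip 203.0.113.10
# ... and, if the same rule also fires on the backend's replies,
# when the VPS is the destination.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 203.0.113.10
```

After a rule reload, check the eve.json alert stream for that sid and host pair to confirm the suppression took effect, and keep the entry narrow: the sid comes from the alert record itself, and widening it to a whole subnet or to all signatures turns a tuning entry back into a blind spot.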

Suricata was at BotConf on April 14, with Peter Manev and Éric Leblond ( @Regit ) leading a hands-on workshop.

Good to spend time in person with people digging into the practical side of the project and working through the details together.

#Suricata #BotConf2026 #OpenSource

Well, it looks like the scraping attacks are stopping, or at least the firewall blocking is succeeding and letting the server breathe a bit. As the latest news, yesterday I finished migrating the Alias block lists and manual rules to automatic dynamic lists, and also added a few more that were missing. The dynamic lists run at a low level in the firewall and take advantage of the pf packet filter engine that makes pfSense famous. That turned out great, and the tests I ran show the firewall doesn't break a sweat filtering some 50k IPs. On the Nginx proxy I also left CrowdSec running alongside Fail2ban, and now both feed the malicious IPs they detect to pfSense, which blocks them for the whole network. CrowdSec was a suggestion from @j3j5 and later from @ElenaMusk, and it was worth it, because I only knew it by name and had never tried it; many thanks for the support and the help. I thought it was similar to Fail2ban, but it is clearly much more modern and catches IPs that Fail2ban doesn't, precisely because of the behavioral analysis. I think we're in pretty good shape now, with pfBlocker-NG, Suricata and DNSBL running on pfSense and Fail2ban and CrowdSec running on the proxy, which in turn feeds back into pfSense. #pfsense #crowdsec #dnsbl #suricata #seguridad #undernet #mastodon

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

  • ✨ Features and enhancements
    • #726 — use hierarchical structure for NetBox device roles
      • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
    • #867 — examine large chown'ed directories in container images and see if they can be reduced
    • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
      • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
      • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
    • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
    • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
    • netdev users in ISO-installed environments can run nmcli and nmtui to configure network interfaces.
    • The malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
  • ✅ Component version updates
  • 🐛 Bug fixes
    • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
      • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
      • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
    • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
      • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
      • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
      • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
    • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
      • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
      • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
      • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
    • #957 — configuration script can disable ICS parsers unintentionally
    • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
    • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
  • 🧹 Code and project maintenance
    • Documentation improvements
    • #913 — replace ingress-nginx which is EOL
      • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
      • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
      • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
      • OpenSearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
    • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
    • #917 — develop IronBank (US DoD) images for Malcolm
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
    • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
  • ❌ Errata
    • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL