Another welcome addition to Johannes Weber's "Ultimate PCAP", which I often use in my network fundamentals classes and whenever a quick look at a network protocol might be useful. This time, it's all DNS: DoT, DoH, DoQ, DoH3.
#dns #pcap #wireshark #ipv6
https://weberblog.net/dns-packet-capture-dot-doh-doq-doh3/
DNS Packet Capture: DoT, DoH, DoQ, DoH3 | Weberblog.net

Amplification Attacks, SYN Floods, Ping Sweeps, Port Scans, Duplicate IP Addresses, Segment Gaps, ARP Request Storms, Extraneous Data …

Are they lurking in your capture files? Find out with Capture File Forensics version 4.0
apple.co/4onAVxD

#pcap #packetcapture #forensics #security #monitoring #Wireshark

The analyzed #PCAP file can be found here:
https://tria.ge/251028-3g9yps1ncr/behavioral1
castlerat | fa354cf29852573669bc468ea2dac0ea5e83a943315466c89dd8634b38cdb261 | Triage

Check this castlerat report malware sample fa354cf29852573669bc468ea2dac0ea5e83a943315466c89dd8634b38cdb261, with a score of 10 out of 10.

Amplification Attacks, SYN Floods, Ping Sweeps, Port Scans, Duplicate IP Addresses, Segment Gaps, ARP Request Storms, Extraneous Data …

Are they lurking in your capture files? Find out with Capture File Forensics.
apple.co/4onAVxD

#pcap #packetcapture #forensics #security #monitoring #Wireshark


Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

https://github.com/idaholab/Malcolm/compare/v25.09.0...v25.11.0

  • ✨ Features and enhancements
    • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
    • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connections between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
    • Updates to the Validated Design Architecture Review (VADR) dashboards.
    • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Double imports when restarting Malcolm (#588) (thanks @KchChr)
  • 🧹 Code and project maintenance
    • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
    • Malcolm
      • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Introduction to Network Threat Detection with @suricata by Lukas Sismis at @openalt in Brno.

Perfect start to the conference day with analysis of #pcap from #anyrun and @malware_traffic

#weekend #education #networkforensics #BlueTeam

2025-10-08 (Wednesday): #Kongtuke campaign fake CAPTCHA page with #ClickFix instructions.

I got a full infection chain this time!

During this infection I saw a 205MB zip download, which makes the #pcap take a while to load in Wireshark.

Some IOCs with the associated #malware and artifacts are available at https://www.malware-traffic-analysis.net/2025/10/08/index.html

2025-10-02 (Thursday): #pcap and some images from an Android malware infection at https://www.malware-traffic-analysis.net/2025/10/02/index.html

I was just made aware that a #wireshark dissector for Sphinx protocol messages exists (in private so far, but still).

#passwordmanager #pcap