DNS tunneling is easy to miss. Peter Manev walks through a real-world case using Suricata 8: detection, investigation, and reverse engineering.

Don't miss it! Register now: https://us02web.zoom.us/webinar/register/WN_fooQOVivS2i2vIA80wlhOw#/registration

#Suricata #OpenSource #FreeWebinar

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

  • ✨ Features and enhancements
    • implemented easier way to enable/disable Strelka scanners #935
    • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
    • index selected Strelka result fields #919
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
    • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
    • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting #915
    • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
    • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
  • 🧹 Code and project maintenance
    • swap redis out for valkey #882
    • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
    • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
    • some documentation updates
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
    • Added ARKIME_PCAP_LIBPCAP to arkime.env should users wish to revert to the older libpcap mode for PCAP file processing rather than the faster scheme processing (default false)
    • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
    • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
    • STRELKA_SCANNERS has been added to pipeline.env for #935
    • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Don't miss Victor Julien ( @inliniac ) at BSides Groningen for a talk on open source, sovereignty, and where #Suricata fits in the conversation.

He'll dig into Suricata's independent history, its support through OISF, and why that matters today.

More here: https://bsidesgrunn.org/2026/03/18/suricata-open-source-network-security-engine-built-with-sovereignty-in-mind/

#Opensource

One of the best parts of RSAC was the chance to talk about #Suricata and open source with so many different people.

From longtime supporters to people discovering the project for the first time, those conversations help strengthen the project, the community, and what comes next.

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

#math #sat #computerSciences #np #suricata

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/


Heading to BotConf?

Don't miss Peter Manev and Éric Leblond's ( @Regit ) Suricata workshop on April 14 covering detection techniques, rule development, and real-world use. Learn from people who help shape Suricata.

Learn more: https://cfp.botconf.org/botconf-2026/talk/Z8H9Y9/

#Suricata #BotConf #OpenSource

suricata keeping them hackermans away from my mastodon server #suricata #unifi

Suricata CVE-2026-31932: crafted Kerberos traffic can DoS your network IDS. The tool watching your network can be knocked offline by what it monitors. Update to 7.0.15 or 8.0.4.

#suricata #IDS #vulnerability #networksecurity #infosec

Source: https://radar.offseq.com/threat/cve-2026-31932-cwe-407-inefficient-algorithmic-com-f6b065e8

Nope, my super brilliant plan of brilliantness does not seem to work. Interfaces are not created equal. I'll have to figure out another way to feed #suricata pcap data... worst case hack together a small daemon that just forwards pflog0 data to vlan12 as intended.

#Suricata 9 is on the roadmap for Summer 2027 (July). Your feedback helps shape what comes next!

Whether it's performance, integrations, code, or something new, your input shapes where the project goes.

Share your ideas, requests, and improvements on Discord or Discourse: suricata.io/community/