Malcolm v25.09.0

[mmguero]

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (update modbus_detailed.log #762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (add non-LVM option(s) for ISO installer #725)
  • allow configuring default search time frame for OpenSearch Dashboards (allow configuring default search time frame in Dashboards #724)
  • allow customizing maximum upload file size (allow customizing maximum upload file size #769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (Add arkime capture statistics to the packet capture statistics dashboard #703)
  • integrate Validated Architecture Design Review (VADR) dashboards (integrate VADR dashboards #780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (support Google Threat Intelligence feed for building Zeek intel source #758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (python code handling X-Forwarded- headers should do case insensitive lookups #764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (Uploaded PCAPs that result in no filename-derived tags will erroneously end up with internal tags on them #774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (installer option for encrypted drive not setting flag for encrypting data/artifact storage correctly #779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (sensor/malcolm ISO-installed environments auditd fails to start #761)
  • Failed shard query error on Overview dashboard (malcolm ISO install results in one failed opensearch shard (arkime / null_pointer_exception) #754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (refactor GitHub build actions to reduce duplication #717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (allow customizing maximum upload file size #769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (allow configuring default search time frame in Dashboards #724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

---

This discussion was created from the release Malcolm v25.09.0.