Release Malcolm v25.05.0 · cisagov/Malcolm

Malcolm v25.05.0 adds support for the Emerson ROC Plus protocol (including a Zeek analyzer and corresponding dashboard), component updates, and bug fixes.

v25.04.1...v25.05.0

✨ Features and enhancements
- Added support for ROC Plus (#661)
- Make Zeek metrics port configurable (thanks to @divinehawk) (cherry-picked from #668)
- Improve ability to upload PCAP files via cURL
- Minor UI improvements to desktop environment for Malcolm and Hedgehg Linux ISO-installed instances
✅ Component version updates
- Fluent Bit to v4.0.2
- yq v4.45.4
- Zeek v7.2.0
🐛 Bug fixes
- race condition in suricata offline container between pcap processing and suricata socket (#667)
- NetBox autopopulation not working with prefixes correctly (#670) (regression)
- ensure Arkime's queryExtraIndices config.ini setting is only set when Zeek/Suricata logs are using a different index pattern
- set number_of_replicas cluster setting to 0 for embedded single-node OpenSearch instance to avoid yellow state
📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
- added ZEEK_METRICS_PORT (default blank, meaning use the default port) in zeek.env and control_vars.conf for #668
- added ZEEK_DISABLE_ICS_ROC_PLUS (default blank, meaning not disabled) in zeek.env and control_vars.conf for #661
🧹 Code and project maintenance
- minor slides and documentation updates
- Replace AWS Fargate documentation with AWS EKS Auto documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Malcolm v25.05.0

Contributors

Uh oh!