Malcolm v26.02.0

Malcolm v26.02.0 fixes a few bugs, updates a few components, and provides some improvements to documentation.

v26.01.0...v26.02.0

• ✨ Features and enhancements
  • add SURICATA_DISABLE_SIDS to disable noisy suricata rules (#896)
  • allow "offline" Zeek (processing uploaded PCAP) to be able to skip threat intel (#876)
  • add indices:admin/create to the capture_service role for OpenSearch (#885)
• ✅ Component version updates
  • evtx to v0.11.1
  • Fluent Bit to v4.2.3
  • Logstash to v9.2.5
  • OpenSearch / OpenSearch dashboards to v3.5.0 (#898)
  • supercronic to v0.2.43
  • yq to v4.52.4
  • Zeek to v8.0.6
• 🐛 Bug fixes
  • choosing "no authentication" Malcolm still won't start due to missing htpasswd (#869)
  • filescan container processes need to handle connection timing issues more resiliently (#888)
  • filescan logs not building zeek.files.extracted_uri correctly for files hosted on Hedgehog Linux (#877)
  • IP Connections Tree left panel ("Trees Mirror") is wrong visualization (#899)
  • Remove /var/lib/suricata/cache contents when building Suricata container image (to reduce size and prevent flagging by AV scanners)
  • Fixed filescan container returning unhealthy just because the extracted file download service isn't enabledn
• 🧹 Code and project maintenance
  • document ports used in Malcolm <-> Hedgehog communicationenhancementNew feature or request (#887)
  • document "capture only without forwarding" mode for Hedgehog (#889)
  • other minor documentation improvements
  • store the originating host name in host.name in file scanning results rather than the host name of where the scan was performed (only really makes a difference for Kubernetes deployments)
  • cryptography (Python library) to v46.0.5 (addresses CVE-2026-26007)
  • Pillow (Python library) to v12.1.1 (addresses CVE-2021-25289)
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added REDIS_MAXMEMORY, REDIS_MAXMEMORY_POLICY, REDIS_AUTO_AOF_REWRITE_MIN_SIZE, REDIS_CACHE_MAXMEMORY, and REDIS_CACHE_MAXMEMORY_POLICY to redis.env for tuning the redis and redis-cache containers.
  • Added SURICATA_DISABLE_SIDS to suricata.env for #896
  • Added ZEEK_DISABLE_INTEL_LIVE to zeek-live.env and ZEEK_DISABLE_INTEL_OFFLINE to zeek-offline.env for [cisagov#876]

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v26.01.0

Malcolm v26.01.0 introduces a complete overhaul of its automatic file scanning capability, replacing its file scanning framework with Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response." This new framework offers more features and greater extensibility for developing future analytics. The release also includes several bug fixes and component version updates.

v25.12.1...v26.01.0

• ✨ Features and enhancements

  • Malcolm's automatic file scanning capability now runs on Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response," providing more features and improved extensibility for future analytics. Some settings, especially which scanners are enabled or disabled, may require manual configuration. See the documentation for details. (#485)
  • Enabled fuzzy hashing (SSDeep, TLSH), in addition to SHA256, for all Zeek-scanned files (#859)
  • Added additional health check data (Redis, etc.) to the /mapi/ready API
  • Major performance improvements to the Logstash parse pipeline:
    • Replaced the cidr filter with a custom Ruby filter
    • Changed "broadcast-and-drop" communication between pipelines to more targeted messaging
    • Reworked the "compact event" filter to remove empty/null values before indexing
  • Enabled MAC addresses in Suricata events (#866)
  • Enabled parsing of JA4D log generated by Zeek alongside dhcp.log (#870)
  • Strip out test PCAP from Zeek image (#872) to reduce image size and prevent image scanners from triggering false positives for the PCAPs' contents
  • Improvements to the IP Connections Tree dashboard

• ✅ Component version updates

  • Beats to v9.2.4
    • Migrated log inputs to filestream
  • codeql/upload-sarif action to v4
  • evtx to v0.11.0
  • Fluent Bit to v4.2.2
  • Keycloak to v26.5.0
  • Logstash to v9.2.4
  • NetBox to v4.4.10
  • OpenSearch Dashboards to v3.4.0
  • OpenSearch to v3.4.0
  • styfle/cancel-workflow-action to 0.13.0
  • supercronic to v0.2.41
  • Suricata to v8.0.3 (#873)
  • yq to v4.50.1
  • Zeek to v8.0.5
  • urllib3 Python library to v2.6.3 (addresses CVE-2026-21441)

• 🐛 Bug fixes

  • Malcolm API Loopback Monitor was being created multiple times (#856)
  • Disabled hardware NIC timestamping for capture (#851)
  • Fixed error in stun_nat log parsing with multiple WAN addresses (#849)
  • Fixed pruning of old log files (#855)
  • zeek_intel_setup.sh could leave an orphaned lock file if the container is killed, blocking future intel pulls (#843)
  • Fixed various parsing/templating issues for uploaded Windows Event (.evtx) files
  • Added text/php to "interesting" MIME types, and added application/html, application/ocsp-response, "application/x-pem-file, application/xhtml+xml, application/xml-sitemap, text/css, text/html, text/ini to "common/plain text" MIME types for extraction/scanning decisions
  • pcap-monitor container not honoring maximum PCAP file size (#864)

• ⚰️ Breaking changes and removed or deprecated functionality

  • The VirusTotal API key (VTOT_API2_KEY) environment variable for submitting extracted file SHA sums is not longer used. This functionality can now be achieved via the Google Threat Intelligence service (VirusTotal is now part of Google Threat Intelligence) or any supported intelligence feed.
  • Adding new a new log source parsing pipeline to Logstash no longer uses LOGSTASH_PARSE_PIPELINE_ADDRESSES. The new method uses a mapping file, described in the documentation.
  • EXTRACTED_FILE_ENABLE_CAPA, EXTRACTED_FILE_ENABLE_CLAMAV, and EXTRACTED_FILE_ENABLE_YARA are no longer used; scanners are now configured via the Strelka backend config file. See the documentation.
  • The definition of a file scanner "hit" is now more nuanced. quarantine/ and preserved/ subdirectories are no longer used in the Extracted Files web interface. Extracted files are more easily browsed and downloaded from the Files or File Scanning dashboards in OpenSearch Dashboards.
  • Malcolm's Zeek container image now places Zeek-related files under /usr/local/zeek instead of /opt/zeek. Update any custom volume mounts or references to /opt/zeek.

• 🧹 Code and project maintenance

  • Moved most scripts from ./shared/bin to their respective container folders. ./shared/bin/ now only contains scripts shared across multiple containers.
  • Updated Dockerfile syntax (ENV/ARG) to recommended format
  • Updated copyright year (2025 -> 2026)
  • Based the Malcolm Zeek image on the official Zeek image instead of building a custom image

• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

  • Updated default NetBox-enriched datasets (LOGSTASH_NETBOX_ENRICHMENT_DATASETS in logstash.env): filescan.strelka, suricata.alert, zeek.conn, zeek.dce_rpc, zeek.dhcp, zeek.dns, zeek.known_hosts, zeek.known_routers, zeek.known_services, zeek.login, zeek.ntlm, zeek.notice, zeek.rdp, zeek.rfb, zeek.signatures, zeek.smb_cmd, zeek.smb_files, zeek.smb_mapping, zeek.software, zeek.ssh, zeek.weird
  • Added FILEBEAT_SCANNER_FINGERPRINT_OFFSET and FILEBEAT_SCANNER_FINGERPRINT_LENGTH in filebeat.env to customize FileBeat filestream .file_identity and .prospector.scanner.fingerprint. See here, here, and here. FILEBEAT_WATCHER_POLLING now controls native- vs. fingerprint-based file identification.
  • Added filescan.env, filescan-secret.env, and pipeline.env; added variables to redis.env for Strelka-based file scanning. zeek-secret.env has been removed, with its values now in filescan-secret.env. Many values from zeek.env are now in filescan.env or [`pipe...

Malcolm v25.12.1

Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

v25.12.0...v25.12.1

• ✨ Features and enhancements
  • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
• ✅ Component version updates
  • supercronic to v0.2.40
  • Alpine (Docker base image) to v3.23
  • NetBox to v4.4.8
  • urllib3 to v2.6.0 (CVE-2025-66471, 8.9 High, GHSA-2xpw-w6gg-jr37)
• 🐛 Bug fixes
  • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
  • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
  • self-signed certificates not accepted by Chrome (#833)
  • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
• 🧹 Code and project maintenance
  • Added new Analytics section to documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.12.0

Malcolm v25.12.0 includes a unification of the Malcolm and Hedgehog Linux ISO-installed base OS platform, component updates, other new features and improvements, and several bug fixes.

v25.11.0...v25.12.0

• ✨ Features and enhancements
  • Reduce Hedgehog Linux complexity/duplicate code by running Malcolm in "hedgehog run profile" mode
    • We're moving Hedgehog Linux toward using the same containerized architecture as the Malcolm ISO, dramatically simplifying builds, upgrades, and ongoing maintenance. Today, Hedgehog runs tools like Arkime, Zeek, and Suricata as traditional system processes, but by shifting to the standard Malcolm container-based workflow - using the existing Hedgehog run-profile - we can eliminate large amounts of duplicated code while ensuring consistent performance and feature parity. This change will also streamline configuration and installation by unifying ISO build logic and leveraging the new Malcolm installation/configuration script. Overall, this consolidation promises a significantly cleaner codebase and a simpler experience for both users and maintainers going forward.
    • A few items of note:
      • The documentation for Hedgehog Linux installation and configuration is now unified with Malcolm's. The Hedgehog-specific items for configuring communication between Hedgehog and Malcolm can be found here. Unfortunately, the YouTube videos covering installation and configuration for Hedgehog Linux are now obsolete.
      • There are still two ISOs available for download, they are just generated from the same build workflow and script with slightly different arguments to preconfigure the environment for the correct run profile.
      • Configuring network interfaces is now done using NetworkManager rather than the old configure-interfaces script. New installations of Malcolm and Hedgehog Linux will not automatically request IP addresses using DHCP.
      • There should not be any difference in performance between the old Hedgehog Linux platform and the new one, as the same tuning optimizations are available for both platforms.
      • There isn't an upgrade path from previous installations of Hedgehog Linux to the new platform. It's recommended to back up /opt/sensor/sensor_ctl/control_vars.conf and any other relevant data or system configuration from existing sensors before overwriting them with this version. For the time being, older (recent) releases of Hedgehog Linux will be able to forward to the latest version of Malcolm.
      • We're still working on the Hedgehog Linux Raspberry Pi image, so it won't be included in this release.
      • If we missed something, you encounter problems, or you have suggestions, please start a discussion or create an issue.
  • include a few more types in the default netbox enrichment log set to improve the enrichments used when tracking lateral movement (often done over protocols like rdp, vnc, ssh, etc.)
  • integrate new SMILE analytics visualizations
    • Connections Tree (update)
    • BACnet Trends (new)
    • DNP3 Trends (new)
    • Modbus Trends (new)
    • RDP Connections Tree (new)
    • SSH Connections Tree (new)
  • Improvements to how self-signed certificates are generated during auth_setup
  • Hedgehog Linux kiosk-mode server now runs as non-root user
  • Numerous documentation improvements
• ✅ Component version updates
  • Arkime to v5.8.3
  • Supercronic to v0.2.39
  • yq to v4.49.2
  • NetBox to v4.4.6
  • KeyCloak to v26.4.7
  • Fluent Bit to v4.2.0
  • Capa to v9.3.1
  • Zeek to v8.0.4
  • Python packages throughout the project:
    • beautifulsoup4 to v4.14.2
    • certifi to v2025.11.12
    • click to v8.3.0
    • cryptography to v46.0.3
    • dateparser to v1.2.2
    • distro to v1.9.0
    • elasticsearch to v8.19.2
    • Flask to v3.1.2
    • GitPython to v3.1.45
    • gunicorn to v23.0.0
    • idna to v3.11
    • MarkupSafe to v3.0.3
    • opensearch-py to v3.1.0
    • paramiko to v4.0.0
    • patool to v4.0.2
    • pillow to v12.0.0
    • psutil to v7.1.3
    • psycopg2 to v2.9.11
    • pycryptodome to v3.23.0
    • pymisp to v2.5.17.2
    • pynetbox to v7.5.0
    • python-dotenv to v1.2.1
    • pyyaml to v6.0.3
    • pyzmq to v27.1.0
    • regex to v2025.11.3
    • requests to v2.32.5
    • setuptools to v80.9.0
    • supervisor to v4.3.0
    • urllib3 to v2.5.0
    • vt-py to v0.22.0
    • wheel to v0.45.1
    • yara-python to v4.5.4
• 🐛 Bug fixes
  • HTTP 400 errors with some NetBox API operations
  • NetBox autopopulation of sites provided by remote sensors doesn't always happen correctly
  • all URL field formatters, and "extracted file downloads" visualization in Files dashboard, are broken on Kibana
  • file-monitor's prune_files.sh may get uninitialized variable
  • install.py configure script does not populate the default for exposing the opensearch port correctly
  • redis service using wrong directory for persistence
  • some configuration items are not preserved on export/import
  • fixes to how the arkime and arkime-live containers use WISE (WISE is only run in the arkime container on a Malcolm instance running the malcolm run profile; other configurations connect to the container running WISE)
  • various fixes and improvements for the Hedgehog run-profile to support the ISO platform convergence discussed above
• 🧹 Code and project maintenance
  • Removed the deprecated ./scripts/legacy_install.py installer script in favor of the new install.py.
  • Improved the GitHub build workflows for building the container images and ISOs.
  • Removed the osd_transform_vis from Dashboards, as visualizations made with it would not work for Elastic/Kibana-based Malcolm installations.
  • Removed...

Malcolm v25.11.0

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

v25.09.0...v25.11.0

• ✨ Features and enhancements
  • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
  • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connetions between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
  • Updates to the Validated Design Architecture Review (VADR) dashboards.
  • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
• ✅ Component version updates
  • Arkime to v5.8.2
  • Fluent Bit to v4.1.1
  • Keycloak to v26.4.2
  • OpenResty to v1.27.1.2
  • OpenSearch Dashboards to v3.3.0
  • OpenSearch to v3.3.2
  • supercronic to v0.2.38
  • yq to v4.48.1
  • Zeek to v8.0.3
• 🐛 Bug fixes
  • Double imports when restarting Malcolm (#588) (thanks @KchChr)
• 🧹 Code and project maintenance
  • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
  • Malcolm
    • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.09.0

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (cisagov#762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (cisagov#725)
  • allow configuring default search time frame for OpenSearch Dashboards (cisagov#724)
  • allow customizing maximum upload file size (cisagov#769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (cisagov#703)
  • integrate Validated Architecture Design Review (VADR) dashboards (cisagov#780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (cisagov#758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (cisagov#764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (cisagov#774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (cisagov#779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (cisagov#761)
  • Failed shard query error on Overview dashboard (cisagov#754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (cisagov#717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (cisagov#769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (cisagov#724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.08.1

Malcolm v25.08.1 consists of several major component updates and a few bug fixes.

v25.08.0...v25.08.1

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Added Redis transport protocol and dashboard
• ✅ Component version updates
  • Beats to v8.19.2
  • Debian to v13 (cisagov/Malcolm#744) for ISO installer images and Debian-based containers
  • Fluent Bit to v4.0.8
  • Logstash to v8.19.2
  • NetBox to v4.3.6
  • OpenSearch and OpenSearch Dashboards to v3.2.0 (cisagov/Malcolm#751)
  • Supervisor to v4.3.0
  • Zeek to v8.0.1 (cisagov/Malcolm#750)
• 🐛 Bug fixes
  • Query workbench (SQL and PPL) is broken due to something to do with network index pattern field aliases (cisagov/Malcolm#746)
  • Zeek containers need to be limited in max number of open files or memory grows very large (cisagov/Malcolm#747)
  • avoid OpenSearch search shard failures by including unspecified roles in indexes during NetBox enrichment #(cisagov/Malcolm#749)
  • differences in MISP object/attribute formatting cause Malcolm to ignore some threat feed indicators (cisagov/Malcolm#753)
  • NetBox sites used for development testing included in release artifacts (cisagov/Malcolm#755)
  • wipe script no longer removes .gitignore files
• 🧹 Code and project maintenance
  • Standardized the way Python scripts in Malcolm (both in the containers and the control scripts) do debug/informational logging (increase logging level with -v, -vv, -vvv, etc.)
  • Removed vagrant-sshfs requirement from vagrant-based ISO builds in favor of Vagrant's builtin rsync mechanism

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.08.0

Malcolm v25.08.0 is a minor release fixing a regression bug inadvertently introduced in v25.07.0.

v25.07.0...v25.08.0

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Performance improvements to the clean-processed-folder.py script in the filebeat container responsible for pruning already-processed Zeek and Suricata log files (cisagov#736)
• 🐛 Bug fixes
  • Malcolm fields are not created in Arkime (cisagov#735)
    • Due to this commit, the order in which the Arkime fields database was initialized and the WISE service started was switched, which resulted in the initial run of capture (responsible for populating Malcolm's custom fields) failing. The order of these operations has been corrected.
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • FILEBEAT_CLEANUP_VERBOSITY and added to filebeat.env to control the verbosity of the clean-processed-folder.py script mentioned above in relation to cisagov#736. For example, setting FILEBEAT_CLEANUP_VERBOSITY=-vvvv corresponds to the DEBUG log level, and will produce output like this once per minute:

  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 2099 Zeek processed directory files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 135 Zeek live directory files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 2099 Zeek processed directory files at a rate of 10804 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 135 Zeek live directory files at a rate of 1411 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 161 Suricata files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 161 Suricata files at a rate of 18018 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Finished pruning files.
  

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.07.0 (see note about regression bug)

NOTE: A regression has been found (cisagov#735) in v25.07.0 that can cause the Malcolm fields to not get populated in Arkime's fields database when a new Malcolm instance is initialized. A fix is in the works. It's recommended you wait to upgrade until v25.08.0 (which should be released 2025-08-06).

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

v25.06.0...v25.07.0

• ✨ Features and enhancements
  • Add IANA service name and description enrichment to Zeek's known_services.log (cisagov#705)
  • Improve the speed of pruning files (cisagov#710)
  • allow multiple instance of Suricata in PCAP processing mode via UNIX socket (cisagov#707)
  • expose Arkime WISE tagging features to the user (cisagov#377)
  • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (cisagov#702)
  • handle new OPCUA Binary summary logs (cisagov#709)
  • incorporate new ANSI C12.22 parser and add corresponding dashboard (cisagov#708)
  • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
  • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
• ✅ Component version updates
  • Fluent Bit to v4.0.5
  • Arkime v5.7.1
  • Supercronic v0.2.34
  • OpenSearch and OpenSearch Dashboards v3.1.0
  • Keycloak v26.2.5
  • yq v4.47.1
  • NetBox v4.3.4
    • NetBox Initializers plugin v4.3.0
    • NetBox Topology Views plugin v4.3.0
  • Zeek v7.2.2
  • Spicy v1.13.2
  • urllib3 Python Library to v2.5.0 (addresses CVE-2025-50181)
  • ICSNPP Zeek network analyzer updates
    • BACnet parser fixes for previously unsupported services (see cisagov/icsnpp-bacnet#50 and cisagov/icsnpp-bacnet#51)
    • Ethernet/IP various fixes (cisagov/icsnpp-enip#34 (partial); cisagov/icsnpp-enip#35; cisagov/icsnpp-enip#36; cisagov/icsnpp-enip#37; cisagov/icsnpp-enip#38)
    • GENISYS minor updates (cisagov/icsnpp-genisys#25)
    • OPCUA Binary summary logs (cisagov/icsnpp-opcua-binary#102)
    • S7comm fixes for ACK message processing (cisagov/icsnpp-s7comm#19; cisagov/icsnpp-s7comm#20)
• 🐛 Bug fixes
  • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (cisagov#712)
  • packet capture statistics dashboard not working in Kibana (cisagov#704)
  • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (cisagov#713)
  • log fingerprinting needs to be examined to avoid unintentional collisions (cisagov#715)
  • install.py issues in Rocky Linux, Almalinux (cisagov#385)
  • OpenSearch container health check issue when OpenSearch is disabled (cisagov#716)
  • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (cisagov#701)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • VIEWER removed from arkime-live.env as its behavior is handled internally and should not be user-settable
    • VIEWER and WISE removed from arkime-offline.env as its behavior is handled internally and should not be user-settable
    • ARKIME_WISE_CONFIG_PIN_CODE and its default value added to arkime-secret.env, used for making changes to the WISE config in the WISE GUI
    • ARKIME_WISE_SERVICE_URL and its default value added to arkime-secret.env for specifying the connection to the WISE service
    • ARKIME_EXPOSE_WISE_GUI and ARKIME_ALLOW_WISE_GUI_CONFIG added to arkime.env to control the WISE GUI viewer/editor capability
    • LS_JAVA_OPTS in logstash.env changed its default heap size from 2500m to 3g
    • REMOTE_AUTH_HEADER, REMOTE_AUTH_USER_EMAIL, REMOTE_AUTH_USER_FIRST_NAME, and REMOTE_AUTH_USER_LAST_NAME values (not really used) changed in netbox.env as part of some reverse proxy HTTP header standardization
    • SURICATA_AUTO_ANALYZE_PCAP_PROCESSES added with its default, and the meaning and default of SURICATA_AUTO_ANALYZE_PCAP_THREADS changed in suricata-offline.env as part of cisagov#707
    • ZEEK_DISABLE_IANA_LOOKUP added to zeek.env as part of cisagov#705
    • variables related to ANSI C12.22 added to zeek.env to control analyzer and log output as part of cisagov#708
  • Hedgehog Linux
    • ARKIME_WISE_PLUGIN and ARKIME_WISE_URL added as part of cisagov#377
    • ZEEK_DISABLE_IANA_LOOKUP added as part of cisagov#705
    • variables related to ANSI C12.22 added as part of cisagov#708
• 🧹 Code and project maintenance
  • remove duplication and consolidate navigation pane content across all dashboards (cisagov#718)
  • standardized X-Forwarded- headers used internally by reverse proxy for RBAC
  • some cleanup/standardization of Ruby code used by Logstash to make it more idiomatic

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 ([release_cleaver.sh]...

Malcolm v25.06.0

Malcolm v25.06.0 includes a some new and oft-requested features, bug fixes, and component version bumps.

v25.05.0...v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

• ✨ Features and enhancements
  • This release adds role-based access control (RBAC) to Malcolm (cisagov#460).
    • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in to layers:
      1. Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm, for example:
         • OpenSearch (provided by the OpenSearch Security plugin)
           • Configuring the Security backend
           • Modifying the YAML files
           • Predefined roles
         • Arkime
           • Note: As per @awick, until Arkime v6.0.0 is out, not all of the Arkime permissions can be set on roles. For now, then, Malcolm's Arkime roles are going to be handled purely based on URI path in the NGINX stuff as described below.
         • NetBox
           • Authentication & Permissions
           • Object-Based Permissions
           • Mastering NetBox User Access with Permission Constraints
      2. For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement roles based on request URIs in its NGINX proxy layer.
    • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
    • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
    • See the role-based access control documentation for more information on this feature.
  • Malcolm's embedded KeyCloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
  • Allow user to specify subnet filters for NetBox autopopulation (cisagov#634)
    • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
  • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov#692)
  • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov#502)
    • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov#695.
  • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (#630)
  • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
  • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
  • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
  • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
  • NGINX now generates a robots.txt file to avoid web crawlers
• ✅ Component version updates
  • Alpine base Docker image to v3.22.0
  • Arkime to v5.7.0
  • capa to v9.2.1
  • flask-cors Python library to v6.0.0 to address CVE-2024-6839, CVE-2024-6844, and CVE-2024-6866
  • OpenSearch and OpenSearch Dashboards to v3.0.0
    • What To Expect
    • Announcing OpenSearch 3.0
    • Performance Improvements
  • opensearch-py Python library to v3.0.0
  • osd_transform_vis Dashboards visualization library to v3.0.0
  • requests Python library to v2.32.4 to address CVE-2024-47081
  • YARA to v4.5.3
  • Zeek to v7.2.1
• 🐛 Bug fixes
  • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov#699)
  • documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov#694)
  • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
  • Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • arkime.env's OPENSEARCH_MAX_SHARDS_PER_NODE has been moved to opensearch.env and renamed to CLUSTER_MAX_SHARDS_PER_NODE
  • auth-common.env's NGINX_LDAP_TLS_… variables have been moved to nginx.env
  • [auth-common.env](https://github.com...