diff --git a/Dockerfiles/curator.Dockerfile b/Dockerfiles/curator.Dockerfile
index 3661f8a18..e29af9b5a 100644
--- a/Dockerfiles/curator.Dockerfile
+++ b/Dockerfiles/curator.Dockerfile
@@ -55,9 +55,10 @@ ENV CURATOR_SNAPSHOT_REPO $CURATOR_SNAPSHOT_REPO
ENV CURATOR_SNAPSHOT_COMPRESSED $CURATOR_SNAPSHOT_COMPRESSED
ENV CURATOR_SNAPSHOT_DISABLED $CURATOR_SNAPSHOT_DISABLED
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
ENV CURATOR_VERSION "5.8.1"
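Review bot: The new `ENV SUPERCRONIC_VERSION "0.1.11"` line and the two lines derived from it use the legacy space-separated `ENV key value` form, which BuildKit's build check flags as LegacyKeyValueFormat; the nginx hunk in this same commit already writes `ENV NGINX_VERSION=1.19.3`, so `ENV SUPERCRONIC_VERSION="0.1.11"` would be consistent. Since the version, URL and checksum are only needed while the image is built, declaring them as `ARG` rather than `ENV` would keep the download URL and digest out of every running container's environment. The pin is still a SHA-1, which is no longer collision-resistant; verifying the download against a SHA-256 digest is preferable if upstream publishes one, and a comment such as `# SUPERCRONIC_SHA1SUM must be updated in lockstep with SUPERCRONIC_VERSION` would make the coupling explicit now that the version lives in its own variable. The same applies to the filebeat.Dockerfile and kibana.Dockerfile hunks below.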
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 7ac032b4a..42a58c7ab 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -38,9 +38,10 @@ ARG FILEBEAT_NGINX_LOG_PATH="/data/nginx"
ARG NGINX_LOG_ACCESS_AND_ERRORS=false
ARG AUTO_TAG=true
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
USER root
diff --git a/Dockerfiles/kibana.Dockerfile b/Dockerfiles/kibana.Dockerfile
index 25446a8a9..cee96b44d 100644
--- a/Dockerfiles/kibana.Dockerfile
+++ b/Dockerfiles/kibana.Dockerfile
@@ -39,9 +39,10 @@ ENV KIBANA_OFFLINE_REGION_MAPS_PORT $KIBANA_OFFLINE_REGION_MAPS_PORT
ENV PATH="/data:${PATH}"
ENV ELASTICSEARCH_URL $ELASTICSEARCH_URL
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
USER root
diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
index 10affc80f..a522e9269 100644
--- a/Dockerfiles/nginx.Dockerfile
+++ b/Dockerfiles/nginx.Dockerfile
@@ -100,7 +100,7 @@ ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP
ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL
# build latest nginx with nginx-auth-ldap
-ENV NGINX_VERSION=1.19.0
+ENV NGINX_VERSION=1.19.3
ENV NGINX_AUTH_LDAP_BRANCH=master
ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 43f50ddee..2e05647a6 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -6,17 +6,17 @@ ENV DEBIAN_FRONTEND noninteractive
# build zeek and plugins (spicy, additional protocol parsers, etc.)
-ENV BISON_VERSION "3.6.2"
+ENV BISON_VERSION "3.7.2"
ENV CCACHE_DIR "/var/spool/ccache"
ENV CCACHE_COMPRESS 1
ENV CMAKE_DIR "/opt/cmake"
-ENV CMAKE_VERSION "3.17.2"
+ENV CMAKE_VERSION "3.18.4"
ENV SPICY_DIR "/opt/spicy"
ENV SRC_BASE_DIR "/usr/local/src"
ENV ZEEK_DIR "/opt/zeek"
ENV ZEEK_PATCH_DIR "${SRC_BASE_DIR}/zeek-patches"
ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"
-ENV ZEEK_VERSION "3.0.10"
+ENV ZEEK_VERSION "3.0.11"
# using clang now instead of gcc because Spicy depends on it
ENV LLVM_VERSION "10"
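Review bot: `ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"` is declared two lines before `ENV ZEEK_VERSION "3.0.11"`, and Dockerfile variable substitution happens when each instruction is evaluated, so unless ZEEK_VERSION is already set earlier in the file (outside this hunk, e.g. as an ARG) ZEEK_SRC_DIR expands to `/usr/local/src/zeek-` and the bump to 3.0.11 never reaches it. Moving the version line above the path that uses it fixes the ordering: `ENV ZEEK_VERSION "3.0.11"` followed by `ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"`. The resulting value can be confirmed with `docker image inspect` on the built image.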
@@ -171,8 +171,8 @@ ENV PATH "${ZEEK_DIR}/bin:${SPICY_DIR}/bin:${PATH}"
# sanity check to make sure the plugins installed and copied over correctly
# these ENVs should match the number of third party plugins installed by zeek_install_plugins.sh
-ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22
-ENV ZEEK_THIRD_PARTY_GREP_STRING "(spicy/main|Bro_LDAP/scripts/main|Corelight/PE_XOR/main|Salesforce/GQUIC/main|Zeek_AF_Packet/scripts/init|bzar/main|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|hassh/hassh|ja3/ja3|zeek-community-id/main|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-plugin-bacnet/main|zeek-plugin-enip/main|zeek-plugin-profinet/main|zeek-plugin-s7comm/main|zeek-plugin-tds/main|zeek-sniffpass/main|CVE-2020-1350|ripple20|callstranger)\.(zeek|bro)"
+ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 25
+ENV ZEEK_THIRD_PARTY_GREP_STRING "(Bro_LDAP/scripts/main|bzar/main|callstranger|Corelight/PE_XOR/main|cve-2020-0601|CVE-2020-1350|cve-2020-13777|CVE-2020-16898|hassh/hassh|ja3/ja3|ripple20|Salesforce/GQUIC/main|spicy-noise|spicy/main|zeek-community-id/main|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-plugin-bacnet/main|zeek-plugin-enip/main|zeek-plugin-profinet/main|zeek-plugin-s7comm/main|zeek-plugin-tds/main|zeek-sniffpass/main|Zeek_AF_Packet/scripts/init|zerologon/main)\.(zeek|bro)"
RUN mkdir -p /tmp/logs && \
cd /tmp/logs && \
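Review bot: The rewritten ZEEK_THIRD_PARTY_GREP_STRING replaces the anchored `cve-2020-0601/cve-2020-0601` and `cve-2020-13777/cve-2020-13777` alternatives with bare `cve-2020-0601` and `cve-2020-13777`, and adds several other directory-less names (`callstranger`, `ripple20`, `spicy-noise`, `CVE-2020-16898`), so a single plugin that ships more than one matching `.zeek`/`.bro` file could satisfy the count of 25 while another plugin is missing entirely — the sanity check this pattern feeds is outside the hunk, so this is inferred from the comment above it. If the plugin layouts allow it, keeping the `dir/file` form for every entry keeps the count exact; otherwise a comment recording why the bare names are needed (`# bare names: these plugins install a single top-level script`) would stop a future maintainer from re-anchoring them. The RUN instruction that follows continues past the end of the hunk.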
diff --git a/README.md b/README.md
index a3eb368e5..c2984c41a 100644
--- a/README.md
+++ b/README.md
@@ -157,22 +157,22 @@ You can then observe that the images have been retrieved by running `docker imag
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-malcolmnetsec/curator 2.4.0 xxxxxxxxxxxx 40 hours ago 256MB
-malcolmnetsec/elastalert 2.4.0 xxxxxxxxxxxx 40 hours ago 410MB
-malcolmnetsec/elasticsearch-oss 2.4.0 xxxxxxxxxxxx 40 hours ago 690MB
-malcolmnetsec/file-monitor 2.4.0 xxxxxxxxxxxx 39 hours ago 470MB
-malcolmnetsec/file-upload 2.4.0 xxxxxxxxxxxx 39 hours ago 199MB
-malcolmnetsec/filebeat-oss 2.4.0 xxxxxxxxxxxx 39 hours ago 555MB
-malcolmnetsec/freq 2.4.0 xxxxxxxxxxxx 39 hours ago 390MB
-malcolmnetsec/htadmin 2.4.0 xxxxxxxxxxxx 39 hours ago 180MB
-malcolmnetsec/kibana-oss 2.4.0 xxxxxxxxxxxx 40 hours ago 1.16GB
-malcolmnetsec/logstash-oss 2.4.0 xxxxxxxxxxxx 39 hours ago 1.41GB
-malcolmnetsec/moloch 2.4.0 xxxxxxxxxxxx 17 hours ago 683MB
-malcolmnetsec/name-map-ui 2.4.0 xxxxxxxxxxxx 39 hours ago 137MB
-malcolmnetsec/nginx-proxy 2.4.0 xxxxxxxxxxxx 39 hours ago 120MB
-malcolmnetsec/pcap-capture 2.4.0 xxxxxxxxxxxx 39 hours ago 111MB
-malcolmnetsec/pcap-monitor 2.4.0 xxxxxxxxxxxx 39 hours ago 157MB
-malcolmnetsec/zeek 2.4.0 xxxxxxxxxxxx 39 hours ago 887MB
+malcolmnetsec/curator 2.4.1 xxxxxxxxxxxx 40 hours ago 256MB
+malcolmnetsec/elastalert 2.4.1 xxxxxxxxxxxx 40 hours ago 410MB
+malcolmnetsec/elasticsearch-oss 2.4.1 xxxxxxxxxxxx 40 hours ago 690MB
+malcolmnetsec/file-monitor 2.4.1 xxxxxxxxxxxx 39 hours ago 470MB
+malcolmnetsec/file-upload 2.4.1 xxxxxxxxxxxx 39 hours ago 199MB
+malcolmnetsec/filebeat-oss 2.4.1 xxxxxxxxxxxx 39 hours ago 555MB
+malcolmnetsec/freq 2.4.1 xxxxxxxxxxxx 39 hours ago 390MB
+malcolmnetsec/htadmin 2.4.1 xxxxxxxxxxxx 39 hours ago 180MB
+malcolmnetsec/kibana-oss 2.4.1 xxxxxxxxxxxx 40 hours ago 1.16GB
+malcolmnetsec/logstash-oss 2.4.1 xxxxxxxxxxxx 39 hours ago 1.41GB
+malcolmnetsec/moloch 2.4.1 xxxxxxxxxxxx 17 hours ago 683MB
+malcolmnetsec/name-map-ui 2.4.1 xxxxxxxxxxxx 39 hours ago 137MB
+malcolmnetsec/nginx-proxy 2.4.1 xxxxxxxxxxxx 39 hours ago 120MB
+malcolmnetsec/pcap-capture 2.4.1 xxxxxxxxxxxx 39 hours ago 111MB
+malcolmnetsec/pcap-monitor 2.4.1 xxxxxxxxxxxx 39 hours ago 157MB
+malcolmnetsec/zeek 2.4.1 xxxxxxxxxxxx 39 hours ago 887MB
```
#### Import from pre-packaged tarballs
@@ -235,6 +235,7 @@ Malcolm leverages the following excellent open source tools, among others.
* Andrew Klaus's [Sniffpass](https://github.com/cybera/zeek-sniffpass) plugin for detecting cleartext passwords in HTTP POST requests
* Andrew Klaus's [zeek-httpattacks](https://github.com/precurse/zeek-httpattacks) plugin for detecting noncompliant HTTP requests
* Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
+ * Corelight's ["bad neighbor" (CVE-2020-16898)](https://github.com/corelight/CVE-2020-16898) plugin
* Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin
* Corelight's [community ID](https://github.com/corelight/zeek-community-id) flow hashing plugin
* Corelight's [ripple20](https://github.com/corelight/ripple20) plugin
@@ -1430,7 +1431,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu
```
…
-Finished, created "/malcolm-build/malcolm-iso/malcolm-2.4.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-2.4.1.iso"
…
```
@@ -1829,22 +1830,22 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-malcolmnetsec/curator 2.4.0 xxxxxxxxxxxx 40 hours ago 256MB
-malcolmnetsec/elastalert 2.4.0 xxxxxxxxxxxx 40 hours ago 410MB
-malcolmnetsec/elasticsearch-oss 2.4.0 xxxxxxxxxxxx 40 hours ago 690MB
-malcolmnetsec/file-monitor 2.4.0 xxxxxxxxxxxx 39 hours ago 470MB
-malcolmnetsec/file-upload 2.4.0 xxxxxxxxxxxx 39 hours ago 199MB
-malcolmnetsec/filebeat-oss 2.4.0 xxxxxxxxxxxx 39 hours ago 555MB
-malcolmnetsec/freq 2.4.0 xxxxxxxxxxxx 39 hours ago 390MB
-malcolmnetsec/htadmin 2.4.0 xxxxxxxxxxxx 39 hours ago 180MB
-malcolmnetsec/kibana-oss 2.4.0 xxxxxxxxxxxx 40 hours ago 1.16GB
-malcolmnetsec/logstash-oss 2.4.0 xxxxxxxxxxxx 39 hours ago 1.41GB
-malcolmnetsec/moloch 2.4.0 xxxxxxxxxxxx 17 hours ago 683MB
-malcolmnetsec/name-map-ui 2.4.0 xxxxxxxxxxxx 39 hours ago 137MB
-malcolmnetsec/nginx-proxy 2.4.0 xxxxxxxxxxxx 39 hours ago 120MB
-malcolmnetsec/pcap-capture 2.4.0 xxxxxxxxxxxx 39 hours ago 111MB
-malcolmnetsec/pcap-monitor 2.4.0 xxxxxxxxxxxx 39 hours ago 157MB
-malcolmnetsec/zeek 2.4.0 xxxxxxxxxxxx 39 hours ago 887MB
+malcolmnetsec/curator 2.4.1 xxxxxxxxxxxx 40 hours ago 256MB
+malcolmnetsec/elastalert 2.4.1 xxxxxxxxxxxx 40 hours ago 410MB
+malcolmnetsec/elasticsearch-oss 2.4.1 xxxxxxxxxxxx 40 hours ago 690MB
+malcolmnetsec/file-monitor 2.4.1 xxxxxxxxxxxx 39 hours ago 470MB
+malcolmnetsec/file-upload 2.4.1 xxxxxxxxxxxx 39 hours ago 199MB
+malcolmnetsec/filebeat-oss 2.4.1 xxxxxxxxxxxx 39 hours ago 555MB
+malcolmnetsec/freq 2.4.1 xxxxxxxxxxxx 39 hours ago 390MB
+malcolmnetsec/htadmin 2.4.1 xxxxxxxxxxxx 39 hours ago 180MB
+malcolmnetsec/kibana-oss 2.4.1 xxxxxxxxxxxx 40 hours ago 1.16GB
+malcolmnetsec/logstash-oss 2.4.1 xxxxxxxxxxxx 39 hours ago 1.41GB
+malcolmnetsec/moloch 2.4.1 xxxxxxxxxxxx 17 hours ago 683MB
+malcolmnetsec/name-map-ui 2.4.1 xxxxxxxxxxxx 39 hours ago 137MB
+malcolmnetsec/nginx-proxy 2.4.1 xxxxxxxxxxxx 39 hours ago 120MB
+malcolmnetsec/pcap-capture 2.4.1 xxxxxxxxxxxx 39 hours ago 111MB
+malcolmnetsec/pcap-monitor 2.4.1 xxxxxxxxxxxx 39 hours ago 157MB
+malcolmnetsec/zeek 2.4.1 xxxxxxxxxxxx 39 hours ago 887MB
```
Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 2a1343c70..b513f5114 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -126,7 +126,7 @@ x-pcap-capture-variables: &pcap-capture-variables
services:
elasticsearch:
- image: malcolmnetsec/elasticsearch-oss:2.4.0
+ image: malcolmnetsec/elasticsearch-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -161,7 +161,7 @@ services:
retries: 3
start_period: 180s
kibana:
- image: malcolmnetsec/kibana-oss:2.4.0
+ image: malcolmnetsec/kibana-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -187,7 +187,7 @@ services:
retries: 3
start_period: 210s
elastalert:
- image: malcolmnetsec/elastalert:2.4.0
+ image: malcolmnetsec/elastalert:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -215,7 +215,7 @@ services:
retries: 3
start_period: 210s
curator:
- image: malcolmnetsec/curator:2.4.0
+ image: malcolmnetsec/curator:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -234,7 +234,7 @@ services:
retries: 3
start_period: 30s
logstash:
- image: malcolmnetsec/logstash-oss:2.4.0
+ image: malcolmnetsec/logstash-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -267,7 +267,7 @@ services:
retries: 3
start_period: 600s
filebeat:
- image: malcolmnetsec/filebeat-oss:2.4.0
+ image: malcolmnetsec/filebeat-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -304,7 +304,7 @@ services:
retries: 3
start_period: 60s
moloch:
- image: malcolmnetsec/moloch:2.4.0
+ image: malcolmnetsec/moloch:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -343,7 +343,7 @@ services:
retries: 3
start_period: 210s
zeek:
- image: malcolmnetsec/zeek:2.4.0
+ image: malcolmnetsec/zeek:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -369,7 +369,7 @@ services:
retries: 3
start_period: 60s
file-monitor:
- image: malcolmnetsec/file-monitor:2.4.0
+ image: malcolmnetsec/file-monitor:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -390,7 +390,7 @@ services:
retries: 3
start_period: 60s
pcap-capture:
- image: malcolmnetsec/pcap-capture:2.4.0
+ image: malcolmnetsec/pcap-capture:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -416,7 +416,7 @@ services:
retries: 3
start_period: 60s
pcap-monitor:
- image: malcolmnetsec/pcap-monitor:2.4.0
+ image: malcolmnetsec/pcap-monitor:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -439,7 +439,7 @@ services:
retries: 3
start_period: 90s
upload:
- image: malcolmnetsec/file-upload:2.4.0
+ image: malcolmnetsec/file-upload:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -465,7 +465,7 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: malcolmnetsec/htadmin:2.4.0
+ image: malcolmnetsec/htadmin:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -487,7 +487,7 @@ services:
retries: 3
start_period: 60s
freq:
- image: malcolmnetsec/freq:2.4.0
+ image: malcolmnetsec/freq:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -505,7 +505,7 @@ services:
retries: 3
start_period: 60s
name-map-ui:
- image: malcolmnetsec/name-map-ui:2.4.0
+ image: malcolmnetsec/name-map-ui:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -526,7 +526,7 @@ services:
retries: 3
start_period: 60s
nginx-proxy:
- image: malcolmnetsec/nginx-proxy:2.4.0
+ image: malcolmnetsec/nginx-proxy:2.4.1
restart: "no"
stdin_open: false
tty: true
diff --git a/docker-compose.yml b/docker-compose.yml
index 9f00df0b8..22ee36957 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -129,7 +129,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/elasticsearch.Dockerfile
- image: malcolmnetsec/elasticsearch-oss:2.4.0
+ image: malcolmnetsec/elasticsearch-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -167,7 +167,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/kibana.Dockerfile
- image: malcolmnetsec/kibana-oss:2.4.0
+ image: malcolmnetsec/kibana-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -196,7 +196,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/elastalert.Dockerfile
- image: malcolmnetsec/elastalert:2.4.0
+ image: malcolmnetsec/elastalert:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -227,7 +227,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/curator.Dockerfile
- image: malcolmnetsec/curator:2.4.0
+ image: malcolmnetsec/curator:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -251,7 +251,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/logstash.Dockerfile
- image: malcolmnetsec/logstash-oss:2.4.0
+ image: malcolmnetsec/logstash-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -289,7 +289,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/filebeat.Dockerfile
- image: malcolmnetsec/filebeat-oss:2.4.0
+ image: malcolmnetsec/filebeat-oss:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -330,7 +330,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/moloch.Dockerfile
- image: malcolmnetsec/moloch:2.4.0
+ image: malcolmnetsec/moloch:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -375,7 +375,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/zeek.Dockerfile
- image: malcolmnetsec/zeek:2.4.0
+ image: malcolmnetsec/zeek:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -405,7 +405,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: malcolmnetsec/file-monitor:2.4.0
+ image: malcolmnetsec/file-monitor:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -429,7 +429,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: malcolmnetsec/pcap-capture:2.4.0
+ image: malcolmnetsec/pcap-capture:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -458,7 +458,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: malcolmnetsec/pcap-monitor:2.4.0
+ image: malcolmnetsec/pcap-monitor:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -484,7 +484,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-upload.Dockerfile
- image: malcolmnetsec/file-upload:2.4.0
+ image: malcolmnetsec/file-upload:2.4.1
restart: "no"
stdin_open: false
tty: true
@@ -510,7 +510,7 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: malcolmnetsec/htadmin:2.4.0
+ image: malcolmnetsec/htadmin:2.4.1
build:
context: .
dockerfile: Dockerfiles/htadmin.Dockerfile
@@ -535,7 +535,7 @@ services:
retries: 3
start_period: 60s
freq:
- image: malcolmnetsec/freq:2.4.0
+ image: malcolmnetsec/freq:2.4.1
build:
context: .
dockerfile: Dockerfiles/freq.Dockerfile
@@ -556,7 +556,7 @@ services:
retries: 3
start_period: 60s
name-map-ui:
- image: malcolmnetsec/name-map-ui:2.4.0
+ image: malcolmnetsec/name-map-ui:2.4.1
build:
context: .
dockerfile: Dockerfiles/name-map-ui.Dockerfile
@@ -583,7 +583,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/nginx.Dockerfile
- image: malcolmnetsec/nginx-proxy:2.4.0
+ image: malcolmnetsec/nginx-proxy:2.4.1
restart: "no"
stdin_open: false
tty: true
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index 92db518e1..1e26a329d 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -74,7 +74,7 @@ if [ -d "$WORKDIR" ]; then
echo "linux-image-$(uname -r)" > ./config/package-lists/kernel.list.chroot
echo "linux-headers-$(uname -r)" >> ./config/package-lists/kernel.list.chroot
echo "linux-compiler-gcc-8-x86=$(dpkg -s linux-compiler-gcc-8-x86 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
- echo "linux-kbuild-5.7=$(dpkg -s linux-kbuild-5.7 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
+ echo "linux-kbuild-5.8=$(dpkg -s linux-kbuild-5.8 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux=$(dpkg -s firmware-linux | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux-nonfree=$(dpkg -s firmware-linux-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-misc-nonfree=$(dpkg -s firmware-misc-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
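Review bot: `linux-kbuild-5.8` is hardcoded while the kernel image and headers lines just above derive their version from `$(uname -r)`, so the two can drift: if the build host runs a kernel other than 5.8, `dpkg -s linux-kbuild-5.8` fails and, because the pipeline's exit status is never checked, the script silently writes `linux-kbuild-5.8=` with an empty version into kernel.list.chroot. Deriving the series from the running kernel keeps them in sync, e.g. `KBUILD_VER="$(uname -r | cut -d. -f1,2)"` and then `echo "linux-kbuild-$KBUILD_VER=$(dpkg -s linux-kbuild-$KBUILD_VER | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot`, ideally under `set -o pipefail` so a missing package aborts the build instead of producing a broken package list. The enclosing `if [ -d "$WORKDIR" ]` block starts and ends outside the hunk. The same applies to the sensor-iso/build.sh hunk at `@@ -77,7 +77,7 @@`.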
diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile
index 6e6045700..14e9cad16 100644
--- a/malcolm-iso/vagrant/Vagrantfile
+++ b/malcolm-iso/vagrant/Vagrantfile
@@ -37,10 +37,10 @@ Vagrant.configure("2") do |config|
echo "deb http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list
echo "deb-src http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list
apt-get update
- export KERNEL_VERSION=$(apt-cache search linux-image-5 | grep -Pv -- '(-(rt|cloud)-amd64|amd64-(dbg|unsigned))' | sort -r --sort=version | awk '{print $1}' | head -n 1 | sed 's/^linux-image-//' | sed 's/-amd64$//')
+ export KERNEL_VERSION=$(apt-cache search linux-image-5.8 | grep -Pv -- '(-(rt|cloud)-amd64|amd64-(dbg|unsigned))' | sort -r --sort=version | awk '{print $1}' | head -n 1 | sed 's/^linux-image-//' | sed 's/-amd64$//')
apt-get -t buster-backports install -y \
linux-image-$KERNEL_VERSION-amd64 linux-headers-$KERNEL_VERSION-amd64 linux-headers-$KERNEL_VERSION-common \
- dkms build-essential linux-kbuild-5.7 linux-compiler-gcc-8-x86 \
+ dkms build-essential linux-kbuild-5.8 linux-compiler-gcc-8-x86 \
firmware-linux firmware-linux-nonfree firmware-misc-nonfree firmware-amd-graphics
ls /dev/disk/by-id/ata-* | grep -v '\\-part' | head -n 1 | xargs -r -l grub-install
STEP1
diff --git a/scripts/build.sh b/scripts/build.sh
index 7deb433aa..3300572f8 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -101,7 +101,7 @@ FILES_IN_IMAGES=(
"/var/www/html/list.min.js;name-map-ui"
"/var/www/html/jquery.min.js;name-map-ui"
"/opt/zeek/bin/zeek;zeek"
- "/opt/spicy/lib/spicy/Zeek_Spicy/lib/Zeek-Spicy.linux-x86_64.so;zeek"
+ "/opt/spicy/lib/libspicy.so;zeek"
)
for i in ${FILES_IN_IMAGES[@]}; do
FILE="$(echo "$i" | cut -d';' -f1)"
diff --git a/sensor-iso/README.md b/sensor-iso/README.md
index 0ba6d4696..f050739f9 100644
--- a/sensor-iso/README.md
+++ b/sensor-iso/README.md
@@ -404,7 +404,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
```
…
-Finished, created "/sensor-build/hedgehog-2.4.0.iso"
+Finished, created "/sensor-build/hedgehog-2.4.1.iso"
…
```
diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh
index d59f23eed..be4f27ed9 100755
--- a/sensor-iso/build.sh
+++ b/sensor-iso/build.sh
@@ -77,7 +77,7 @@ if [ -d "$WORKDIR" ]; then
echo "linux-image-$(uname -r)" > ./config/package-lists/kernel.list.chroot
echo "linux-headers-$(uname -r)" >> ./config/package-lists/kernel.list.chroot
echo "linux-compiler-gcc-8-x86=$(dpkg -s linux-compiler-gcc-8-x86 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
- echo "linux-kbuild-5.7=$(dpkg -s linux-kbuild-5.7 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
+ echo "linux-kbuild-5.8=$(dpkg -s linux-kbuild-5.8 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux=$(dpkg -s firmware-linux | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux-nonfree=$(dpkg -s firmware-linux-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-misc-nonfree=$(dpkg -s firmware-misc-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
@@ -140,9 +140,9 @@ if [ -d "$WORKDIR" ]; then
# clone and build custom protologbeat from github for logging temperature, etc.
mkdir -p ./config/includes.chroot/usr/local/bin/
bash "$SCRIPT_PATH/beats/build-docker-image.sh"
- bash "$SCRIPT_PATH/beats/beat-build.sh" -b "https://github.com/mmguero/protologbeat" -t "es_762_compat"
- cp github.com_mmguero_protologbeat/protologbeat ./config/includes.chroot/opt/hedgehog_install_artifacts/
- mv github.com_mmguero_protologbeat/protologbeat ./config/includes.chroot/usr/local/bin
+ bash "$SCRIPT_PATH/beats/beat-build.sh" -b "https://github.com/mmguero-dev/protologbeat" -t "es_762_compat"
+ cp github.com_mmguero-dev_protologbeat/protologbeat ./config/includes.chroot/opt/hedgehog_install_artifacts/
+ mv github.com_mmguero-dev_protologbeat/protologbeat ./config/includes.chroot/usr/local/bin
# format and copy documentation
pushd "$SCRIPT_PATH/"
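Review bot: The protologbeat build still fetches a mutable ref (`-t "es_762_compat"`) from the new `mmguero-dev` location, so the binary that lands in `/usr/local/bin` and in the install artifacts can change between builds with no change to this script; pinning to a specific commit (`-t "<commit-sha>"`, if beat-build.sh accepts one — cannot tell from here) or checking the built binary against a recorded digest would make the ISO build reproducible and would surface a clone that resolves to something unexpected. The `cp` and `mv` lines also hardcode the clone directory name `github.com_mmguero-dev_protologbeat`, which is presumably derived from the `-b` URL by beat-build.sh; a comment such as `# clone dir name is derived from the -b URL by beat-build.sh; update all three lines together` would keep the next relocation from missing one of them. The enclosing `if [ -d "$WORKDIR" ]` block starts and ends outside the hunk.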
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index 1679512a8..2eaac5445 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -7,7 +7,7 @@ NETSNIFF_URL="https://github.com/netsniff-ng/netsniff-ng/archive/v$NETSNIFF_VER.
SPICY_DIR="/opt/spicy"
ZEEK_DIR="/opt/zeek"
-ZEEK_VER="3.0.10"
+ZEEK_VER="3.0.11"
ZEEK_URL="https://old.zeek.org/downloads/zeek-$ZEEK_VER.tar.gz"
ZEEK_PATCH_URLS=(
# nothing here for now
@@ -19,10 +19,10 @@ BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX"
BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb"
CMAKE_DIR="/opt/cmake"
-CMAKE_VER="3.17.2"
+CMAKE_VER="3.18.4"
CMAKE_URL="https://github.com/Kitware/CMake/releases/download/v${CMAKE_VER}/cmake-${CMAKE_VER}-Linux-x86_64.tar.gz"
-BISON_VER="3.6.2"
+BISON_VER="3.7.2"
BISON_URL="https://ftp.gnu.org/gnu/bison/bison-${BISON_VER}.tar.gz"
YARA_VERSION="4.0.2"
diff --git a/sensor-iso/docs/Notes.md b/sensor-iso/docs/Notes.md
index 854ce142a..adab3f0fe 100644
--- a/sensor-iso/docs/Notes.md
+++ b/sensor-iso/docs/Notes.md
@@ -113,12 +113,12 @@ $ /usr/sbin/tcpdump \
### Compiling Moloch from source
-At the time of writing, the [current stable release](https://github.com/aol/moloch/blob/master/CHANGELOG) of Moloch is [v2.4.0](https://github.com/aol/moloch/releases/tag/v2.4.0). The following bash script was used to install Moloch's build dependencies, download Moloch, build a Debian .deb package using [fpm](https://github.com/jordansissel/fpm) and install it. In building Hedgehog Linux, the building of this .deb is done inside a Docker container dedicated to that purpose.
+At the time of writing, the [current stable release](https://github.com/aol/moloch/blob/master/CHANGELOG) of Moloch is [v2.4.1](https://github.com/aol/moloch/releases/tag/v2.4.1). The following bash script was used to install Moloch's build dependencies, download Moloch, build a Debian .deb package using [fpm](https://github.com/jordansissel/fpm) and install it. In building Hedgehog Linux, the building of this .deb is done inside a Docker container dedicated to that purpose.
```bash
#!/bin/bash
-MOLOCH_VERSION="2.4.0"
+MOLOCH_VERSION="2.4.1"
MOLOCHDIR="/opt/moloch"
OUTPUT_DIR="/tmp"
diff --git a/sensor-iso/vagrant/Vagrantfile b/sensor-iso/vagrant/Vagrantfile
index de53361f6..a925b67a8 100644
--- a/sensor-iso/vagrant/Vagrantfile
+++ b/sensor-iso/vagrant/Vagrantfile
@@ -37,10 +37,10 @@ Vagrant.configure("2") do |config|
echo "deb http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list
echo "deb-src http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list
apt-get update
- export KERNEL_VERSION=$(apt-cache search linux-image-5 | grep -Pv -- '(-(rt|cloud)-amd64|amd64-(dbg|unsigned))' | sort -r --sort=version | awk '{print $1}' | head -n 1 | sed 's/^linux-image-//' | sed 's/-amd64$//')
+ export KERNEL_VERSION=$(apt-cache search linux-image-5.8 | grep -Pv -- '(-(rt|cloud)-amd64|amd64-(dbg|unsigned))' | sort -r --sort=version | awk '{print $1}' | head -n 1 | sed 's/^linux-image-//' | sed 's/-amd64$//')
apt-get -t buster-backports install -y \
linux-image-$KERNEL_VERSION-amd64 linux-headers-$KERNEL_VERSION-amd64 linux-headers-$KERNEL_VERSION-common \
- dkms build-essential linux-kbuild-5.7 linux-compiler-gcc-8-x86 \
+ dkms build-essential linux-kbuild-5.8 linux-compiler-gcc-8-x86 \
firmware-linux firmware-linux-nonfree firmware-misc-nonfree firmware-amd-graphics
ls /dev/disk/by-id/ata-* | grep -v '\\-part' | head -n 1 | xargs -r -l grub-install
STEP1
diff --git a/shared/bin/zeek_carve_utils.py b/shared/bin/zeek_carve_utils.py
index 7cd937ee8..49e554a54 100644
--- a/shared/bin/zeek_carve_utils.py
+++ b/shared/bin/zeek_carve_utils.py
@@ -218,7 +218,7 @@ def dictsearch(d, target):
# └----------------┘ └---------------┘└------------------------------------------------------------------------------------------┘
# UID FID subst_string(smb_name, "\\", "_"))
#
-# (see https://github.com/mitre-attack/bzar/blob/master/scripts/bzar_files.bro#L50)
+# (see https://github.com/mitre-attack/bzar/blob/master/scripts/bzar_files.zeek#L50)
def extracted_filespec_to_fields(filespec):
baseFileSpec = os.path.basename(filespec)
match = re.search(r'^(?P.*)-(?P.*)-(?P.*)-(?P