Malcolm v24.09.0

Malcolm v24.09.0 contains new features and enhancements, component version updates, and bug fixes.

v24.08.0...v24.09.0

• Features and enhancements
  • When building Docker images and the Hedgehog Linux ISO, allow specifying alternate download URL for MaxMind GeoIP database files (#565)
  • Allow total index size-based pruning for opensearch-remote and elasticsearch-remote database modes (#446)
  • Allow splitting out indexes by other field values (#450)
  • Allow users to use the Arkime Lua plugin without having to create new bind volume mounts manually (#533)
  • Automatically create empty document on startup to avoid "no data" message spamming by Dashboards (#527 and #567)
  • Improvements to documentation and install.py for Linux performance tweaks (#495)
  • Include netbox-topology-views plugin by default (#553)
  • Integrate HART-IP parser (#561)
  • Add option to go backwards in Malcolm's dialog-based install.py installation and configuration script (#487)
  • Added Podman support (#407)
  • Update EtherNet/IP and CIP to account for new packet correlation ID (#558)
  • Update Network Traffic Analysis with Malcolm slides
• Component version updates
  • watchdog Python package to v5.0.x (#550)
  • supercronic to v0.2.32
  • osd_transform_vis to v2.16.0
  • Fluent Bit to v3.1.8
  • OpenSearch and OpenSearch Dashboards to v2.17.0
  • YARA to v4.5.2
  • Zeek to v7.0.1
  • Spicy to v1.11.1
  • elasticsearch-dsl Python package to v8.15.3
  • elasticsearch Python package to v8.15.1
  • Beats to v8.15.1
  • Logstath to 8.15.1
  • flask-cors Python package to v5.0.0 to address CVE-2024-6221
• Bug fixes
  • Filtering on hunt ID in Arkime not working (#554)
  • Hedgehog with OOB/VPN connection sets ARKIME_NODE_HOST incorrectly (#560 and #559, thanks @divinehawk)
  • Offline suricata Docker container does not initialize suricata.yml config file (#564)
• Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • Malcolm
    • The MALCOLM_NETWORK_INDEX_SUFFIX and MALCOLM_OTHER_INDEX_SUFFIX variables in ./config/opensearch.env now also support expanding dot-delimited field names in ｛｛ ｝｝ (e.g., ｛｛event.provider｝｝％{％y％m％d}).
    • MALCOLM_CONTAINER_RUNTIME has been added to ./config/process.env to indicate docker, podman, or kubernetes. This value only currently used in the install, configuration, and control scripts, not inside the containers themselves.
    • ZEEK_DISABLE_ICS_HART_IP has been added to ./config/zeek.env and can be set to true to disable the new HART-IP protocol parser.
  • Hedgehog Linux
    • ZEEK_DISABLE_ICS_HART_IP has been added to control_vars.conf and can be set to true to disable the new HART-IP protocol parser.

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.