Malcolm v25.07.0

[mmguero]

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

v25.06.0...v25.07.0

• ✨ Features and enhancements
  • Add IANA service name and description enrichment to Zeek's known_services.log (Add IANA service name and description enrichment to Zeek's known_services.log #705)
  • Improve the speed of pruning files (Improve the speed of pruning files #710)
  • allow multiple instance of Suricata in PCAP processing mode via UNIX socket (allow multiple instance of Suricata in PCAP processing mode via UNIX socket #707)
  • expose Arkime WISE tagging features to the user (expose WISE tagging features to the user #377)
  • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY #702)
  • handle new OPCUA Binary summary logs (handle new OPCUA summary logs #709)
  • incorporate new ANSI C12.22 parser and add corresponding dashboard (incorporate new ANSI C12.22 parser #708)
  • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
  • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
• ✅ Component version updates
  • Fluent Bit to v4.0.5
  • Arkime v5.7.1
  • Supercronic v0.2.34
  • OpenSearch and OpenSearch Dashboards v3.1.0
  • Keycloak v26.2.5
  • yq v4.47.1
  • NetBox v4.3.4
    • NetBox Initializers plugin v4.3.0
    • NetBox Topology Views plugin v4.3.0
  • Zeek v7.2.2
  • Spicy v1.13.2
  • urllib3 Python Library to v2.5.0 (addresses CVE-2025-50181)
  • ICSNPP Zeek network analyzer updates
    • BACnet parser fixes for previously unsupported services (see Unsupported BACnet Services icsnpp-bacnet#50 and Adding previously unmapped services to logs icsnpp-bacnet#51)
    • Ethernet/IP various fixes (CIP service name enum is inaccurate icsnpp-enip#34 (partial); multiple_service_request event issue icsnpp-enip#35; Quick fix to address improperly labeled services icsnpp-enip#36; Set Attribute Single Service not parsed icsnpp-enip#37; Fixes for Issues #35 and #37 icsnpp-enip#38)
    • GENISYS minor updates (Refactoring enums to prevent parser erroring out icsnpp-genisys#25)
    • OPCUA Binary summary logs (Add Summary Logs icsnpp-opcua-binary#102)
    • S7comm fixes for ACK message processing (unit test failed icsnpp-s7comm#19; Fix S7Comm Installation Issues icsnpp-s7comm#20)
• 🐛 Bug fixes
  • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch #712)
  • packet capture statistics dashboard not working in Kibana (packet capture statistics dashboard not working in Kibana #704)
  • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana #713)
  • log fingerprinting needs to be examined to avoid unintentional collisions (log fingerprinting needs to be examined to avoid unintentional collisions #715)
  • install.py issues in Rocky Linux, Almalinux (install.py issues in Rocky Linux, Almalinux #385)
  • OpenSearch container health check issue when OpenSearch is disabled (OpenSearch container health check issue when OpenSearch is disabled #716)
  • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint #701)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • VIEWER removed from arkime-live.env as its behavior is handled internally and should not be user-settable
    • VIEWER and WISE removed from arkime-offline.env as its behavior is handled internally and should not be user-settable
    • ARKIME_WISE_CONFIG_PIN_CODE and its default value added to arkime-secret.env, used for making changes to the WISE config in the WISE GUI
    • ARKIME_WISE_SERVICE_URL and its default value added to arkime-secret.env for specifying the connection to the WISE service
    • ARKIME_EXPOSE_WISE_GUI and ARKIME_ALLOW_WISE_GUI_CONFIG added to arkime.env to control the WISE GUI viewer/editor capability
    • LS_JAVA_OPTS in logstash.env changed its default heap size from 2500m to 3g
    • REMOTE_AUTH_HEADER, REMOTE_AUTH_USER_EMAIL, REMOTE_AUTH_USER_FIRST_NAME, and REMOTE_AUTH_USER_LAST_NAME values (not really used) changed in netbox.env as part of some reverse proxy HTTP header standardization
    • SURICATA_AUTO_ANALYZE_PCAP_PROCESSES added with its default, and the meaning and default of SURICATA_AUTO_ANALYZE_PCAP_THREADS changed in suricata-offline.env as part of allow multiple instance of Suricata in PCAP processing mode via UNIX socket #707
    • ZEEK_DISABLE_IANA_LOOKUP added to zeek.env as part of Add IANA service name and description enrichment to Zeek's known_services.log #705
    • variables related to ANSI C12.22 added to zeek.env to control analyzer and log output as part of incorporate new ANSI C12.22 parser #708
  • Hedgehog Linux
    • ARKIME_WISE_PLUGIN and ARKIME_WISE_URL added as part of expose WISE tagging features to the user #377
    • ZEEK_DISABLE_IANA_LOOKUP added as part of Add IANA service name and description enrichment to Zeek's known_services.log #705
    • variables related to ANSI C12.22 added as part of incorporate new ANSI C12.22 parser #708
• 🧹 Code and project maintenance
  • remove duplication and consolidate navigation pane content across all dashboards (remove duplication and consolidate navigation pane content across all dashboards #718)
  • standardized X-Forwarded- headers used internally by reverse proxy for RBAC
  • some cleanup/standardization of Ruby code used by Logstash to make it more idiomatic

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

---

This discussion was created from the release Malcolm v25.07.0.