components.md

Components

Malcolm leverages the following excellent open source tools, among others.

• Arkime (formerly Moloch) – for PCAP file processing, browsing, searching, analysis, and carving/exporting; Arkime consists of two parts:
  • capture – a tool for traffic capture, as well as offline PCAP parsing and metadata insertion into OpenSearch
  • viewer - a browser-based interface for data visualization
• OpenSearch - a search and analytics engine for indexing and querying network traffic session metadata
• Logstash and Filebeat - for ingesting and parsing Zeek Log Files and ingesting them into OpenSearch in a format that Arkime understands in the same way it natively understands PCAP data
• OpenSearch Dashboards - for creating additional ad-hoc visualizations and dashboards beyond that provided by Arkime viewer
• Zeek - a network analysis framework and IDS
• Suricata - an IDS and threat detection engine
• Yara - a tool used to identify and classify malware samples
• Capa - a tool for detecting capabilities in executable files
• ClamAV - an antivirus engine for scanning files extracted by Zeek
• CyberChef - a "Swiss Army Knife" data conversion tool
• jQuery File Upload - for uploading PCAP files and Zeek logs for processing
• Providing application containerization and orchestration for simple, reproducible deployment of Malcolm across environments and coordination of communication between its various components, either of the following may be used:
  • Docker
  • Podman
    • It should be noted that if rootless Podman is used, Malcolm itself cannot perform traffic capture on local network interfaces, although it can accept network traffic metadata forwarded from a a network sensor appliance.
• NetBox - a suite for modeling and documenting modern networks
• PostgreSQL - a relational database for persisting NetBox's data
• Redis - an in-memory data store for caching NetBox session information
• Nginx - for HTTPS and reverse proxying Malcolm components
• nginx-auth-ldap - an LDAP authentication module for nginx
• Fluent Bit - for forwarding metrics to Malcolm from network sensors (packet capture appliances)
• Mark Baggett's freq - a tool for calculating entropy of strings
• Florian Roth's Signature-Base Yara ruleset
• Bart Blaze's Yara ruleset
• ReversingLabs' Yara ruleset
• These [Zeek packages]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_install_plugins.sh):
  • some of Amazon.com, Inc.'s ICS protocol analyzers
  • Andrew Klaus's Sniffpass plugin for detecting cleartext passwords in HTTP POST requests
  • Andrew Klaus's zeek-httpattacks plugin for detecting noncompliant HTTP requests
  • ICS protocol analyzers for Zeek published by DHS CISA and Idaho National Lab
  • Many packages developed by Corelight, Inc.
  • FoxIO's JA4+ network fingerprinting plugin
  • J-Gras' Zeek::AF_Packet plugin
  • Johanna Amann's CVE-2020-0601 ECC certificate validation plugin and CVE-2020-13777 GnuTLS unencrypted session ticket detection plugin
  • Lexi Brent's EternalSafety plugin
  • MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK®-Based Analytics (BZAR) script
  • ATT&CK-based Control-system Indicator Detection (ACID) indicators published by DHS and MITRE
  • Salesforce's gQUIC analyzer
  • Zeek's Spicy plugin framework
• GeoLite2 - Malcolm includes GeoLite2 data created by MaxMind