V502 merge (#181)
V502 merge

* Added Corelight's Zeek [detection script](https://github.com/corelight/cve-2021-44228) for CVE-2021-44228 ("Log4Shell" Log4J vulnerability)
* move `zeek.http.tags` field up to top-level `tags`
* Version bumps
  * Arkime to [v3.2.1](https://github.com/arkime/arkime/blob/v3.2.1/CHANGELOG#L25-L38)
  * Alpine (for `dashboards-helper`, `name-map-ui` and `nginx-proxy` Docker containers) to [v3.15.0](https://alpinelinux.org/posts/Alpine-3.15.0-released.html)
  * NGINX (for `nginx-proxy` Docker container) to [v1.20.2](https://nginx.org/en/CHANGES-1.20)
mmguero authored Dec 15, 2021
1 parent b59e237 commit 3f6f71c
Showing 17 changed files with 99 additions and 138 deletions.
2 changes: 1 addition & 1 deletion Dockerfiles/arkime.Dockerfile
Expand Up @@ -4,7 +4,7 @@ FROM debian:bullseye-slim AS build

ENV DEBIAN_FRONTEND noninteractive

ENV ARKIME_VERSION "3.2.0"
ENV ARKIME_VERSION "3.2.1"
ENV ARKIMEDIR "/opt/arkime"
ENV ARKIME_URL "https://github.com/arkime/arkime.git"
ENV ARKIME_LOCALELASTICSEARCH no
2 changes: 1 addition & 1 deletion Dockerfiles/dashboards-helper.Dockerfile
@@ -1,4 +1,4 @@
FROM alpine:3.14
FROM alpine:3.15

# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="[email protected]"
2 changes: 1 addition & 1 deletion Dockerfiles/dashboards.Dockerfile
Expand Up @@ -14,7 +14,7 @@ ENV PGROUP "dashboarder"

ENV TERM xterm

ARG OPENSEARCH_VERSION="1.2.0"
ARG OPENSEARCH_VERSION="1.2.1"
ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION

ARG OPENSEARCH_DASHBOARDS_VERSION="1.2.0"
2 changes: 1 addition & 1 deletion Dockerfiles/name-map-ui.Dockerfile
@@ -1,4 +1,4 @@
FROM alpine:3.14
FROM alpine:3.15

# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="[email protected]"
4 changes: 2 additions & 2 deletions Dockerfiles/nginx.Dockerfile
Expand Up @@ -7,7 +7,7 @@
# jwilder/nginx-proxy - https://github.com/jwilder/nginx-proxy/blob/master/Dockerfile.alpine

####################################################################################
FROM alpine:3.14
FROM alpine:3.15

LABEL maintainer="[email protected]"
LABEL org.opencontainers.image.authors='[email protected]'
Expand Down Expand Up @@ -57,7 +57,7 @@ ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP
ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL

# build latest nginx with nginx-auth-ldap
ENV NGINX_VERSION=1.20.1
ENV NGINX_VERSION=1.20.2
ENV NGINX_AUTH_LDAP_BRANCH=master

ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz
4 changes: 2 additions & 2 deletions Dockerfiles/zeek.Dockerfile
Expand Up @@ -141,8 +141,8 @@ ADD zeek/config/*.txt ${ZEEK_DIR}/share/zeek/site/
# these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh
ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 20
ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(_Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY__OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|Salesforce::GQUIC|Zeek::PROFINET|Zeek::S7comm|Zeek::TDS)"
ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 18
ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|hassh/hassh|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"
ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 19
ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|hassh/hassh|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"

RUN mkdir -p /tmp/logs && \
cd /tmp/logs && \
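Review bot: The new `cve-2021-44228/CVE_2021_44228` entry in ZEEK_THIRD_PARTY_SCRIPTS_GREP is the only CVE entry whose repository part is lowercase, and since the pattern looks like a regex used for matching installed script paths (it ends in `\.(zeek|bro)`), a later reader is likely to "normalize" it to upper case and silently break the match; a comment on that ENV line would prevent that, e.g. `# entries must match the installed script paths exactly (case-sensitive); corelight/cve-2021-44228 is lowercase upstream, unlike the other Corelight CVE repos`. The comment at the top of the hunk says these two values must track zeek_install_plugins.sh, but that script is not among the files shown here, so I cannot confirm it was updated in the same commit; the bumped count (19) does agree with the 19 alternatives in the new regex. The `RUN mkdir -p /tmp/logs` that begins at the end of the hunk continues outside it, so where the count is actually enforced is not visible from this hunk.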
69 changes: 35 additions & 34 deletions README.md
Expand Up @@ -143,21 +143,21 @@ You can then observe that the images have been retrieved by running `docker imag
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/arkime 5.0.1 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.1 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.1 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.1 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.1 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.1 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.1 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.1 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.1 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.1 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.1 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.1 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.1 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.1 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.1 xxxxxxxxxxxx 2 days ago 938MB
malcolmnetsec/arkime 5.0.2 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.2 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.2 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.2 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.2 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.2 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.2 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.2 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.2 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.2 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.2 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.2 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.2 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.2 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.2 xxxxxxxxxxxx 2 days ago 938MB
```

#### Import from pre-packaged tarballs
Expand Down Expand Up @@ -221,6 +221,7 @@ Malcolm leverages the following excellent open source tools, among others.
* ICS protocol analyzers for Zeek published by [DHS CISA](https://github.com/cisagov/ICSNPP) and [Idaho National Lab](https://github.com/idaholab/ICSNPP)
* Corelight's ["bad neighbor" (CVE-2020-16898)](https://github.com/corelight/CVE-2020-16898) plugin
* Corelight's ["OMIGOD" (CVE-2021-38647)](https://github.com/corelight/CVE-2021-38647) plugin
* Corelight's ["Log4Shell" (CVE-2021-44228)](https://github.com/corelight/cve-2021-44228) plugin
* Corelight's [Microsoft Excel privilege escalation detection (CVE-2021-42292)](https://github.com/corelight/CVE-2021-42292) plugin
* Corelight's [Apache HTTP server 2.4.49-2.4.50 path traversal/RCE vulnerability (CVE-2021-41773)](https://github.com/corelight/CVE-2021-41773) plugin
* Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
Expand Down Expand Up @@ -355,15 +356,15 @@ Then, go take a walk or something since it will be a while. When you're done, yo

* `malcolmnetsec/arkime` (based on `debian:bullseye-slim`)
* `malcolmnetsec/dashboards` (based on `opensearchproject/opensearch-dashboards`)
* `malcolmnetsec/dashboards-helper` (based on `alpine:3.14`)
* `malcolmnetsec/dashboards-helper` (based on `alpine:3.15`)
* `malcolmnetsec/file-monitor` (based on `debian:bullseye-slim`)
* `malcolmnetsec/file-upload` (based on `debian:bullseye-slim`)
* `malcolmnetsec/filebeat-oss` (based on `docker.elastic.co/beats/filebeat-oss`)
* `malcolmnetsec/freq` (based on `debian:bullseye-slim`)
* `malcolmnetsec/htadmin` (based on `debian:bullseye-slim`)
* `malcolmnetsec/logstash-oss` (based on `opensearchproject/logstash-oss-with-opensearch-output-plugin`)
* `malcolmnetsec/name-map-ui` (based on `alpine:3.14`)
* `malcolmnetsec/nginx-proxy` (based on `alpine:3.14`)
* `malcolmnetsec/name-map-ui` (based on `alpine:3.15`)
* `malcolmnetsec/nginx-proxy` (based on `alpine:3.15`)
* `malcolmnetsec/opensearch` (based on `opensearchproject/opensearch`)
* `malcolmnetsec/pcap-capture` (based on `debian:bullseye-slim`)
* `malcolmnetsec/pcap-monitor` (based on `debian:bullseye-slim`)
Expand Down Expand Up @@ -1498,7 +1499,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu

```
Finished, created "/malcolm-build/malcolm-iso/malcolm-5.0.1.iso"
Finished, created "/malcolm-build/malcolm-iso/malcolm-5.0.2.iso"
```

Expand Down Expand Up @@ -1884,21 +1885,21 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/arkime 5.0.1 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.1 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.1 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.1 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.1 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.1 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.1 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.1 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.1 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.1 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.1 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.1 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.1 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.1 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.1 xxxxxxxxxxxx 2 days ago 938MB
malcolmnetsec/arkime 5.0.2 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.2 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.2 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.2 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.2 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.2 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.2 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.2 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.2 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.2 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.2 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.2 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.2 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.2 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.2 xxxxxxxxxxxx 2 days ago 938MB
```

Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.
10 changes: 5 additions & 5 deletions arkime/etc/config.ini
Expand Up @@ -498,7 +498,7 @@ zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:ter
zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;friendly:File Description;help:File Description

# ipsec.log
# https://github.com/zeek/spicy-analyzers/blob/main/analyzer/protocol/ipsec/main.zeek
# https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
zeek.ipsec.is_orig=db:zeek.ipsec.is_orig;group:zeek_ipsec;kind:termfield;friendly:Is Originator;help:Is Originator
zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;friendly:Responder SPI;help:Responder SPI
Expand Down Expand Up @@ -565,7 +565,7 @@ zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfiel
zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;friendly:Role;help:Role

# ldap.log
# https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
# https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;friendly:LDAP Version;help:LDAP Version
zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;friendly:Operation;help:Operation
Expand All @@ -575,7 +575,7 @@ zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;friendly:Obj
zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;friendly:Arguments;help:Arguments

# ldap_search.log
# https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
# https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;friendly:Attributes;help:Attributes
zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;friendly:Base Object;help:Base Object
zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
Expand Down Expand Up @@ -1081,7 +1081,7 @@ tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:t


# stun.log and stun_nat.log
# https://github.com/zeek/spicy-analyzers/tree/main/analyzer/stun
# https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
zeek.stun.is_orig=db:zeek.stun.is_orig;group:zeek_stun;kind:termfield;friendly:Is Originator;help:Is Originator
zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID
zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;friendly:STUN Method;help:STUN Method
Expand Down Expand Up @@ -1138,7 +1138,7 @@ zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;friendly:
zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;friendly:Remote Peer;help:Remote Peer

# wireguard.log
# https://github.com/zeek/spicy-analyzers/tree/main/analyzer/protocol/wireguard
# https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek
zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;friendly:Established;help:Established
zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;friendly:Initiation Packets;help:Initiation Packets
zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;friendly:Response Packets;help:Response Packets
51 changes: 0 additions & 51 deletions arkime/patch/fix_self_signed_ssl.patch

This file was deleted.
