LetsAskBinu.com

How to deploy the Malcolm network traffic analysis tool with Ubuntu Server 22.04

By Researcher
September 6, 2022
in Networking


Jack Wallen walks you through the steps of deploying a powerful, easy-to-use network analysis tool on Ubuntu Server 22.04.


Malcolm is an open-source network traffic analysis tool that combines a suite of existing tools into a robust analysis platform for network admins. Malcolm accepts network traffic data in the form of PCAP (full packet capture) files and Zeek logs.


Malcolm includes two different interfaces:

  • OpenSearch Dashboards: A flexible data visualization plugin with dozens of prebuilt dashboards.
  • Arkime: A powerful tool for finding and identifying network sessions made up of suspected security incidents.

Malcolm is easy to use, containerized, secure and in very active development. I want to walk you through the process of deploying this tool on Ubuntu Server 22.04.

What you’ll need for Malcolm

To get Malcolm up and running, you’ll need an instance of Ubuntu Server 22.10 and a user with sudo privileges. That’s it: Let’s get to work.

How to create a new user

The first thing we’ll do is create a new user. SSH or log in to your Ubuntu Server instance and issue the command:

sudo useradd -m -d /opt/malcolm -s /bin/bash -G sudo malcolm

Change the password for the new user with:

sudo passwd malcolm

Log in as that user with:

su - malcolm

How to clone Malcolm and run the installer

Using git, clone the latest release of Malcolm with:

git clone https://github.com/idaholab/Malcolm

Change into the newly created directory with:

cd Malcolm

Run the installer with:

sudo ./scripts/install.py

During this first stage of the installation, you’ll be asked a few questions. For every Y/N question, answer with Y. The only non-Y/N question is:

Enter user account:

To that, answer with:

malcolm

How to configure Malcolm

Once you’ve answered the installer questions, you need to configure Malcolm. Run the configuration script with:

sudo ./scripts/install.py --configure

Once again, you’ll be asked several questions. Here are the questions and the answers you should give:

  • Malcolm processes will run as UID 1000 and GID 1000. Is this OK? (Y/n): Y
  • Setting 10g for OpenSearch and 3g for Logstash. Is this OK? yes
  • Setting 3 workers for Logstash pipelines. Is this OK? (Y/n): yes
  • Restart Malcolm upon system or Docker daemon restart: Yes — make sure to choose the default option, unless-stopped.
  • Choose whether to set up Malcolm with HTTPS: Yes
  • Choose whether Malcolm will run behind any proxy: No
  • Choose networking: Hit Enter
  • Choose LDAP: No
  • Store OpenSearch index snapshots locally in /opt/malcolm/Malcolm/opensearch-backup? Yes
  • Choose to Compress OpenSearch index snapshots: Yes
  • Automatically analyze all PCAP files with Suricata: Yes
  • Download updated Suricata signatures periodically: Yes
  • Automatically analyze all PCAP files with Zeek: Yes
  • Whether you want to delete the oldest indices when the database exceeds a certain size: No
  • Reverse DNS lookup locally for source and destination IP addresses in logs: No
  • Hardware vendor OUI lookups for MAC addresses: Yes
  • Perform string randomness scoring on some fields: yes
  • Expose OpenSearch port to external hosts: no
  • Expose Logstash port to external hosts: no
  • Forward Logstash logs to external OpenSearch instance: no
  • Expose Filebeat TCP port to external hosts: no
  • Expose SFTP server (for PCAP upload) to external hosts: No
  • Enable file extraction with Zeek: yes
  • Choose interesting as the extraction behavior (Figure A).
  • Choose file preservation method: quarantine
  • Scan extracted files/PE files with ClamAV: yes
  • Scan extracted files/PE files with Yara: yes
  • Scan extracted files/PE files with Capa: yes
  • Lookup extracted file hashes with VirusTotal: no
  • Download updated scanner signatures periodically: yes
  • Should Malcolm capture network traffic to PCAP files for analysis with Arkime: yes
  • Specify capture interface(s) (comma-separated) on which Malcolm will capture network traffic: eth0
  • Capture packets using netsniff-ng (Y/n): yes
  • Capture packets using tcpdump (y/N): no
  • Should Malcolm analyze traffic with Suricata: No
  • Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) NOTE: You can disable traffic related to Elasticsearch (port 9200), Logstash (5044), Arkime(8005): not port 9200 and not port 5044 and not port 8005
  • Disable capture interface hardware offloading and adjust ring buffer sizes: (y/N): n

Figure A: The Malcolm configuration process is an ncurses-based UI that should be familiar to most Linux admins.
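The configure answers above deliberately keep OpenSearch, Logstash and Filebeat off external hosts. As an added check that is not part of the article or of Malcolm, this bash snippet reads the output of ss -Hltn and reports any of the ports the capture-filter note lists (9200, 5044, 8005) that are bound to a wildcard address rather than a specific local one; the ss sample it runs over is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of Malcolm or the original article. The configure
# answers above keep OpenSearch (9200), Logstash (5044) and Arkime (8005)
# off external hosts; this reads `ss -Hltn`-style output and flags any of
# those ports listening on a wildcard address (0.0.0.0, *, [::]) instead
# of a specific local address. Port numbers come from the article's
# capture-filter note; the sample output below is constructed.

INTERNAL_PORTS="9200 5044 8005"

# Constructed sample of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS_OUTPUT='LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:5044 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:8005 *:*'

# check_exposed: reads ss lines on stdin, prints "PORT ADDRESS" for every
# internal port bound to a wildcard address; returns 1 if any were found.
check_exposed() {
    local violations=0 state rq sq local_addr rest host port p
    while read -r state rq sq local_addr rest; do
        [ -z "$local_addr" ] && continue
        host=${local_addr%:*}      # keeps 127.0.0.1, 0.0.0.0, [::], *
        port=${local_addr##*:}
        case "$host" in
            0.0.0.0|'*'|'[::]'|::) ;;   # wildcard: reachable on every interface
            *) continue ;;              # bound to one address, e.g. loopback
        esac
        for p in $INTERNAL_PORTS; do
            if [ "$p" = "$port" ]; then
                printf '%s %s\n' "$port" "$host"
                violations=$((violations + 1))
            fi
        done
    done
    [ "$violations" -eq 0 ]
}

# Demo over the constructed sample; on the real host run: ss -Hltn | check_exposed
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_exposed \
    || echo "internal Malcolm ports are exposed on a wildcard address"
```

On the sample, 9200 is bound to loopback and passes, while 5044 and 8005 are reported.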

Once you’ve done this, reboot the system with:

sudo reboot

How to create an admin account for Malcolm

Once the system has rebooted, log back in and change into the Malcolm account with:

su - malcolm

Change into the Malcolm directory for the user:

cd ~/Malcolm

Run the admin account setup script with:

./scripts/auth_setup

Answer the required questions as follows:

  • Store administrator username/password for local Malcolm access? yes
  • Create a new admin user and give that user a password.
  • (Re)generate self-signed SSL certs for web traffic HTTPS: yes
  • (Re)generate self-signed certificates for a remote log forwarder: yes
  • Store username/password for forwarding Logstash events to a secondary, external OpenSearch instance: no
  • Store username/password for email alert sender account: no

How to pull the required Docker image

Malcolm is deployed with Docker, so first we must pull the official images with:

docker-compose pull

The pull will take some time, so sit back and enjoy the passing output or go do something else. Allow two to 10 minutes for it to complete.

How to start and access Malcolm

To start the Malcolm service, issue the command:

./scripts/start

The above command deploys the Docker containers. Give them enough time to come up and you’re ready to go. Malcolm exposes a few different URLs for different tasks; in each, SERVER is the IP address of the hosting server, and you log in with the admin account you created with auth_setup.

  • OpenSearch Dashboards: https://SERVER/dashboards
  • Capture File and Log Archive Upload: https://SERVER/upload
  • Host and Subnet Mapping Editor: https://SERVER/name-map-ui
  • Account Management: https://SERVER:488

And that’s all there is to deploying the Malcolm Network Traffic Analyzer. Hopefully, you’ll get plenty of use from this powerful tool.

© 2022 Lets Ask Binu All Rights Reserved