joek47 / malcolm-compare Goto Github PK

Malcolm is a threat investigation and detection tool

• investigation: uses more Zeek plugins so extracted Zeek logs are more detailed than TIP. Also correlates data with Moloch
• detection: leverages on open source info like AV for signature detection
• requires at least 16 gb of RAM. 16 cores for large data volume
• designed to store 10 TB of data for up to 5 years

TIP has the ability to sessionise payload and search across PCAPS.

Both

• are running on a Zeek-ELK microservice architecture
• use Kibana for investigation and visualisation
• lack a machine learning workflow to generate insights

Malcolm is a threat investigation and detection tool. Development appears to be outsourced to Battelle Energy Alliance, LLC

Can authenticate users with either local TLS-encrypted HTTP basic authentication or using a remote Lightweight Directory Access Protocol (LDAP) authentication server. Authenticate against Lightweight Directory Access Protocol (LDAP) server? (y/N): n

Create daily snapshots (backups) of Elasticsearch indices? (y/N): n

Periodically close old Elasticsearch indices? (y/N): y

Indices older than 5 years will be periodically closed. Is this OK? (Y/n): y

Periodically delete old Elasticsearch indices? (y/N): y

Indices older than 10 years will be periodically deleted. Is this OK? (Y/n): y

Periodically delete the oldest Elasticsearch indices when the database exceeds a certain size? (y/N): y

Indices will be deleted when the database exceeds 10000 gigabytes. Is this OK? (Y/n): y

Automatically analyze all PCAP files with Zeek? (Y/n): y

Perform reverse DNS lookup locally for source and destination IP addresses in Zeek logs? (y/N): y

Perform hardware vendor OUI lookups for MAC addresses? (Y/n): y

Perform string randomness scoring on some fields? (Y/n): y

Expose Logstash port to external hosts? (y/N): y

Should Logstash require SSL for Zeek logs? (Note: This requires the forwarder to be similarly configured and a corresponding copy of the client SSL files.) (Y/n): n

Forward Logstash logs to external Elasticstack instance? (y/N): n

Enable file extraction with Zeek? (y/N): y

Select file extraction behavior ('none', 'known', 'mapped', 'all', 'interesting'): all

Select file preservation behavior ('quarantined', 'all', 'none'): none

Scan extracted files with ClamAV? (y/N): y

Download updated ClamAV virus signatures periodically? (Y/n): y

Scan extracted files with Yara? (y/N): y

Scan extracted PE files with Capa? (y/N): y

Lookup extracted file hashes with VirusTotal? (y/N): n

Should Malcolm capture network traffic to PCAP files? (y/N): n