
malcom's Introduction

Malcom - Malware Communication Analyzer

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.

What is Malcom?

Malcom can help you:

  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Check the wiki for a Quickstart with some nice screenshots and a tutorial on how to add your own feeds.

If you need some help, or want to contribute, feel free to join the mailing list or try to grab someone on IRC (#malcom on, it's pretty quiet but there's always someone around). You can also hit me up on twitter @tomchop_

Here's an example graph for a host [image: nodes-tomchop.png]

Dataset view (filtered to only show IPs) [image: dataset-view.png]

Quick how-to

  • Install
  • Make sure mongodb and redis-server are running
  • Elevate your privileges to root (yeah, I know, see disclaimer)
  • Start the webserver using the default configuration with ./ -c malcom.conf (or see options with ./ --help)
    • For an example configuration file, you can copy malcom.conf.example to malcom.conf
    • Default port is 8080
    • Alternatively, run the feeds from celery. See the feeds section for details on how to do this.


Malcom is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.

The following was tested on Ubuntu server 14.04 LTS:

  • Install git, python and libevent libs, mongodb, redis, and other dependencies

      $ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
  • Clone the Git repo:

      $ git clone malcom
  • Create your virtualenv and activate it:

      $ cd malcom
      $ virtualenv env-malcom
      $ source env-malcom/bin/activate
  • Get and install scapy:

      $ cd .. 
      $ wget
      $ tar xvzf scapy-latest.tar.gz
      $ cd scapy-2.1.0
      $ python install
  • Still from your virtualenv, install necessary python packages from the requirements.txt file:

      $ cd ../malcom
      $ pip install -r requirements.txt
  • For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind's free (and thus more or less accurate) database from the following link:

      $ cd Malcom/auxiliary/geoIP
      $ wget
      $ gunzip -d GeoLite2-City.mmdb.gz
      $ mv GeoLite2-City.mmdb GeoIP2-City.mmdb
  • Launch the webserver from the malcom directory using ./ Check ./ --help for listen interface and ports.

    • For starters, you can copy the malcom.conf.example file to malcom.conf and run ./ -c malcom.conf

Configuration options


By default, Malcom will try to connect to a local mongodb instance and create its own database, named malcom. If this is OK for you, you may skip the following steps. Otherwise, you need to edit the database section of your malcom.conf file.

Set another name for your Malcom database

By default, Malcom will use a database named malcom. You can change this behavior by editing the malcom.conf file and setting the name directive from the database section to your liking.

    name = my_malcom_database
Remote database(s)

By default, Malcom will try to connect to localhost, but your database may be on another server. To change this, just set the hosts directive. You may use hostnames or IPv4/v6 addresses (just keep in mind to enclose your IPv6 addresses between [ and ], e.g. [::1]).

If you'd like to use a standalone database on host my.mongo.server, just set:

    hosts = my.mongo.server

You can also specify the port mongod is listening on by appending it to the name/address of your server, separated with a colon (:):

    hosts = localhost:27008

And if you're using a replica set made up of my.mongo1.server and my.mongo2.server, just set:

    hosts = my.mongo1.server,my.mongo2.server
Use authentication

You may have configured your mongod instances to enforce authenticated connections. In that case, you have to set the username the driver will have to use to connect to your mongod instance. To do this, just add a username directive to the database section in the malcom.conf file. You may also have to set the password with the password directive. If the user does not have a password, just ignore (i.e. comment out) the password directive.

    username = my_user
    password = change_me

If the user is not linked to the malcom database but to another one (for example the admin database for an admin user), you will have to set the authentication_database directive to the name of that database.

    authentication_database = some_other_database
Case of a replica set

When using a replica set, you may need to ensure you are connected to the right one. For that, just add the replset directive to force the mongo driver to check the name of the replica set.

    replset = my_mongo_replica

By default, Malcom will try to connect to the primary node of the replica set. You may need or want to change that. To change this behaviour, just set the read_preference directive. See the mongo documentation for more information.

    read_preference = NEAREST
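The database directives described above (name, hosts, username, password, authentication_database, replset, read_preference) map onto the pieces of a MongoDB connection string. The following is an added example and not Malcom's own code (the tracebacks further down show Malcom's Model class handing these settings to MongoClient directly); it parses a constructed [database] section in malcom.conf syntax and builds the equivalent mongodb:// URI. It assumes that read_preference takes pymongo's ReadPreference names, it keeps the colons inside a bracketed IPv6 literal apart from the port separator, and it URL-escapes the credentials so a password containing "@" or ":" cannot silently change which host the driver connects to.

```python
import configparser
from urllib.parse import quote_plus

# Assumption: the read_preference directive uses pymongo's ReadPreference
# names. The right-hand side is MongoDB's connection-string spelling.
READ_PREFS = {
    "PRIMARY": "primary",
    "PRIMARY_PREFERRED": "primaryPreferred",
    "SECONDARY": "secondary",
    "SECONDARY_PREFERRED": "secondaryPreferred",
    "NEAREST": "nearest",
}

DEFAULT_PORT = 27017


def split_hosts(hosts):
    """Turn the comma-separated hosts directive into (host, port) tuples.

    A bracketed IPv6 literal such as [::1]:27008 contains colons of its own,
    so the port is only looked for after the closing bracket.
    """
    result = []
    for entry in hosts.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("["):
            close = entry.find("]")
            if close == -1:
                raise ValueError("unterminated IPv6 literal: %r" % entry)
            host, rest = entry[: close + 1], entry[close + 1 :]
            if rest == "":
                port = DEFAULT_PORT
            elif rest.startswith(":"):
                port = int(rest[1:])
            else:
                raise ValueError("junk after IPv6 literal: %r" % entry)
        elif entry.count(":") == 1:
            host, port_text = entry.split(":")
            port = int(port_text)
        elif ":" in entry:
            raise ValueError("IPv6 addresses must be enclosed in [ ]: %r" % entry)
        else:
            host, port = entry, DEFAULT_PORT
        if not 0 < port < 65536:
            raise ValueError("port out of range: %d" % port)
        result.append((host, port))
    if not result:
        raise ValueError("hosts directive is empty")
    return result


def build_mongo_uri(conf_text):
    """Build a mongodb:// URI from the [database] section of a malcom.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    db = cp["database"]
    hosts = ",".join("%s:%d" % hp for hp in split_hosts(db.get("hosts", "localhost")))
    name = db.get("name", "malcom")

    creds = ""
    if db.get("username"):
        # quote_plus keeps '@' and ':' in credentials from being parsed as
        # URI structure (a commented-out password simply yields no password).
        creds = quote_plus(db["username"])
        if db.get("password"):
            creds += ":" + quote_plus(db["password"])
        creds += "@"

    options = []
    if db.get("authentication_database"):
        options.append("authSource=" + db["authentication_database"])
    if db.get("replset"):
        options.append("replicaSet=" + db["replset"])
    pref = db.get("read_preference", "PRIMARY").upper()
    if pref not in READ_PREFS:
        raise ValueError("unsupported read_preference: %r" % pref)
    if pref != "PRIMARY":
        options.append("readPreference=" + READ_PREFS[pref])

    uri = "mongodb://%s%s/%s" % (creds, hosts, name)
    if options:
        uri += "?" + "&".join(options)
    return uri


# Constructed sample: the directive names are the README's, the values are made up.
SAMPLE_CONF = """
[database]
name = my_malcom_database
hosts = my.mongo1.server:27017,[::1]:27008,my.mongo2.server
username = my_user
password = change_me
authentication_database = admin
replset = my_mongo_replica
read_preference = NEAREST
"""

if __name__ == "__main__":
    print(build_mongo_uri(SAMPLE_CONF))
```

Running the block prints the URI for the sample section; in the real driver an unknown read preference name fails at connect time, whereas here it is rejected while the config is parsed, which is the earlier of the two places to catch a typo.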

Supported read preferences are:


Docker instance

The quickest way to get you started is to pull the Docker image from the public docker repo. To pull older, more stable Docker builds, use tomchop/malcom instead of tomchop/malcom-automatic.

    $ sudo docker pull tomchop/malcom-automatic
    $ sudo docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic

Connecting to http://<docker_host>:8080/ should get you started.

Quick note on TLS interception

Malcom now supports TLS interception. For this to work, you need to generate some keys in Malcom/networking/tlsproxy/keys. See the file there for more information on how to do this.

Make sure you also have iptables (you already should) and permissions to do some port forwarding with it (you usually need to be root for that). You can do this using the convenient script. For example, to intercept all TLS communications towards port 443, use 443 9999. You'll then have to tell Malcom to run an interception proxy on port 9999.

Expect this process to be automated in future releases.


Malcom was designed and tested on an Ubuntu Server 14.04 LTS VM.

If you're used to doing malware analysis, you probably already have tons of virtual machines running on a host OS. Just install Malcom on a new VM, and route your other VM's connections through Malcom. Use to activate routing / NATing on the VM Malcom is running on. You'll need to add an extra network card to the guest OS.

As long as it's getting layer-3 network data, Malcom can be deployed anywhere. Although it's not recommended to use it on high-availability networks (it wasn't designed to be fast, see disclaimer), you can have it running at the end of your switch's mirror port or on your gateway.


To launch an instance of Malcom that ONLY fetches information from feeds, run Malcom with the --feeds option or tweak the configuration file.

Your database should be populated automatically. If you can dig into the code, adding feeds is pretty straightforward (assuming you're generating Evil objects). You can find an example feed in /feeds/zeustracker. A more detailed tutorial is available here.

You can also use celery to run feeds. Make sure celery is installed by running $ pip install celery from your virtualenv. You can then use celery worker -E --config=celeryconfig --loglevel=DEBUG --concurrency=12 to launch the feeding process with 12 simultaneous workers.

Technical specs

Malcom was written mostly from scratch, in Python. It uses the following frameworks to work:

  • flask - a lightweight python web framework
  • mongodb - a NoSQL database. It interfaces to python with pymongo
  • redis - An advanced in-memory key-value store
  • d3js - a JavaScript library that produces awesome force-directed graphs
  • bootstrap - a CSS framework that will eventually kill webdesign, but makes it extremely easy to quickly "webize" applications that would only work through a command prompt.


Collaboration - The main direction I want this tool to take is to become collaborative. I have a few ideas for this, and I think it will become 100x more useful once data sharing is implemented.

Extendability - The other thing I want to include in the tool is the ability to more easily extend it. I don't have the same needs as everyone else, and this tool was conceived having my needs in mind. You can now customize Malcom by adding new feeds.

Once collaboration and extension are up and running, I think this will be helpful for more than one incident responder out there. :-)


This tool was coded during my free time. Like a huge number of tools we download and use daily, I wouldn't recommend using it in a production environment where data stability and reliability are a MUST.

  • It may be broken, have security gaps (running it as root in uncontrolled environments is probably not a good idea), or not work at all.
  • It's written in python, so don't expect it to be ultra-fast or handle huge amounts of data easily.
  • I'm no coder, so don't expect to see beautiful pythonic code everywhere you look. Or lots of comments.

It's in early stages of development, meaning "it works for me". You're free to share it, improve it, and open pull requests.


Malcom - Malware communications analyzer Copyright (C) 2013 Thomas Chopitea

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see

Please note that Redis, MongoDB, d3js, MaxMind and Bootstrap (and other third party libraries included in Malcom) may have their own GPL compatible licences.

malcom's People


Contributors: ch40s, crimsonglory, gaelmuller, ikoniaris, jipegit, mdeous, srilumpa, tomchop, y0m, zertrin



malcom's Issues

UnicodeDecodeError: 'utf8' codec can't decode bytes in position 1025-1026: invalid continuation byte

[DEBUG] [2014-12-18 15:56:05.834409] - (ip analytics for
Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/lib/python2.7/", line 810, in __bootstrap_inner
  File "/usr/lib/python2.7/", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/opt/malcom/Malcom/networking/", line 238, in run
  File "/opt/malcom/Malcom/networking/", line 215, in load_pcap
    self.sniff(stopper=self.stop_sniffing, filter=self.filter, prn=self.handlePacket, stopperTimeout=1, offline=self.engine.setup['SNIFFER_DIR']+"/"+filename)
  File "/opt/malcom/Malcom/networking/", line 658, in sniff
    r = prn(p)
  File "/opt/malcom/Malcom/networking/", line 509, in handlePacket
  File "/opt/malcom/Malcom/networking/", line 567, in send_flow_statistics
    self.engine.messenger.broadcast(bson_dumps(data), 'sniffer-data', 'flow_statistics_update')
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/bson/", line 125, in dumps
    return json.dumps(_json_convert(obj), *args, **kwargs)
  File "/usr/lib/python2.7/json/", line 243, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python2.7/json/", line 207, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python2.7/json/", line 270, in iterencode
    return _iterencode(o, 0)
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 1025-1026: invalid continuation byte
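The traceback above ends in the JSON encoder, which means the flow-statistics record being broadcast contained raw packet bytes that are not valid UTF-8 (an offset past 1024 bytes points at payload rather than at headers). As an added example, not Malcom's code, the following shows one way to make such a record serializable without guessing an encoding: byte strings that decode as strict UTF-8 become text, anything else is carried as a hex string under a marker key so nothing is lost, and the inverse function restores the bytes on the receiving side. The record layout and the marker name are constructed for the example.

```python
import json

# Marker key for byte strings that are not valid UTF-8 (constructed name).
BYTES_KEY = "__bytes_hex__"


def json_safe(obj):
    """Recursively convert obj so that json.dumps() accepts it.

    bytes that decode as strict UTF-8 become str; anything else (binary
    payload, a multibyte sequence cut at a buffer boundary) becomes
    {"__bytes_hex__": "..."} so that every byte survives the round trip.
    """
    if isinstance(obj, bytes):
        try:
            return obj.decode("utf-8")
        except UnicodeDecodeError:
            return {BYTES_KEY: obj.hex()}
    if isinstance(obj, dict):
        return {_safe_key(k): json_safe(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple, set)):
        return [json_safe(v) for v in obj]
    return obj


def _safe_key(key):
    """JSON object keys must be strings; hex-encode undecodable byte keys."""
    if isinstance(key, bytes):
        try:
            return key.decode("utf-8")
        except UnicodeDecodeError:
            return "hex:" + key.hex()
    return key


def restore_bytes(obj):
    """Inverse of json_safe for the hex marker; plain strings stay strings.

    Caveat: a genuine one-key dict whose only key is the marker would also be
    turned back into bytes, so keep the marker name out of real records.
    """
    if isinstance(obj, dict):
        if set(obj) == {BYTES_KEY}:
            return bytes.fromhex(obj[BYTES_KEY])
        return {k: restore_bytes(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [restore_bytes(v) for v in obj]
    return obj


def dump_flow(flow):
    """Serialize one flow-statistics record for a broadcast."""
    return json.dumps(json_safe(flow), sort_keys=True)


def load_flow(text):
    """Parse a broadcast record and bring hex-marked payloads back to bytes."""
    return restore_bytes(json.loads(text))


# Constructed sample record: one text payload and one binary payload whose
# bytes (0xff, 0xfe) can never occur in valid UTF-8.
SAMPLE_FLOW = {
    "src": "10.0.0.1",
    "dst": "203.0.113.7",
    "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n",
    "raw": b"\xff\xfe\x00\x01",
    "tags": (b"http", b"\xe9"),
}

if __name__ == "__main__":
    print(dump_flow(SAMPLE_FLOW))
```

Decoding with errors="replace" would also stop the exception, but it destroys the original bytes; for captured traffic that later feeds signatures or indicators, the lossless marker form is the safer default.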

Add Signature Malware

This tool is really awesome. I have an idea: how about adding some tools to get the signature, country name and location for malware analysis?

Thank you, and thanks for malcom

Overflow Error while loading a 3.6GB pcap file

This happens on the master (057f471) and dev (311b1e5) branches.

[DEBUG] - [-] No TLS interception
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/gevent/", line 508, in handle_one_response
File "/usr/local/lib/python2.7/dist-packages/geventwebsocket/", line 84, in run_application
return super(WebSocketHandler, self).run_application()
File "/usr/local/lib/python2.7/dist-packages/gevent/", line 494, in run_application
self.result = self.application(self.environ, self.start_response)
File "/home/user/dir/aplics/malcom/Malcom/web/", line 76, in malcom_app
return app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/flask/", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/flask/", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/lib/python2.7/dist-packages/flask/", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.7/dist-packages/flask/", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python2.7/dist-packages/flask/", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python2.7/dist-packages/flask/", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.7/dist-packages/flask/", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.7/dist-packages/flask/", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/user/dir/aplics/malcom/Malcom/web/", line 401, in sniffer
Malcom.sniffer_sessions[session_name].pcap =
OverflowError: requested number of bytes is more than a Python string can hold
{'CONTENT_LENGTH': '3884500716',
'CONTENT_TYPE': 'multipart/form-data; boundary=----WebKitFormBoundaryDuuQMOS7h3fOpAHu',
'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8,es;q=0.6',
'HTTP_CACHE_CONTROL': 'max-age=0',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_HOST': '',
'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36',
'PATH_INFO': '/sniffer/',
'REMOTE_PORT': '48701',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '8080',
'SERVER_SOFTWARE': 'gevent/1.0 Python/2.7',
'werkzeug.request': <Request '' [POST]>,
'wsgi.errors': <open file '', mode 'w' at 0xb748c0d0>,
'wsgi.input': <gevent.pywsgi.Input object at 0xa7ed3fac>,
'wsgi.multiprocess': False,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)} failed with OverflowError

Error mongodb


After running the command ./ -c malcom.conf I get this error

Detected interfaces:
eth2: Not defined
[+] Starting sniffer...
[+] Successfully loaded sniffer directory: /root/malcom/Malcom/sniffer
[+] Starting TLS proxy on port 9000
Traceback (most recent call last):
File "./", line 79, in <module>
setup.sniffer_engine = netsniffer.SnifferEngine(setup, yara_rules=yara_rules)
File "/root/malcom/Malcom/networking/", line 56, in __init__
self.model = Model()
File "/root/malcom/Malcom/model/", line 39, in __init__
self._connection = MongoClient()
File "/root/malcom/env-malcom/local/lib/python2.7/site-packages/pymongo/", line 377, in __init__
raise ConnectionFailure(str(e))
pymongo.errors.ConnectionFailure: [Errno 111] Connection refused

Compile error running: pip install flask pymongo pygeoip gevent-websocket python-dateutil netifaces


I got this error when trying to compile and run the last command from the guide:

Running install for netifaces

Running command /root/tomchop/malcom/env-malcom/bin/python -c "import setuptools;__file__=$
running install
running build
running build_ext
checking for getifaddrs... not found. (cached)

checking for getnameinfo... not found. (cached)

checking for socket IOCTLs... not found. (cached)

checking for optional header files... none found. (cached)

checking whether struct sockaddr has a length field... no. (cached)

checking which sockaddr_xxx structs are defined... none! (cached)

building 'netifaces' extension

gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC $

netifaces.c:1:20: error: Python.h: No such file or directory

netifaces.c:143:6: error: #error You need to add code for your platform.

netifaces.c: In function 'our_getnameinfo':

netifaces.c:200: warning: implicit declaration of function 'sprintf'

netifaces.c:200: warning: incompatible implicit declaration of built-in function 'sprintf'

netifaces.c:203: warning: implicit declaration of function 'strncpy'

netifaces.c:203: warning: incompatible implicit declaration of built-in function 'strncpy'

netifaces.c:225: warning: incompatible implicit declaration of built-in function 'sprintf'

Max Upload Pcap


Can you tell me what the maximum pcap size I can analyze is?
And how do I modify the script to change the maximum pcap upload size?
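Both the OverflowError report above (a 3.6 GB body read into a single Python string while the request environment shows CONTENT_LENGTH of 3884500716) and this question about the maximum pcap size come down to the same handling rule: an upload should be streamed to disk in chunks under a byte limit, never read whole into memory, and the limit has to be enforced on the bytes actually received rather than on the client-supplied Content-Length header. The following is an added example and not Malcom's code; the function names, the limit and the sample input are constructed. It also checks that the first bytes carry a pcap or pcapng magic number, since only a capture file should ever land in the sniffer directory.

```python
import io

# Magic numbers of the capture formats an offline sniffer reads: classic pcap
# in both byte orders (microsecond and nanosecond variants) and pcapng.
PCAP_MAGICS = (
    b"\xa1\xb2\xc3\xd4",  # pcap, big-endian, microseconds
    b"\xd4\xc3\xb2\xa1",  # pcap, little-endian, microseconds
    b"\xa1\xb2\x3c\x4d",  # pcap, big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1",  # pcap, little-endian, nanoseconds
    b"\x0a\x0d\x0d\x0a",  # pcapng section header block
)


class UploadRejected(ValueError):
    """Raised when an upload fails a size or format check."""


def declared_length_ok(content_length, max_bytes):
    """Fast pre-check on the Content-Length header.

    The header is client-controlled, so this only rejects obviously oversized
    requests early; the streaming cap in receive_pcap is the real limit.
    """
    if content_length is None:
        return True  # chunked or unknown length: rely on the streaming cap
    try:
        return 0 <= int(content_length) <= max_bytes
    except (TypeError, ValueError):
        return False


def looks_like_pcap(head):
    """True if the first four bytes carry a pcap or pcapng magic number."""
    return head[:4] in PCAP_MAGICS


def receive_pcap(stream, dest, max_bytes, declared_length=None, chunk_size=1 << 20):
    """Copy an uploaded capture from stream to dest in bounded chunks.

    The body is never held in memory as a whole, the copy aborts as soon as
    the received byte count passes max_bytes (whatever the header claimed),
    and the first chunk must start with a capture-file magic number.
    Returns the number of bytes written.
    """
    if not declared_length_ok(declared_length, max_bytes):
        raise UploadRejected("declared Content-Length %r exceeds the %d byte limit"
                             % (declared_length, max_bytes))
    total = 0
    first = True
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if first:
            if not looks_like_pcap(chunk):
                raise UploadRejected("upload does not start with a pcap/pcapng magic number")
            first = False
        total += len(chunk)
        if total > max_bytes:
            raise UploadRejected("upload exceeds the %d byte limit" % max_bytes)
        dest.write(chunk)
    if first:
        raise UploadRejected("empty upload")
    return total


def transfer_bytes(payload, max_bytes, chunk_size=16, declared_length=None):
    """Run receive_pcap over an in-memory payload (for demos and tests).

    Returns (bytes_written, copied_payload). A small chunk_size forces the
    loop to run several times even for tiny inputs.
    """
    out = io.BytesIO()
    written = receive_pcap(io.BytesIO(payload), out, max_bytes, declared_length, chunk_size)
    return written, out.getvalue()


if __name__ == "__main__":
    # Constructed input: a little-endian pcap magic followed by 100 filler bytes.
    sample = b"\xd4\xc3\xb2\xa1" + b"\x00" * 100
    print(transfer_bytes(sample, max_bytes=1024, declared_length="104"))
```

In a Flask handler the stream would be the uploaded file's stream and declared_length the request's Content-Length header, with dest an open file under the sniffer directory; a limit of a few hundred megabytes keeps a single request from exhausting the host's memory or disk, which is the failure the 3.6 GB upload ran into.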


Malcom crashes when starting a sniffing session

I have an issue when trying to create a sniffing session.

When I create a sniffer, whether a live one or through a pcap file, the following log appears and no result is shown through the web interface.

Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/lib/python2.7/", line 810, in __bootstrap_inner
  File "/usr/lib/python2.7/", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/home/mad/Documents/dev/malcom_perso/Malcom/sniffer/", line 250, in run
  File "/home/mad/Documents/dev/malcom_perso/Malcom/sniffer/", line 227, in load_pcap
    self.sniff(stopper=self.stop_sniffing, filter=self.filter, prn=self.handlePacket, stopperTimeout=1, offline=self.engine.setup['SNIFFER_DIR']+"/"+filename)
  File "/home/mad/Documents/dev/malcom_perso/Malcom/sniffer/", line 653, in sniff
    sel = select([s], [], [], remainStopper)
TypeError: 'module' object is not callable

I'm probably missing something but can't see what. Is an additional module needed for this to work?

API: Retrieve data from sniffing session

Use the API to retrieve data from a sniffing session given its ID to:

  • Retrieve all data regarding it (nodes, edges, flows, etc.)
  • Retrieve all elements associated with it (hostnames, ips, urls)
  • Retrieve only the evil elements associated with it

ImportError: No module named flask_restful

I get the following error, do you think something goes wrong with Flask? I have Flask 0.10.1 installed.

Traceback (most recent call last):
  File "./", line 112, in <module>
    from Malcom.web.webserver import MalcomWeb
  File "/opt/malcom/Malcom/web/", line 120, in <module>
    from Malcom.web.api import malcom_api
  File "/opt/malcom/Malcom/web/", line 7, in <module>
    from flask_restful import Resource, reqparse, Api
ImportError: No module named flask_restful

Change the way elements are associated to a sniffing session

Elements are associated with a sniffing session via tags: the name of a sniffing session will be added as a tag to the element. This is not flexible.

Enhancement: add a new field to the element containing an array of all the sniffing session IDs it is present in. When a sniffing session is created and an element is added to the database from this sniffing session, it will add its own ID to the array.

Database configuration


I have just downloaded malcom to test it but I am unable to launch it simply because:

  1. my database is on another computer than the one I want to run malcom on
  2. I have configured authentication on my MongoDB

I see you have created a db_local section in the malcom.conf file but, as far as my understanding of the code goes, it does not seem to be used when creating the database sessions (at least in the Model and UserManagement classes)

Are you working on it (since the db_local section exists) or would you prefer a pull request?

errors on startup

I installed Malcom as a Docker container in a new, stock Ubuntu 14.04 VM (& also from github, same result). When I try to run it using the syntax from the Docker part of the (docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic (I also tried tomchop/malcom, same result)) I get this set of errors:

* Starting database mongodb
Starting redis-server: redis-server.
TERM environment variable not set.
===== Malcom 1.3a - Malware Communications Analyzer =====

Detected interfaces:
WARNING: Failed to execute tcpdump. Check it is installed and in the PATH
WARNING: No route found for IPv6 destination :: (no default route?)
[+] Starting sniffer...
[+] Successfully loaded sniffer directory: /opt/malcom/Malcom/sniffer/captures
[+] Starting TLS proxy on port 9000
Traceback (most recent call last):
File "./", line 79, in <module>
setup.sniffer_engine = netsniffer.SnifferEngine(setup)
File "/opt/malcom/Malcom/sniffer/", line 51, in __init__
self.model = Model(self.setup)
File "/opt/malcom/Malcom/model/", line 46, in __init__
read_preference=read_pref[db_setup.get('READ_PREF', 'PRIMARY')])
File "/usr/local/lib/python2.7/dist-packages/pymongo/", line 377, in __init__
raise ConnectionFailure(str(e))
pymongo.errors.ConnectionFailure: [Errno 111] Connection refused

Consider Removing GeoLiteCity.dat

In /Malcom/auxiliary/GeoIP there is an 18 MB file, GeoLiteCity.dat. For licensing etc., you may want to include explicit instructions on how users can download that file, but not include it in git. It will also make the package much smaller. Correspondingly, if it doesn't exist there, perhaps there can be some clear and concise warnings that it should be installed.

ARP support

Inclusion of ARP requests / replies in network capture

Browse dataset error: "AttributeError: 'NoneType' object has no attribute 'lower'"

Whenever I visit the "Browse dataset" page, the page shows "Populating table..." without bringing any data and throws the following error:

Traceback (most recent call last):
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/gevent/", line 508, in handle_one_response
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/geventwebsocket/", line 88, in run_application
    return super(WebSocketHandler, self).run_application()
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/gevent/", line 494, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/opt/malcom/Malcom/web/", line 647, in malcom_app
    return app(environ, start_response)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 265, in error_router
    return original_handler(e)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 262, in error_router
    return self.handle_error(e)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 265, in error_router
    return original_handler(e)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 262, in error_router
    return self.handle_error(e)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 446, in wrapper
    resp = resource(*args, **kwargs)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/", line 755, in decorated_view
    return func(*args, **kwargs)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 84, in view
    return self.dispatch_request(*args, **kwargs)
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask_restful/", line 550, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/opt/malcom/Malcom/web/", line 121, in get
  File "/opt/malcom/Malcom/model/", line 414, in add_to_history
    if query.lower().strip() != '':
AttributeError: 'NoneType' object has no attribute 'lower'

Continuous Analysis of a URL - how to stop/clear it?

I routed traffic from a host through malcom to and now every time I start it the app keeps analyzing for hours and never stops. Any idea what is going on here and how to clear it out? Here is an example of the logs:

[DEBUG] [2015-08-18 02:06:26.625670] - [Worker 1 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.000148)
[DATA] [2015-08-18 02:06:26.626643] - (linked 55d1291216320e5e2191b827 to 55d268b816320e0eba95bc16 [host])
[DATA] [2015-08-18 02:06:26.627141] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.627571] - [Worker 8 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DATA] [2015-08-18 02:06:26.627857] - (updated hostname
[DEBUG] [2015-08-18 02:06:26.628009] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.071657
[DATA] [2015-08-18 02:06:26.628501] - (linked 55d1291216320e5e2191b818 to 55d268b816320e0eba95bc16 [host])
[DEBUG] [2015-08-18 02:06:26.647026] - [Worker 8 | PID 4523] WAITING FOR NEW ELT (size: 9329)
[ANALYTICS] [2015-08-18 02:06:26.647317] - [Worker 8 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9328
[DEBUG] [2015-08-18 02:06:26.647373] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.647485] - [Worker 8 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.000114)
[DATA] [2015-08-18 02:06:26.648265] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.660044] - [Worker 6 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.660094] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.373860
[DEBUG] [2015-08-18 02:06:26.675471] - [Worker 6 | PID 4523] WAITING FOR NEW ELT (size: 9328)
[DATA] [2015-08-18 02:06:26.660674] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[ANALYTICS] [2015-08-18 02:06:26.675995] - [Worker 6 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9327
[DEBUG] [2015-08-18 02:06:26.676036] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.676126] - [Worker 6 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.000093)
[DEBUG] [2015-08-18 02:06:26.676792] - [Worker 5 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.676853] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.304551
[DEBUG] [2015-08-18 02:06:26.676885] - [Worker 5 | PID 4523] WAITING FOR NEW ELT (size: 9327)
[ANALYTICS] [2015-08-18 02:06:26.677048] - [Worker 5 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9326
[DEBUG] [2015-08-18 02:06:26.677080] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.677149] - [Worker 5 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.000068)
[DATA] [2015-08-18 02:06:26.677506] - (updated hostname
[DATA] [2015-08-18 02:06:26.677993] - (linked 55d1291216320e5e2191b826 to 55d268b816320e0eba95bc16 [host])
[DATA] [2015-08-18 02:06:26.678493] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.690445] - [Worker 10 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.690516] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.635254
[DEBUG] [2015-08-18 02:06:26.690562] - [Worker 10 | PID 4523] WAITING FOR NEW ELT (size: 9326)
[ANALYTICS] [2015-08-18 02:06:26.690844] - [Worker 10 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9325
[DEBUG] [2015-08-18 02:06:26.690888] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.691002] - [Worker 10 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.000115)
[DATA] [2015-08-18 02:06:26.691468] - (updated hostname
[DATA] [2015-08-18 02:06:26.692093] - (updated hostname
[DATA] [2015-08-18 02:06:26.692718] - (linked 55d1291216320e5e2191b82b to 55d268b816320e0eba95bc16 [host])
[DATA] [2015-08-18 02:06:26.693218] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.707912] - [Worker 1 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.708014] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.082997
[DEBUG] [2015-08-18 02:06:26.708063] - [Worker 1 | PID 4523] WAITING FOR NEW ELT (size: 9325)
[ANALYTICS] [2015-08-18 02:06:26.708297] - [Worker 1 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9324
[DEBUG] [2015-08-18 02:06:26.708400] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.718631] - [Worker 1 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.010180)
[DATA] [2015-08-18 02:06:26.709180] - (updated hostname
[DATA] [2015-08-18 02:06:26.723196] - (linked 55d1291216320e5e2191b822 to 55d268b816320e0eba95bc16 [host])
[DATA] [2015-08-18 02:06:26.723815] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.724190] - [Worker 2 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.724528] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.243934
[DEBUG] [2015-08-18 02:06:26.724584] - [Worker 2 | PID 4523] WAITING FOR NEW ELT (size: 9324)
[ANALYTICS] [2015-08-18 02:06:26.724819] - [Worker 2 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9323
[DEBUG] [2015-08-18 02:06:26.724886] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.737812] - [Worker 2 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] ANALYTICS DONE (1 NEW) (0:00:00.012908)
[DATA] [2015-08-18 02:06:26.724466] - (updated hostname
[DATA] [2015-08-18 02:06:26.739943] - (linked 55d1291216320e5e2191b82d to 55d268b816320e0eba95bc16 [host])
[DATA] [2015-08-18 02:06:26.740547] - (added url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.740967] - [Worker 6 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&] NEW PROCESSED
[DEBUG] [2015-08-18 02:06:26.741017] - Finished analyzing,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& in 0:00:00.065573
[DEBUG] [2015-08-18 02:06:26.741049] - [Worker 6 | PID 4523] WAITING FOR NEW ELT (size: 9323)
[ANALYTICS] [2015-08-18 02:06:26.741305] - [Worker 6 | PID 4523] Started work on url,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home& Queue size: 9322
[DEBUG] [2015-08-18 02:06:26.741343] - (url analytics for,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&
[DEBUG] [2015-08-18 02:06:26.741429] - [Worker 6 | PID 4523 | elt:,fmcglobal/1/H.27.2-D56N/s26457567405722?AQB=1&ndh=1&t=17%2F7%2F2015%203%3A20%3A37%201%20-180&fid=6CB2D10F7041870D-328BC81CEDC4C791&vmt=4A43B06B&ns=ford&pageName=fv%3A%20home&^CKeyboardInterrupt

API & account settings not available?


I'm trying 1.2 alpha and I find it very light and visual, especially compared to alternatives :)
My current problem: it seems the API links are not available

$ curl
This page does not exist

$ curl
$ curl
{"nodes": [], "edges": []}
$ curl
Internal Server Error
= ValueError: View function did not return a response

and grepping account inside source just returns one line
$ grep -rin account *
web/static/jquery/jquery-ui.js:13781: // into account and update option properly.
= No /account/settings to generate API key

Unreleased stuff? Or did I miss a doc/code?

Thanks Tom

[Honeynet GSoC 2015] Malcom - Malware communications analyzer


Malcom & GSoC 2015

Malcom is a platform that allows you to cross-reference network traffic with different malware feeds (or any other source of data).
Malcom is participating as part of the Honeynet Project in the Google Summer of Code 2015. There are a few ideas I think would be interesting to see included in Malcom. Feel free to comment below and suggest your own ideas or improvements!

This issue is for students that would be interested in contributing to Malcom as part of their participation in GSoC, so that they can have any questions on Malcom or GSoC answered easily.

Main project goals

  • Build additional traffic-analysis features: DNS request timeline, Suricata or Bro alerts, or find some other way to ID the traffic and write specific decoders for malware protocols;
  • Share Malcom's data and build a web API that can be queried from other services (FIR, CRITS, MISP)
    • Secondary objective: adjust the data model so that it always uses the web API, even locally. This would allow for querying remote Malcom instances as if they were local in total transparency.
  • Less interesting, but still needs to be done: improving the UI, adding details and tags to elements, improving performance, code clean-up, etc. (this is the part I will probably end up coding if I get help on any of the points above)


1- What background is necessary to contribute to this project?

  • Solid Python skills;
  • a working knowledge of current network traffic analysis tools and tech (scapy, dpkt, Bro IDS, Suricata, etc.) so as to leverage them in Malcom;
  • experience with the Flask framework, d3js and mongodb is definitely a plus.

2- How do I get started?

  • Download Malcom, play around with it. There's a Docker instance to get you started, but you're encouraged to read through the code, too 😉
  • Feel free to fork and to pull-request
  • If you feel like Malcom is a project you could and would like to contribute to, submit a project proposal.

Don't hesitate to contact me if you have additional questions (Twitter or email works fine). There's also a Honeynet GSoC mailing list and a malcom-users Google Group. Feel free to ping me whenever you want.

Project proposal

You'll need to write a project proposal before final approval of your participation. This is mainly a document stating your approach to work on one of the points listed in the project goals (or any other ideas you'd like to work on). Apparently, a rough timeline is needed (knowing you will have around 12 weeks to make the magic happen!).


Have encountered a problem during install!
Command "/root/malcom/env-malcom/bin/python2 -u -c "import setuptools, tokenize;file='/tmp/pip-build-PX89Xx/cryptography/';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-tybGJc-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/malcom/env-malcom/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-PX89Xx/cryptography/

System Kali Linux Rolling 2016.2

Bug when no HTTP payload is found over port 80

Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib/python2.7/", line 810, in __bootstrap_inner
  File "/usr/lib/python2.7/", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/opt/malcom/Malcom/networking/", line 238, in run
  File "/opt/malcom/Malcom/networking/", line 215, in load_pcap
    self.sniff(stopper=self.stop_sniffing, filter=self.filter, prn=self.handlePacket, stopperTimeout=1, offline=self.engine.setup['SNIFFER_DIR']+"/"+filename)
  File "/opt/malcom/Malcom/networking/", line 658, in sniff
    r = prn(p)
  File "/opt/malcom/Malcom/networking/", line 509, in handlePacket
  File "/opt/malcom/Malcom/networking/", line 563, in send_flow_statistics
    data['flow'] = flow.get_statistics(self.engine.yara_rules)
  File "/opt/malcom/Malcom/networking/", line 299, in get_statistics
    self.decoded_flow = Decoder.decode_flow(self)
  File "/opt/malcom/Malcom/networking/", line 23, in decode_flow
    data = Decoder.HTTP_request(flow.payload)
  File "/opt/malcom/Malcom/networking/", line 97, in HTTP_request
    host ='Host: (?P<host>[.\w-]+)(:(?P<port>[\d]{1,5}))?', payload).groupdict()
AttributeError: 'NoneType' object has no attribute 'groupdict'

Got this error while processing this pcap:
It might not be related to the previous, so feel free to track it as a separate issue.
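The traceback above ends in `.groupdict()` being called on a `None` match: the decoder assumed every flow on TCP/80 carries an HTTP request with a `Host:` header, and a non-HTTP payload (or an HTTP/1.0 request without `Host`) brought the sniffer thread down. The following is an added example, not Malcom's own decoder, showing how a port-80 decoder can classify a payload and fail closed instead of crashing; the sample payloads are constructed, and Python 3 is used even though the project targets Python 2.7.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample payloads (not taken from the reporter's pcap):
HTTP_WITH_HOST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com:8080\r\n"
                  b"User-Agent: x\r\n\r\n")
HTTP_NO_HOST = b"GET / HTTP/1.0\r\nUser-Agent: x\r\n\r\n"   # HTTP/1.0: Host is optional
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"   # TLS record bytes on port 80

# Request line first: if it does not match, the payload is not an HTTP request.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,10}) (?P<uri>\S+) HTTP/(?P<version>\d\.\d)\r?\n")
# Same host/port shape the traceback's pattern used, anchored to a header line.
HOST_HEADER = re.compile(rb"^Host:[ \t]*(?P<host>[.\w-]+)(?::(?P<port>\d{1,5}))?[ \t]*\r?$",
                         re.M | re.I)


def parse_http_request(payload: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return request fields, or None when the payload is not an HTTP request.

    Never raises on arbitrary bytes: a missing Host header yields host=None
    rather than a call on a None match object.
    """
    if not payload:
        return None
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None                       # e.g. TLS or a custom protocol on port 80
    head, _, _ = payload.partition(b"\r\n\r\n")
    h = HOST_HEADER.search(head)          # may be None; handled below
    return {
        "method": m.group("method").decode("ascii"),
        "uri": m.group("uri").decode("ascii", "replace"),
        "version": m.group("version").decode("ascii"),
        "host": h.group("host").decode("ascii") if h else None,
        "port": h.group("port").decode("ascii") if (h and h.group("port")) else None,
    }


def decode_port80_flow(payload: bytes) -> Dict[str, Any]:
    """What a flow decoder should do with a port-80 flow: tag it, never crash."""
    fields = parse_http_request(payload)
    if fields is None:
        return {"type": "unknown", "bytes": len(payload)}
    return {"type": "http", **fields}


if __name__ == "__main__":
    for sample in (HTTP_WITH_HOST, HTTP_NO_HOST, NOT_HTTP):
        print(decode_port80_flow(sample))
```

Tagging the flow as `unknown` keeps it in the dataset, so an analyst still sees that something non-HTTP talked on port 80, which is itself a useful signal.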

problem when running malcom

when I try to run malcom, I get this error message. I used the default configuration file

./ -c malcom.conf
===== Malcom 1.3a - Malware Communications Analyzer =====

Traceback (most recent call last):
  File "./", line 59, in <module>
  File "~/Malcom/config/", line 13, in load_config
  File "~/Malcom/config/", line 30, in parse_command_line
  File "~/Malcom/config/", line 73, in parse_config_file
    self['MODULES_DIR'] = config.get('sniffer', 'modules_dir')
  File "/usr/lib/python2.7/", line 618, in get
    raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'modules_dir' in section: 'sniffer'

Stealth mode

Add a switch to make sure Malcom does not communicate with external infrastructure:

  • Prevent rDNS when sniffing and detecting IPs
  • Prevent DNS resolutions in analytics module
  • Prevent IP to AS resolutions
  • Make all the above configurable?
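One way to implement the switch requested above is to route every lookup that leaves the analysis host through a single gate, so that rDNS, forward DNS and IP-to-AS queries can all be refused by one setting. This is an added example, not Malcom's code: the `stealth` flag, the class and method names are assumptions, the resolver callables are injectable so the behaviour can be tested offline, and no AS data source is wired in.

```python
import socket
from typing import Callable, List, Optional

Resolver = Callable[[str], Optional[str]]


class ExternalLookups:
    """Single choke point for every lookup that would leave the analysis host.

    With stealth=True no query is sent at all: the caller gets None and the
    suppressed lookup is recorded so it can be logged or shown in the UI.
    """

    def __init__(self, stealth: bool,
                 rdns: Optional[Resolver] = None,
                 dns: Optional[Resolver] = None,
                 asn: Optional[Resolver] = None):
        self.stealth = stealth
        self._rdns = rdns or self._default_rdns
        self._dns = dns or self._default_dns
        self._asn = asn                  # no default: AS source is out of scope here
        self.suppressed: List[str] = []  # what stealth mode refused to send

    @staticmethod
    def _default_rdns(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            return None

    @staticmethod
    def _default_dns(name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except (socket.gaierror, OSError):
            return None

    def _gate(self, kind: str, target: str, fn: Optional[Resolver]) -> Optional[str]:
        # Every outbound lookup passes through here, so one flag covers all of them.
        if self.stealth or fn is None:
            self.suppressed.append(f"{kind} {target}")
            return None
        return fn(target)

    def reverse_dns(self, ip: str) -> Optional[str]:
        return self._gate("rdns", ip, self._rdns)

    def resolve(self, hostname: str) -> Optional[str]:
        return self._gate("dns", hostname, self._dns)

    def ip_to_as(self, ip: str) -> Optional[str]:
        return self._gate("asn", ip, self._asn)
```

Reading the flag from the configuration file (the "make it configurable" item) then amounts to constructing `ExternalLookups(stealth=setup["STEALTH"])` once and passing that object to the sniffer and analytics code instead of letting each module call `socket` directly.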

API: Edit tags and evil attributes through the API


Be able to tag an element (add / remove)
Be able to edit an element's evil attribute (by selecting an already existing attribute or adding a new one)

Sniffing sessions

Be able to tag sniffing sessions (add / remove)

FT, Hide nodes in graph view based on filter

It would also be nice if it were possible to hide things based on the filter selection.
For example, to quickly remove all Google stuff, something like "not google" which hides Google IPs and hosts.

Play/Cancel/Start/Stop buttons with --public

The above-mentioned buttons are not printed when malcom is launched with the --public parameter.

This occurs because of this line:
{% if not g.config['PUBLIC'] %}

in sniffer html templates.

KeyError: 'FEEDS_DIR'

I get the following error when running ./ in env-malcom :

===== Malcom 1.3a - Malware Communications Analyzer =====

Traceback (most recent call last):
File "./", line 59, in
File "/home/erbu/malcom/Malcom/config/", line 14, in load_config
File "/home/erbu/malcom/Malcom/config/", line 22, in sanitize_paths
if not self['FEEDS_DIR'].startswith('/'):
KeyError: 'FEEDS_DIR'


In dev (311b1e5)

I should say that I modify the file Malcom/networking/ and changed the line
self.filter = "ip and not host and not host %s %s" % (remote_addr, filter_ifaces)
self.filter = ""

So I can sniff my own traffic.

[MODEL] - (updated hostname
[MODEL] - (updated hostname
[DEBUG] - Caught DNS question:
[DEBUG] - [+] DNS replies caught (1 answers)
[DEBUG] - No relevant records in reply
[DEBUG] - [+] DNS replies caught (1 answers)
[DEBUG] - No relevant records in reply
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/", line 810, in __bootstrap_inner
File "/usr/lib/python2.7/", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/dir/aplics/malcom/Malcom/networking/", line 90, in run
self.pkts += self.sniff(stopper=self.stop_sniffing, filter=self.filter, prn=self.handlePacket, stopperTimeout=1)
File "/home/user/dir/aplics/malcom/Malcom/networking/", line 513, in sniff
r = prn(p)
File "/home/user/dir/aplics/malcom/Malcom/networking/", line 382, in handlePacket
new_elts, new_edges = self.checkHTTP(flow)
File "/home/user/dir/aplics/malcom/Malcom/networking/", line 323, in checkHTTP
if url['value'] not in self.nodes_values:
TypeError: list indices must be integers, not str
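Two of the reports above ("problem when running malcom" and "KeyError: 'FEEDS_DIR'") are the same failure mode: the loader reads options one by one and the first one missing from malcom.conf raises, from either `ConfigParser` or the later `sanitize_paths` dictionary lookup. The following is an added example, not Malcom's own `config` module, of a loader that validates the whole file against a schema of expected options, fills defaults, and reports every missing mandatory option at once before any path is touched. The section and option names are modelled on the tracebacks but are assumptions, the sample config is constructed, and Python 3's `configparser` is used.

```python
import configparser
import posixpath
from typing import Any, Dict

# Constructed sample config: modules_dir and feeds_dir are deliberately absent,
# which is exactly what the two tracebacks above tripped over.
SAMPLE_CONF = """
[web]
listen_port = 8080
public = false

[sniffer]
sniffer_dir = sniffer/captures

[feeds]
; feeds_dir intentionally omitted
"""

# Expected options per section. A default of None marks the option as mandatory.
# Illustrative names; the project's real option list is in malcom.conf.example.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "web":     {"listen_port": 8080, "public": False},
    "sniffer": {"sniffer_dir": None, "modules_dir": "sniffer/modules"},
    "feeds":   {"feeds_dir": "feeds"},
}

PATH_KEYS = ("SNIFFER_DIR", "MODULES_DIR", "FEEDS_DIR")


class ConfigError(Exception):
    pass


def load_config(text: str, base_dir: str) -> Dict[str, Any]:
    """Parse an INI-style config into the flat UPPERCASE dict the tracebacks show."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    setup: Dict[str, Any] = {}
    missing = []
    for section, options in SCHEMA.items():
        for opt, default in options.items():
            key = opt.upper()
            if cp.has_option(section, opt):          # False if the section is absent too
                if isinstance(default, bool):        # bool before int: bool is an int subclass
                    setup[key] = cp.getboolean(section, opt)
                elif isinstance(default, int):
                    setup[key] = cp.getint(section, opt)
                else:
                    setup[key] = cp.get(section, opt)
            elif default is None:
                missing.append(f"[{section}] {opt}")
            else:
                setup[key] = default
    if missing:
        raise ConfigError("missing required option(s): " + ", ".join(missing))
    # sanitize_paths equivalent: anchor relative directories at the install dir.
    for key in PATH_KEYS:
        if not posixpath.isabs(setup[key]):
            setup[key] = posixpath.normpath(posixpath.join(base_dir, setup[key]))
    return setup


def config_problems(text: str, base_dir: str) -> str:
    """Preflight check: '' when the config loads, otherwise the error message."""
    try:
        load_config(text, base_dir)
        return ""
    except (ConfigError, configparser.Error) as e:
        return str(e)


if __name__ == "__main__":
    print(load_config(SAMPLE_CONF, "/opt/malcom"))
```

Collecting all missing options before raising means a user with a stale malcom.conf sees one complete message instead of fixing one key per restart.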

My struggles with malcom

First off Tom this is a great app. I really enjoy it and it's very unique. That being said here are my struggles with it currently.

So, my setup is this is behind a firewall and IDS...and as soon as Malcom starts with feeds my IDS lights up all over the place. So, ultimately, my goal is to have Malcom without the feeds options. Things I've tried:

  1. From source. The first sticking point is cryptography==0.7.2 on debian/ubuntu won't install at all. Removing the line and running the pip command auto installs cryptography-2.0.3. After changing feeds = false here's what I get after the run:
{'MAX_WORKERS': '12', 'SKIP_TAGS': 'whitelisted', 'ACTIVATED': 'true'}
{'WEB': True, 'LISTEN_PORT': 8080, 'ANALYTICS': True, 'ACTIVATED': 'true', 'AUTH': False, 'MAX_WORKERS': 12, 'SKIP_TAGS': ['whitelisted'], 'VERSION': '1.3a', 'LISTEN_INTERFACE': ''}
Detected interfaces:
WARNING: Failed to execute tcpdump. Check it is installed and in the PATH
WARNING: No route found for IPv6 destination :: (no default route?)
[+] Starting sniffer...
[+] Successfully loaded sniffer directory: /opt/malcom/Malcom/sniffer/captures
Traceback (most recent call last):
  File "./", line 79, in <module>
    setup.sniffer_engine = netsniffer.SnifferEngine(setup)
  File "/opt/malcom/Malcom/sniffer/", line 41, in __init__
    from Malcom.sniffer.tlsproxy.tlsproxy import MalcomTLSProxy
  File "/opt/malcom/Malcom/sniffer/tlsproxy/", line 9, in <module>
    from twisted.internet import defer, ssl
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/twisted/internet/", line 59, in <module>
    from OpenSSL import SSL
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 11, in <module>
    from OpenSSL._util import (
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 3, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
AttributeError: 'module' object has no attribute '_init_cffi_1_0_external_module'

after this you can't even run pip anymore:

Traceback (most recent call last):
  File "/opt/malcom/env-malcom/bin/pip", line 7, in <module>
    from pip import main
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/pip/", line 21, in <module>
    from pip._vendor.requests.packages.urllib3.exceptions import DependencyWarning
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/pip/_vendor/", line 64, in <module>
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/pip/_vendor/", line 36, in vendored
    __import__(modulename, globals(), locals(), level=0)
  File "/opt/malcom/env-malcom/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/", line 9, in <module>
  File "/opt/malcom/env-malcom/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/", line 1, in <module>
  File "/opt/malcom/env-malcom/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/", line 4, in <module>
  File "/opt/malcom/env-malcom/share/python-wheels/requests-2.12.4-py2.py3-none-any.whl/requests/", line 52, in <module>
  File "/opt/malcom/env-malcom/share/python-wheels/requests-2.12.4-py2.py3-none-any.whl/requests/packages/", line 59, in <module>
  File "/opt/malcom/env-malcom/share/python-wheels/requests-2.12.4-py2.py3-none-any.whl/requests/packages/", line 32, in vendored
  File "/opt/malcom/env-malcom/share/python-wheels/urllib3-1.19.1-py2.py3-none-any.whl/urllib3/contrib/", line 47, in <module>
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 11, in <module>
    from OpenSSL._util import (
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/OpenSSL/", line 3, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
AttributeError: 'module' object has no attribute '_init_cffi_1_0_external_module'

the entire virtual-env seems destroyed.

  1. Docker. So the docker image works fine, however, again, as soon as it's fired up it sprays all over the IDS causing a lot of issues. I've tried: routing all the traffic over tor, blocking dns. What I'd LIKE to do is modify the malcom.conf file within the but I haven't been successful.

Tom, is there any way you can add a feature in the web page configuration to disable feeds? Just...SOMETHING that will stop the feeds. Thank you

Stop the uploading of a pcap.

It would be nice to have some way of stopping the uploading of a pcap. Sometimes it is too big and you don't want to wait so long. Or maybe it is just too big.


I can't access my home page in malcom

hi guys,

I installed malcom using Docker, but I can't access the home page of malcom; it goes directly into the dataset, and in feeds all my running services are "NO". Please guide me on this.

Thanks in advance.

pcapng support?

Gave a try to honeynet14 pcapng but it doesn't seem to load. I suppose pcapng is not supported ?

Errors - Ubuntu 14.04

I am on an Ubuntu server 14.04 LTS VM with python 2.7.6 installed. I needed to install libssl-dev and libffi-dev using apt-get in order for pyopenssl and all the rest to be installed without errors. I also installed service_identity using pip to avoid a warning when running malcom. I don't think I forgot anything else... :)

I guess something is still missing because I get the following when I run malcom:

./ -a
[DEBUG] - Could not send message: 'NoneType' object has no attribute 'send'


./ -f
[DEBUG] - Starting thread for feed TorExitNodes...
[DEBUG] - Could not send message: 'NoneType' object has no attribute 'send'
Exception in thread Thread-5:
Traceback (most recent call last):
File "/usr/lib/python2.7/", line 810, in __bootstrap_inner
File "/usr/lib/python2.7/", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "/opt/malcom/Malcom/feeds/", line 62, in run
status = self.update()
File "/opt/malcom/Malcom/feeds/", line 23, in update
File "/opt/malcom/Malcom/feeds/", line 40, in analyze
ip, status =, with_status=True)
File "/opt/malcom/Malcom/analytics/", line 81, in save_element
return, with_status=with_status)
File "/opt/malcom/Malcom/model/", line 123, in save
status = self.elements.update({'value': element['value']}, {"$set" : element, "$addToSet": {'tags' : {'$each': tags}}}, upsert=True)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/pymongo/", line 561, in update
check_keys, self.uuid_subtype), safe)
InvalidDocument: Cannot encode object: {'refresh_period': 259200, 'type': 'ip', 'value': ''}

When trying to delete a session:

Traceback (most recent call last):
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/gevent/", line 508, in handle_one_response
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/geventwebsocket/", line 88, in run_application
return super(WebSocketHandler, self).run_application()
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/gevent/", line 494, in run_application
self.result = self.application(self.environ, self.start_response)
File "/opt/malcom/Malcom/web/", line 76, in malcom_app
return app(environ, start_response)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/opt/malcom/env-malcom/local/lib/python2.7/site-packages/flask/", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/malcom/Malcom/web/", line 448, in sniffer_session_delete
File "/opt/malcom/Malcom/model/", line 99, in del_sniffer_session
filename = session['name'] + ".pcap"
TypeError: 'NoneType' object has no attribute '__getitem__'
