From the course: Complete Guide to Open Source Security
Understanding Malcolm for threat hunting
- [Instructor] As part of the release of Kali Purple, the Malcolm tool, developed by the Idaho Labs for the US Department of Homeland Security, has been forwarded into a Kali Purple-friendly form. This tool provides an integrated set of tools for traffic analysis to support threat hunting. It consists of the Suricata IDS, the Zeek Session Analysis tool, and the Arkime Deep Packet Inspection tool, all feeding into an OpenSearch database. The pipeline diagram shows the main components of the Malcolm system. While it can run live, we'll be using Malcolm in its offline form, where it consumes a PCAP for file analysis. When we import the PCAP file into Malcolm, it's automatically analyzed by Suricata, and can optionally be analyzed by either or both of the Arkime Deep Packet capture tool and the Zeek Session Analysis tool. The packets are stored directly in OpenSearch, and the results of the Zeek and Suricata analysis are stored in Logstash for ingestion by OpenSearch. The Arkime viewer…