Logo

A powerful, easily deployable network traffic analysis tool suite

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

Zeek

local.zeek

Some Zeek behavior can be tweaked without having to manually edit configuration files through the use of environment variables: search for ZEEK in the docker-compose.yml parameters section of the documentation.

Other changes to Zeek’s behavior could be made by modifying local.zeek and either using a bind mount or rebuilding the zeek Docker image with the modification. See the Zeek documentation for more information on customizing a Zeek instance. Note that changing Zeek’s behavior could result in changes to the format of the logs Zeek generates, which could break Malcolm’s parsing of those logs, so exercise caution.

Adding a new Zeek package

The easiest way to add a new Zeek package to Malcolm is to add the git URL of that package to the ZKG_GITHUB_URLS array in zeek_install_plugins.sh script and then rebuilding the zeek Docker image. This will cause your package to be installed (via the zkg command-line tool). See Parsing new Zeek logs on how to process any new .log files if your package generates them.

Zeek Intelligence Framework

See Zeek Intelligence Framework in the Malcolm README for information on how to use Zeek’s Intelligence Framework with Malcolm.