A powerful, easily deployable network traffic analysis tool suite
For a TL;DR example of downloading, configuring, and running Malcolm on a Linux platform, see Installation example using Ubuntu 22.04 LTS.
The scripts to control Malcolm require Python 3. The `install.py` script requires the `requests` module for Python 3, and will make use of the `pythondialog` module for user interaction (on Linux) if it is available.
The files required to build and run Malcolm are available on its GitHub page. Malcolm's source code is released under the terms of a permissive open source software license (see `License.txt` for the terms of its release).
The `build.sh` script can build Malcolm's Docker images from scratch. See Building from source for more information.
You must run `auth_setup` prior to pulling Malcolm's Docker images. You should also ensure your system configuration and `docker-compose.yml` settings are tuned by running `./scripts/install.py` or `./scripts/install.py --configure` (see System configuration and tuning).
Malcolm's Docker images are periodically built and hosted on Docker Hub. If you already have Docker and Docker Compose, these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker-compose pull` like this:

```
$ docker-compose pull
Pulling api               ... done
Pulling arkime            ... done
Pulling dashboards        ... done
Pulling dashboards-helper ... done
Pulling file-monitor      ... done
Pulling filebeat          ... done
Pulling freq              ... done
Pulling htadmin           ... done
Pulling logstash          ... done
Pulling name-map-ui       ... done
Pulling netbox            ... done
Pulling netbox-postgresql ... done
Pulling netbox-redis      ... done
Pulling nginx-proxy       ... done
Pulling opensearch        ... done
Pulling pcap-capture      ... done
Pulling pcap-monitor      ... done
Pulling suricata          ... done
Pulling upload            ... done
Pulling zeek              ... done
```
You can then observe that the images have been retrieved by running `docker images`:

```
$ docker images
REPOSITORY                        TAG       IMAGE ID       CREATED      SIZE
malcolmnetsec/api                 23.03.0   xxxxxxxxxxxx   3 days ago   158MB
malcolmnetsec/arkime              23.03.0   xxxxxxxxxxxx   3 days ago   816MB
malcolmnetsec/dashboards          23.03.0   xxxxxxxxxxxx   3 days ago   1.02GB
malcolmnetsec/dashboards-helper   23.03.0   xxxxxxxxxxxx   3 days ago   184MB
malcolmnetsec/file-monitor        23.03.0   xxxxxxxxxxxx   3 days ago   588MB
malcolmnetsec/file-upload         23.03.0   xxxxxxxxxxxx   3 days ago   259MB
malcolmnetsec/filebeat-oss        23.03.0   xxxxxxxxxxxx   3 days ago   624MB
malcolmnetsec/freq                23.03.0   xxxxxxxxxxxx   3 days ago   132MB
malcolmnetsec/htadmin             23.03.0   xxxxxxxxxxxx   3 days ago   242MB
malcolmnetsec/logstash-oss        23.03.0   xxxxxxxxxxxx   3 days ago   1.35GB
malcolmnetsec/name-map-ui         23.03.0   xxxxxxxxxxxx   3 days ago   143MB
malcolmnetsec/netbox              23.03.0   xxxxxxxxxxxx   3 days ago   1.01GB
malcolmnetsec/nginx-proxy         23.03.0   xxxxxxxxxxxx   3 days ago   121MB
malcolmnetsec/opensearch          23.03.0   xxxxxxxxxxxx   3 days ago   1.17GB
malcolmnetsec/pcap-capture        23.03.0   xxxxxxxxxxxx   3 days ago   121MB
malcolmnetsec/pcap-monitor        23.03.0   xxxxxxxxxxxx   3 days ago   213MB
malcolmnetsec/postgresql          23.03.0   xxxxxxxxxxxx   3 days ago   268MB
malcolmnetsec/redis               23.03.0   xxxxxxxxxxxx   3 days ago   34.2MB
malcolmnetsec/suricata            23.03.0   xxxxxxxxxxxx   3 days ago   278MB
malcolmnetsec/zeek                23.03.0   xxxxxxxxxxxx   3 days ago   1GB
```
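The steps above (check the Python 3 and Docker prerequisites, pull, then confirm with `docker images`) can be wrapped in a small pre-flight script. The following is an added example and not one of Malcolm's own scripts: it checks that `python3`, `docker`, `docker-compose` and the Python `requests` module are available, and it parses `docker images` output to confirm that every `malcolmnetsec/*` image from the listing above is present and carries the same release tag, since a partial or interrupted pull can leave a mix of tags that the compose file will not start cleanly. The image list and the `23.03.0` tag are taken from the listing; the function names, the placeholder image IDs and sizes, and the `sample_listing` helper used to try it offline are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Malcolm project: pre-flight checks before and
# after `docker-compose pull`. Image names and MALCOLM_TAG come from the
# `docker images` listing on this page; everything else is this example's own.

MALCOLM_TAG="23.03.0"   # release tag shown in the listing above
EXPECTED_IMAGES="api arkime dashboards dashboards-helper file-monitor file-upload filebeat-oss freq htadmin logstash-oss name-map-ui netbox nginx-proxy opensearch pcap-capture pcap-monitor postgresql redis suricata zeek"

# check_prereqs: report tools the control scripts depend on that are absent.
# Prints one "missing: ..." line per problem; the return status is the count.
check_prereqs() {
  missing=0
  for tool in python3 docker docker-compose; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "missing: $tool"
      missing=$((missing + 1))
    fi
  done
  # install.py needs the Python 3 'requests' module
  if command -v python3 >/dev/null 2>&1 && ! python3 -c 'import requests' >/dev/null 2>&1; then
    echo "missing: python3 module 'requests'"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# verify_images: read `docker images` output on stdin and flag any expected
# malcolmnetsec/* image that is absent or tagged with a different release.
# Prints one line per problem; the return status is the number of problems.
verify_images() {
  listing=$(cat)
  problems=0
  for name in $EXPECTED_IMAGES; do
    repo="malcolmnetsec/$name"
    # TAG is the second whitespace-separated column; empty when the image is absent
    tag=$(printf '%s\n' "$listing" | awk -v repo="$repo" '$1 == repo { print $2; exit }')
    if [ -z "$tag" ]; then
      echo "missing image: $repo"
      problems=$((problems + 1))
    elif [ "$tag" != "$MALCOLM_TAG" ]; then
      echo "tag mismatch: $repo is $tag, expected $MALCOLM_TAG"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# sample_listing: constructed `docker images` output for trying the check
# offline (image IDs and sizes are placeholders). $1 is the tag given to the
# zeek image; pass "drop-redis" as $2 to leave the redis image out.
sample_listing() {
  echo "REPOSITORY TAG IMAGE ID CREATED SIZE"
  for name in $EXPECTED_IMAGES; do
    if [ "$name" = redis ] && [ "$2" = drop-redis ]; then
      continue
    fi
    tag=$MALCOLM_TAG
    if [ "$name" = zeek ]; then
      tag=$1
    fi
    echo "malcolmnetsec/$name $tag xxxxxxxxxxxx 3 days ago 100MB"
  done
}

# Usage, from the Malcolm directory after `docker-compose pull`:
#   check_prereqs && docker images | verify_images && echo "all images at $MALCOLM_TAG"
```

`verify_images` keys on the first two columns of `docker images` only, so it does not care how the CREATED or SIZE columns are rendered, and it reports every problem rather than stopping at the first so a single run tells you exactly which images still need pulling.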
Once built, the `malcolm_appliance_packager.sh` script can be used to create pre-packaged Malcolm tarballs for import on another machine. See Pre-Packaged Installation Files for more information.
Use the scripts in the `scripts/` directory to start and stop Malcolm, view debug logs of a currently running instance, wipe the database and restore Malcolm to a fresh state, etc.
A few minutes after starting Malcolm (probably 5 to 10 minutes for Logstash to be completely up, depending on the system), the following services will be accessible:
`sftp://<username>@127.0.0.1:8022/files`