Malcolm is a powerful suite of network analytics tools designed with network security in mind.
Although all of Malcolm's open source tools are now available and in general use, it provides an interface framework that makes it larger than the sum of its parts. While there are many other solutions for network analytics, from all Linux distributions such as Security Onion to licensed products such as Splunk Enterprise Security, Malcolm creators are optimistic that its powerful toolkit will fill a gap in network security that will make network traffic analysis accessible to many in both the public and private sectors, as well as to individual users.
- Easy to use- Malcolm receives packages (PCAP) and Zeek logs (formerly Bro). These items can be downloaded via a simple browser-based interface or recorded live and forwarded to. In both cases, the data are automatically normalized, enriched and correlated for analysis.
- Powerful network analyzer- Visibility in network communications is provided through two intuitive interfaces: Kibana, a flexible data visualization plugin with dozens of predefined control panels that provide a quick overview of network protocols. And Moloch, a powerful tool for locating and detecting network sessions that contain suspicious security incidents.
- Improved growth- Malcolm acts as a Docker cluster, serving a specific system function. This Docker-based deployment model, combined with a few simple scripts for setting up and managing runtime, makes Malcolm suitable for fast deployment across platforms and applications, whether it is long-term deployment on a Linux server, a security function center (SOC) ) or to respond to events on a Macbook for individual use.
- Secure in communications All communications with Malcolm, both from the user interface and from remote logging forwarders, are secured with industry standard encryption protocols.
- Open source program Malcolm is made up of many well-known open source tools, making it an attractive alternative to security solutions that require paid licenses.
- Visibility of the control systemWhile Malcolm is ideal for general purpose network traffic analysis, its creators see a particular need in the community for tools that provide information about protocols used in industrial control systems (ICS) environments. The continued development of Malcolm aims to provide additional analyzers for common ICS protocols.
In short, Malcolm provides an easy-to-use suite of network analysis tools for complete packet collection (PCAP files) and Zeek logs. While internet access is required to create it, it is not required when running it.
You will find the program installation guide as well as user functions here