Merge remote-tracking branch 'cisa/master' for v2.4.1 release

idaholab · Oct 20, 2020 · f2b4593 · f2b4593
2 parents 144c1e1 + 5ef8381
commit f2b4593
Show file tree

Hide file tree

Showing 18 changed files with 99 additions and 94 deletions.
diff --git a/Dockerfiles/curator.Dockerfile b/Dockerfiles/curator.Dockerfile
@@ -55,9 +55,10 @@ ENV CURATOR_SNAPSHOT_REPO $CURATOR_SNAPSHOT_REPO
 ENV CURATOR_SNAPSHOT_COMPRESSED $CURATOR_SNAPSHOT_COMPRESSED
 ENV CURATOR_SNAPSHOT_DISABLED $CURATOR_SNAPSHOT_DISABLED
 
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV CURATOR_VERSION "5.8.1"

diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
@@ -38,9 +38,10 @@ ARG FILEBEAT_NGINX_LOG_PATH="/data/nginx"
 ARG NGINX_LOG_ACCESS_AND_ERRORS=false
 ARG AUTO_TAG=true
 
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 USER root

diff --git a/Dockerfiles/kibana.Dockerfile b/Dockerfiles/kibana.Dockerfile
@@ -39,9 +39,10 @@ ENV KIBANA_OFFLINE_REGION_MAPS_PORT $KIBANA_OFFLINE_REGION_MAPS_PORT
 ENV PATH="/data:${PATH}"
 ENV ELASTICSEARCH_URL $ELASTICSEARCH_URL
 
-ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64"
+ENV SUPERCRONIC_VERSION "0.1.11"
+ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85"
+ENV SUPERCRONIC_SHA1SUM "a2e2d47078a8dafc5949491e5ea7267cc721d67c"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 USER root

diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
@@ -100,7 +100,7 @@ ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP
 ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL
 
 # build latest nginx with nginx-auth-ldap
-ENV NGINX_VERSION=1.19.0
+ENV NGINX_VERSION=1.19.3
 ENV NGINX_AUTH_LDAP_BRANCH=master
 
 ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
@@ -6,17 +6,17 @@ ENV DEBIAN_FRONTEND noninteractive
 
 # build zeek and plugins (spicy, additional protocol parsers, etc.)
 
-ENV BISON_VERSION "3.6.2"
+ENV BISON_VERSION "3.7.2"
 ENV CCACHE_DIR "/var/spool/ccache"
 ENV CCACHE_COMPRESS 1
 ENV CMAKE_DIR "/opt/cmake"
-ENV CMAKE_VERSION "3.17.2"
+ENV CMAKE_VERSION "3.18.4"
 ENV SPICY_DIR "/opt/spicy"
 ENV SRC_BASE_DIR "/usr/local/src"
 ENV ZEEK_DIR "/opt/zeek"
 ENV ZEEK_PATCH_DIR "${SRC_BASE_DIR}/zeek-patches"
 ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"
-ENV ZEEK_VERSION "3.0.10"
+ENV ZEEK_VERSION "3.0.11"
 
 # using clang now instead of gcc because Spicy depends on it
 ENV LLVM_VERSION "10"
@@ -171,8 +171,8 @@ ENV PATH "${ZEEK_DIR}/bin:${SPICY_DIR}/bin:${PATH}"
 
 # sanity check to make sure the plugins installed and copied over correctly
 # these ENVs should match the number of third party plugins installed by zeek_install_plugins.sh
-ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22
-ENV ZEEK_THIRD_PARTY_GREP_STRING "(spicy/main|Bro_LDAP/scripts/main|Corelight/PE_XOR/main|Salesforce/GQUIC/main|Zeek_AF_Packet/scripts/init|bzar/main|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|hassh/hassh|ja3/ja3|zeek-community-id/main|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-plugin-bacnet/main|zeek-plugin-enip/main|zeek-plugin-profinet/main|zeek-plugin-s7comm/main|zeek-plugin-tds/main|zeek-sniffpass/main|CVE-2020-1350|ripple20|callstranger)\.(zeek|bro)"
+ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 25
+ENV ZEEK_THIRD_PARTY_GREP_STRING "(Bro_LDAP/scripts/main|bzar/main|callstranger|Corelight/PE_XOR/main|cve-2020-0601|CVE-2020-1350|cve-2020-13777|CVE-2020-16898|hassh/hassh|ja3/ja3|ripple20|Salesforce/GQUIC/main|spicy-noise|spicy/main|zeek-community-id/main|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-plugin-bacnet/main|zeek-plugin-enip/main|zeek-plugin-profinet/main|zeek-plugin-s7comm/main|zeek-plugin-tds/main|zeek-sniffpass/main|Zeek_AF_Packet/scripts/init|zerologon/main)\.(zeek|bro)"
 
 RUN mkdir -p /tmp/logs && \
     cd /tmp/logs && \

diff --git a/README.md b/README.md
@@ -157,22 +157,22 @@ You can then observe that the images have been retrieved by running `docker imag
 ```
 $ docker images
 REPOSITORY                                          TAG                 IMAGE ID            CREATED             SIZE
-malcolmnetsec/curator                               2.4.0               xxxxxxxxxxxx        40 hours ago        256MB
-malcolmnetsec/elastalert                            2.4.0               xxxxxxxxxxxx        40 hours ago        410MB
-malcolmnetsec/elasticsearch-oss                     2.4.0               xxxxxxxxxxxx        40 hours ago        690MB
-malcolmnetsec/file-monitor                          2.4.0               xxxxxxxxxxxx        39 hours ago        470MB
-malcolmnetsec/file-upload                           2.4.0               xxxxxxxxxxxx        39 hours ago        199MB
-malcolmnetsec/filebeat-oss                          2.4.0               xxxxxxxxxxxx        39 hours ago        555MB
-malcolmnetsec/freq                                  2.4.0               xxxxxxxxxxxx        39 hours ago        390MB
-malcolmnetsec/htadmin                               2.4.0               xxxxxxxxxxxx        39 hours ago        180MB
-malcolmnetsec/kibana-oss                            2.4.0               xxxxxxxxxxxx        40 hours ago        1.16GB
-malcolmnetsec/logstash-oss                          2.4.0               xxxxxxxxxxxx        39 hours ago        1.41GB
-malcolmnetsec/moloch                                2.4.0               xxxxxxxxxxxx        17 hours ago        683MB
-malcolmnetsec/name-map-ui                           2.4.0               xxxxxxxxxxxx        39 hours ago        137MB
-malcolmnetsec/nginx-proxy                           2.4.0               xxxxxxxxxxxx        39 hours ago        120MB
-malcolmnetsec/pcap-capture                          2.4.0               xxxxxxxxxxxx        39 hours ago        111MB
-malcolmnetsec/pcap-monitor                          2.4.0               xxxxxxxxxxxx        39 hours ago        157MB
-malcolmnetsec/zeek                                  2.4.0               xxxxxxxxxxxx        39 hours ago        887MB
+malcolmnetsec/curator                               2.4.1               xxxxxxxxxxxx        40 hours ago        256MB
+malcolmnetsec/elastalert                            2.4.1               xxxxxxxxxxxx        40 hours ago        410MB
+malcolmnetsec/elasticsearch-oss                     2.4.1               xxxxxxxxxxxx        40 hours ago        690MB
+malcolmnetsec/file-monitor                          2.4.1               xxxxxxxxxxxx        39 hours ago        470MB
+malcolmnetsec/file-upload                           2.4.1               xxxxxxxxxxxx        39 hours ago        199MB
+malcolmnetsec/filebeat-oss                          2.4.1               xxxxxxxxxxxx        39 hours ago        555MB
+malcolmnetsec/freq                                  2.4.1               xxxxxxxxxxxx        39 hours ago        390MB
+malcolmnetsec/htadmin                               2.4.1               xxxxxxxxxxxx        39 hours ago        180MB
+malcolmnetsec/kibana-oss                            2.4.1               xxxxxxxxxxxx        40 hours ago        1.16GB
+malcolmnetsec/logstash-oss                          2.4.1               xxxxxxxxxxxx        39 hours ago        1.41GB
+malcolmnetsec/moloch                                2.4.1               xxxxxxxxxxxx        17 hours ago        683MB
+malcolmnetsec/name-map-ui                           2.4.1               xxxxxxxxxxxx        39 hours ago        137MB
+malcolmnetsec/nginx-proxy                           2.4.1               xxxxxxxxxxxx        39 hours ago        120MB
+malcolmnetsec/pcap-capture                          2.4.1               xxxxxxxxxxxx        39 hours ago        111MB
+malcolmnetsec/pcap-monitor                          2.4.1               xxxxxxxxxxxx        39 hours ago        157MB
+malcolmnetsec/zeek                                  2.4.1               xxxxxxxxxxxx        39 hours ago        887MB
 ```
 
 #### Import from pre-packaged tarballs
@@ -235,6 +235,7 @@ Malcolm leverages the following excellent open source tools, among others.
     * Andrew Klaus's [Sniffpass](https://github.com/cybera/zeek-sniffpass) plugin for detecting cleartext passwords in HTTP POST requests
     * Andrew Klaus's [zeek-httpattacks](https://github.com/precurse/zeek-httpattacks) plugin for detecting noncompliant HTTP requests
     * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
+    * Corelight's ["bad neighbor" (CVE-2020-16898)](https://github.com/corelight/CVE-2020-16898) plugin    
     * Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin
     * Corelight's [community ID](https://github.com/corelight/zeek-community-id) flow hashing plugin
     * Corelight's [ripple20](https://github.com/corelight/ripple20) plugin
@@ -1430,7 +1431,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu
 
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-2.4.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-2.4.1.iso"
 …
 ```
 
@@ -1829,22 +1830,22 @@ Pulling zeek          ... done
 
 user@host:~/Malcolm$ docker images
 REPOSITORY                                          TAG                 IMAGE ID            CREATED             SIZE
-malcolmnetsec/curator                               2.4.0               xxxxxxxxxxxx        40 hours ago        256MB
-malcolmnetsec/elastalert                            2.4.0               xxxxxxxxxxxx        40 hours ago        410MB
-malcolmnetsec/elasticsearch-oss                     2.4.0               xxxxxxxxxxxx        40 hours ago        690MB
-malcolmnetsec/file-monitor                          2.4.0               xxxxxxxxxxxx        39 hours ago        470MB
-malcolmnetsec/file-upload                           2.4.0               xxxxxxxxxxxx        39 hours ago        199MB
-malcolmnetsec/filebeat-oss                          2.4.0               xxxxxxxxxxxx        39 hours ago        555MB
-malcolmnetsec/freq                                  2.4.0               xxxxxxxxxxxx        39 hours ago        390MB
-malcolmnetsec/htadmin                               2.4.0               xxxxxxxxxxxx        39 hours ago        180MB
-malcolmnetsec/kibana-oss                            2.4.0               xxxxxxxxxxxx        40 hours ago        1.16GB
-malcolmnetsec/logstash-oss                          2.4.0               xxxxxxxxxxxx        39 hours ago        1.41GB
-malcolmnetsec/moloch                                2.4.0               xxxxxxxxxxxx        17 hours ago        683MB
-malcolmnetsec/name-map-ui                           2.4.0               xxxxxxxxxxxx        39 hours ago        137MB
-malcolmnetsec/nginx-proxy                           2.4.0               xxxxxxxxxxxx        39 hours ago        120MB
-malcolmnetsec/pcap-capture                          2.4.0               xxxxxxxxxxxx        39 hours ago        111MB
-malcolmnetsec/pcap-monitor                          2.4.0               xxxxxxxxxxxx        39 hours ago        157MB
-malcolmnetsec/zeek                                  2.4.0               xxxxxxxxxxxx        39 hours ago        887MB
+malcolmnetsec/curator                               2.4.1               xxxxxxxxxxxx        40 hours ago        256MB
+malcolmnetsec/elastalert                            2.4.1               xxxxxxxxxxxx        40 hours ago        410MB
+malcolmnetsec/elasticsearch-oss                     2.4.1               xxxxxxxxxxxx        40 hours ago        690MB
+malcolmnetsec/file-monitor                          2.4.1               xxxxxxxxxxxx        39 hours ago        470MB
+malcolmnetsec/file-upload                           2.4.1               xxxxxxxxxxxx        39 hours ago        199MB
+malcolmnetsec/filebeat-oss                          2.4.1               xxxxxxxxxxxx        39 hours ago        555MB
+malcolmnetsec/freq                                  2.4.1               xxxxxxxxxxxx        39 hours ago        390MB
+malcolmnetsec/htadmin                               2.4.1               xxxxxxxxxxxx        39 hours ago        180MB
+malcolmnetsec/kibana-oss                            2.4.1               xxxxxxxxxxxx        40 hours ago        1.16GB
+malcolmnetsec/logstash-oss                          2.4.1               xxxxxxxxxxxx        39 hours ago        1.41GB
+malcolmnetsec/moloch                                2.4.1               xxxxxxxxxxxx        17 hours ago        683MB
+malcolmnetsec/name-map-ui                           2.4.1               xxxxxxxxxxxx        39 hours ago        137MB
+malcolmnetsec/nginx-proxy                           2.4.1               xxxxxxxxxxxx        39 hours ago        120MB
+malcolmnetsec/pcap-capture                          2.4.1               xxxxxxxxxxxx        39 hours ago        111MB
+malcolmnetsec/pcap-monitor                          2.4.1               xxxxxxxxxxxx        39 hours ago        157MB
+malcolmnetsec/zeek                                  2.4.1               xxxxxxxxxxxx        39 hours ago        887MB
 ```
 
 Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
@@ -126,7 +126,7 @@ x-pcap-capture-variables: &pcap-capture-variables
 
 services:
   elasticsearch:
-    image: malcolmnetsec/elasticsearch-oss:2.4.0
+    image: malcolmnetsec/elasticsearch-oss:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -161,7 +161,7 @@ services:
       retries: 3
       start_period: 180s
   kibana:
-    image: malcolmnetsec/kibana-oss:2.4.0
+    image: malcolmnetsec/kibana-oss:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -187,7 +187,7 @@ services:
       retries: 3
       start_period: 210s
   elastalert:
-    image: malcolmnetsec/elastalert:2.4.0
+    image: malcolmnetsec/elastalert:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -215,7 +215,7 @@ services:
       retries: 3
       start_period: 210s
   curator:
-    image: malcolmnetsec/curator:2.4.0
+    image: malcolmnetsec/curator:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -234,7 +234,7 @@ services:
       retries: 3
       start_period: 30s
   logstash:
-    image: malcolmnetsec/logstash-oss:2.4.0
+    image: malcolmnetsec/logstash-oss:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -267,7 +267,7 @@ services:
       retries: 3
       start_period: 600s
   filebeat:
-    image: malcolmnetsec/filebeat-oss:2.4.0
+    image: malcolmnetsec/filebeat-oss:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -304,7 +304,7 @@ services:
       retries: 3
       start_period: 60s
   moloch:
-    image: malcolmnetsec/moloch:2.4.0
+    image: malcolmnetsec/moloch:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -343,7 +343,7 @@ services:
       retries: 3
       start_period: 210s
   zeek:
-    image: malcolmnetsec/zeek:2.4.0
+    image: malcolmnetsec/zeek:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -369,7 +369,7 @@ services:
       retries: 3
       start_period: 60s
   file-monitor:
-    image: malcolmnetsec/file-monitor:2.4.0
+    image: malcolmnetsec/file-monitor:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -390,7 +390,7 @@ services:
       retries: 3
       start_period: 60s
   pcap-capture:
-    image: malcolmnetsec/pcap-capture:2.4.0
+    image: malcolmnetsec/pcap-capture:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -416,7 +416,7 @@ services:
       retries: 3
       start_period: 60s
   pcap-monitor:
-    image: malcolmnetsec/pcap-monitor:2.4.0
+    image: malcolmnetsec/pcap-monitor:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -439,7 +439,7 @@ services:
       retries: 3
       start_period: 90s
   upload:
-    image: malcolmnetsec/file-upload:2.4.0
+    image: malcolmnetsec/file-upload:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -465,7 +465,7 @@ services:
       retries: 3
       start_period: 60s
   htadmin:
-    image: malcolmnetsec/htadmin:2.4.0
+    image: malcolmnetsec/htadmin:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -487,7 +487,7 @@ services:
       retries: 3
       start_period: 60s
   freq:
-    image: malcolmnetsec/freq:2.4.0
+    image: malcolmnetsec/freq:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -505,7 +505,7 @@ services:
       retries: 3
       start_period: 60s
   name-map-ui:
-    image: malcolmnetsec/name-map-ui:2.4.0
+    image: malcolmnetsec/name-map-ui:2.4.1
     restart: "no"
     stdin_open: false
     tty: true
@@ -526,7 +526,7 @@ services:
       retries: 3
       start_period: 60s
   nginx-proxy:
-    image: malcolmnetsec/nginx-proxy:2.4.0
+    image: malcolmnetsec/nginx-proxy:2.4.1
     restart: "no"
     stdin_open: false
     tty: true