cisagov / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://cisagov.github.io/Malcolm/

"policy manager" for Malcolm and Hedgehog Linux (meta-issue) #396

Open mmguero opened 3 days ago

mmguero commented 3 days ago

@mmguero cloned issue idaholab/Malcolm#477 on 2024-05-15:

This needs to be broken down into multiple sub-tasks, but we'll keep the high-level ideas here.

Users have requested a way to "manage sensors and rules" from Malcolm. What this has entailed in discussions is:

  • Being able to enable/disable/add/remove "rules" for Malcolm. This might include

    • Suricata rules

    • YARA rules

    • Arkime rules

    • Custom Zeek intel files

    • configuration? or anything else listed here?

  • There are other "subscriptions" that we can manage today (for example, external Suricata rule sources, Zeek intel feeds, etc.); do we want to have those lists be part of "policy" as well?

  • management of "rule sets" for the above

  • API calls to manage the above

  • the ability for Hedgehog Linux sensors to use the rules/rulesets above

  • a user interface for said policy (this is way further down the line, last priority after everything else is working)

I'm going to create a "policy" label to assign to issues associated with this one.

mmguero commented 3 days ago

@mmguero commented on 2024-08-27:

see also #430 which may be related, as well as #221