cisagov · mmguero · Jan 31, 2022 · Jan 25, 2022 · Jan 26, 2022 · Jan 26, 2022
diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile
@@ -4,7 +4,7 @@ FROM debian:bullseye-slim AS build
 
 ENV DEBIAN_FRONTEND noninteractive
 
-ENV ARKIME_VERSION "3.3.0"
+ENV ARKIME_VERSION "3.3.1"
 ENV ARKIMEDIR "/opt/arkime"
 ENV ARKIME_URL "https://github.com/arkime/arkime.git"
 ENV ARKIME_LOCALELASTICSEARCH no

diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
@@ -66,6 +66,7 @@ ADD dashboards/malcolm_template.json /data/malcolm_template.json
 ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
 ADD shared/bin/opensearch_status.sh /data/
 ADD shared/bin/opensearch_index_size_prune.py /data/
+ADD shared/bin/opensearch_read_only.py /data/
 
 RUN apk --no-cache add bash python3 py3-pip curl procps psmisc npm shadow jq && \
     npm install -g http-server && \

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
@@ -25,7 +25,7 @@ ENV PUSER_PRIV_DROP true
 
 # for download and install
 ARG ZEEK_LTS=
-ARG ZEEK_VERSION=4.1.1-0
+ARG ZEEK_VERSION=4.2.0-0
 ARG SPICY_VERSION=1.3.0
 
 ENV ZEEK_LTS $ZEEK_LTS

diff --git a/README.md b/README.md
@@ -172,22 +172,22 @@ You can then observe that the images have been retrieved by running `docker imag
 ```
 $ docker images
 REPOSITORY                                                     TAG             IMAGE ID       CREATED      SIZE
-malcolmnetsec/api                                              5.2.2           xxxxxxxxxxxx   2 days ago   155MB
-malcolmnetsec/arkime                                           5.2.2           xxxxxxxxxxxx   2 days ago   811MB
-malcolmnetsec/dashboards                                       5.2.2           xxxxxxxxxxxx   2 days ago   970MB
-malcolmnetsec/dashboards-helper                                5.2.2           xxxxxxxxxxxx   2 days ago   154MB
-malcolmnetsec/filebeat-oss                                     5.2.2           xxxxxxxxxxxx   2 days ago   621MB
-malcolmnetsec/file-monitor                                     5.2.2           xxxxxxxxxxxx   2 days ago   586MB
-malcolmnetsec/file-upload                                      5.2.2           xxxxxxxxxxxx   2 days ago   259MB
-malcolmnetsec/freq                                             5.2.2           xxxxxxxxxxxx   2 days ago   132MB
-malcolmnetsec/htadmin                                          5.2.2           xxxxxxxxxxxx   2 days ago   242MB
-malcolmnetsec/logstash-oss                                     5.2.2           xxxxxxxxxxxx   2 days ago   1.27GB
-malcolmnetsec/name-map-ui                                      5.2.2           xxxxxxxxxxxx   2 days ago   142MB
-malcolmnetsec/nginx-proxy                                      5.2.2           xxxxxxxxxxxx   2 days ago   117MB
-malcolmnetsec/opensearch                                       5.2.2           xxxxxxxxxxxx   2 days ago   1.18GB
-malcolmnetsec/pcap-capture                                     5.2.2           xxxxxxxxxxxx   2 days ago   122MB
-malcolmnetsec/pcap-monitor                                     5.2.2           xxxxxxxxxxxx   2 days ago   214MB
-malcolmnetsec/zeek                                             5.2.2           xxxxxxxxxxxx   2 days ago   938MB
+malcolmnetsec/api                                              5.2.3           xxxxxxxxxxxx   2 days ago   155MB
+malcolmnetsec/arkime                                           5.2.3           xxxxxxxxxxxx   2 days ago   811MB
+malcolmnetsec/dashboards                                       5.2.3           xxxxxxxxxxxx   2 days ago   970MB
+malcolmnetsec/dashboards-helper                                5.2.3           xxxxxxxxxxxx   2 days ago   154MB
+malcolmnetsec/filebeat-oss                                     5.2.3           xxxxxxxxxxxx   2 days ago   621MB
+malcolmnetsec/file-monitor                                     5.2.3           xxxxxxxxxxxx   2 days ago   586MB
+malcolmnetsec/file-upload                                      5.2.3           xxxxxxxxxxxx   2 days ago   259MB
+malcolmnetsec/freq                                             5.2.3           xxxxxxxxxxxx   2 days ago   132MB
+malcolmnetsec/htadmin                                          5.2.3           xxxxxxxxxxxx   2 days ago   242MB
+malcolmnetsec/logstash-oss                                     5.2.3           xxxxxxxxxxxx   2 days ago   1.27GB
+malcolmnetsec/name-map-ui                                      5.2.3           xxxxxxxxxxxx   2 days ago   142MB
+malcolmnetsec/nginx-proxy                                      5.2.3           xxxxxxxxxxxx   2 days ago   117MB
+malcolmnetsec/opensearch                                       5.2.3           xxxxxxxxxxxx   2 days ago   1.18GB
+malcolmnetsec/pcap-capture                                     5.2.3           xxxxxxxxxxxx   2 days ago   122MB
+malcolmnetsec/pcap-monitor                                     5.2.3           xxxxxxxxxxxx   2 days ago   214MB
+malcolmnetsec/zeek                                             5.2.3           xxxxxxxxxxxx   2 days ago   938MB
 ```
 
 #### Import from pre-packaged tarballs
@@ -856,13 +856,23 @@ Run `./scripts/wipe` to stop the Malcolm instance and wipe its OpenSearch databa
 
 ### <a name="ReadOnlyUI"></a>Temporary read-only interface
 
-To temporarily set the Malcolm user interaces into a read-only configuration, run the following command from the Malcolm installation directory:
+To temporarily set the Malcolm user interaces into a read-only configuration, run the following commands from the Malcolm installation directory.
+
+First, to configure [Nginx] to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than `GET` and `POST`:
 
 ```
 docker-compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
 ```
 
-This command must be re-run every time you restart Malcolm.
+Second, to set the existing OpenSearch data store to read-only:
+
+```
+docker-compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster
+```
+
+These commands must be re-run every time you restart Malcolm.
+
+Note that after you run these commands you may see an increase of error messages in the Malcolm containers' output as various background processes will fail due to the read-only nature of the indices. Additionally, some features such as Arkime's [Hunt](#ArkimeHunt) and [building your own visualizations and dashboards](#BuildDashboard) in OpenSearch Dashboards will not function correctly in read-only mode.
 
 ## <a name="Upload"></a>Capture file and log archive upload
 
@@ -3270,7 +3280,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu
 
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-5.2.2.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-5.2.3.iso"
 …
 ```
 
@@ -3657,22 +3667,22 @@ Pulling zeek              ... done
 
 user@host:~/Malcolm$ docker images
 REPOSITORY                                                     TAG             IMAGE ID       CREATED      SIZE
-malcolmnetsec/api                                              5.2.2           xxxxxxxxxxxx   2 days ago   155MB
-malcolmnetsec/arkime                                           5.2.2           xxxxxxxxxxxx   2 days ago   811MB
-malcolmnetsec/dashboards                                       5.2.2           xxxxxxxxxxxx   2 days ago   970MB
-malcolmnetsec/dashboards-helper                                5.2.2           xxxxxxxxxxxx   2 days ago   154MB
-malcolmnetsec/filebeat-oss                                     5.2.2           xxxxxxxxxxxx   2 days ago   621MB
-malcolmnetsec/file-monitor                                     5.2.2           xxxxxxxxxxxx   2 days ago   586MB
-malcolmnetsec/file-upload                                      5.2.2           xxxxxxxxxxxx   2 days ago   259MB
-malcolmnetsec/freq                                             5.2.2           xxxxxxxxxxxx   2 days ago   132MB
-malcolmnetsec/htadmin                                          5.2.2           xxxxxxxxxxxx   2 days ago   242MB
-malcolmnetsec/logstash-oss                                     5.2.2           xxxxxxxxxxxx   2 days ago   1.27GB
-malcolmnetsec/name-map-ui                                      5.2.2           xxxxxxxxxxxx   2 days ago   142MB
-malcolmnetsec/nginx-proxy                                      5.2.2           xxxxxxxxxxxx   2 days ago   117MB
-malcolmnetsec/opensearch                                       5.2.2           xxxxxxxxxxxx   2 days ago   1.18GB
-malcolmnetsec/pcap-capture                                     5.2.2           xxxxxxxxxxxx   2 days ago   122MB
-malcolmnetsec/pcap-monitor                                     5.2.2           xxxxxxxxxxxx   2 days ago   214MB
-malcolmnetsec/zeek                                             5.2.2           xxxxxxxxxxxx   2 days ago   938MB
+malcolmnetsec/api                                              5.2.3           xxxxxxxxxxxx   2 days ago   155MB
+malcolmnetsec/arkime                                           5.2.3           xxxxxxxxxxxx   2 days ago   811MB
+malcolmnetsec/dashboards                                       5.2.3           xxxxxxxxxxxx   2 days ago   970MB
+malcolmnetsec/dashboards-helper                                5.2.3           xxxxxxxxxxxx   2 days ago   154MB
+malcolmnetsec/filebeat-oss                                     5.2.3           xxxxxxxxxxxx   2 days ago   621MB
+malcolmnetsec/file-monitor                                     5.2.3           xxxxxxxxxxxx   2 days ago   586MB
+malcolmnetsec/file-upload                                      5.2.3           xxxxxxxxxxxx   2 days ago   259MB
+malcolmnetsec/freq                                             5.2.3           xxxxxxxxxxxx   2 days ago   132MB
+malcolmnetsec/htadmin                                          5.2.3           xxxxxxxxxxxx   2 days ago   242MB
+malcolmnetsec/logstash-oss                                     5.2.3           xxxxxxxxxxxx   2 days ago   1.27GB
+malcolmnetsec/name-map-ui                                      5.2.3           xxxxxxxxxxxx   2 days ago   142MB
+malcolmnetsec/nginx-proxy                                      5.2.3           xxxxxxxxxxxx   2 days ago   117MB
+malcolmnetsec/opensearch                                       5.2.3           xxxxxxxxxxxx   2 days ago   1.18GB
+malcolmnetsec/pcap-capture                                     5.2.3           xxxxxxxxxxxx   2 days ago   122MB
+malcolmnetsec/pcap-monitor                                     5.2.3           xxxxxxxxxxxx   2 days ago   214MB
+malcolmnetsec/zeek                                             5.2.3           xxxxxxxxxxxx   2 days ago   938MB
 ```
 
 Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.

diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -422,6 +422,7 @@ zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;friendly:Sour
 zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;friendly:Analyzer;help:Analyzer
 zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;friendly:File Magic;help:File Magic
 zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;friendly:Filename;help:Filename
+zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;friendly:File Timestamp;help:File Timestamp
 zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;friendly:Analysis Duration;help:Analysis Duration
 zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;friendly:Local Originator;help:Local Originator
 zeek.files.is_orig=db:zeek.files.is_orig;group:zeek_files;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter
@@ -1377,7 +1378,7 @@ zeek_ecat_foe_info=require:zeek.ecat_foe_info;title:Zeek ecat_foe_info.log;field
 zeek_ecat_soe_info=require:zeek.ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek.ecat_soe_info.opcode,zeek.ecat_soe_info.incomplete,zeek.ecat_soe_info.error,zeek.ecat_soe_info.drive_num,zeek.ecat_soe_info.element,zeek.ecat_soe_info.index
 zeek_ecat_arp_info=require:zeek.ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek.ecat_arp_info.arp_type,zeek.ecat_arp_info.orig_proto_addr,zeek.ecat_arp_info.orig_hw_addr,zeek.ecat_arp_info.resp_proto_addr,zeek.ecat_arp_info.resp_hw_addr
 zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.enip_command_code,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
-zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.duration,zeek.files.local_orig,zeek.files.is_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size
+zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.ftime,zeek.files.duration,zeek.files.local_orig,zeek.files.is_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size
 zeek_ftp=require:zeek.ftp;title:Zeek ftp.log;fields:zeek.ftp.command,zeek.ftp.arg,zeek.ftp.mime_type,zeek.ftp.file_size,zeek.ftp.reply_code,zeek.ftp.reply_msg,zeek.ftp.data_channel_passive,zeek.ftp.data_channel_orig_h,zeek.ftp.data_channel_resp_h,zeek.ftp.data_channel_resp_p
 zeek_gquic=require:zeek.gquic;title:Zeek gquic.log;fields:zeek.gquic.version,zeek.gquic.server_name,zeek.gquic.user_agent,zeek.gquic.tag_count,zeek.gquic.cyu,zeek.gquic.cyutags
 zeek_http=require:zeek.http;title:Zeek http.log;fields:zeek.http.trans_depth,zeek.http.method,zeek.http.host,zeek.http.uri,zeek.http.origin,zeek.http.post_password_plain,zeek.http.post_username,zeek.http.referrer,zeek.http.version,zeek.http.user_agent,zeek.http.request_body_len,zeek.http.response_body_len,zeek.http.status_code,zeek.http.status_msg,zeek.http.info_code,zeek.http.info_msg,zeek.http.tags,zeek.http.proxied,zeek.http.orig_fuids,zeek.http.orig_filenames,zeek.http.orig_mime_types,zeek.http.resp_fuids,zeek.http.resp_filenames,zeek.http.resp_mime_types

diff --git a/arkime/patch/viewer_330_large_or_xor_packet_fix_f13e9366.patch b/arkime/patch/viewer_330_large_or_xor_packet_fix_f13e9366.patch
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -406,6 +406,7 @@ class MalcolmSource extends WISESource {
       "zeek.files.extracted_cutoff",
       "zeek.files.extracted_size",
       "zeek.files.filename",
+      "zeek.files.ftime",
       "zeek.files.is_orig",
       "zeek.files.local_orig",
       "zeek.files.md5",