added Malcolm

Vagrant/resources/malcolm/moloch/etc/user_settings.json

@@ -0,0 +1,69 @@
+{
+  "doc": {
+    "enabled": true,
+    "createEnabled": true,
+    "webEnabled": true,
+    "headerAuthEnabled": true,
+    "emailSearch": true,
+    "removeEnabled": true,
+    "packetSearch": true,
+    "hideStats": false,
+    "hideFiles": false,
+    "hidePcap": false,
+    "disablePcapDownload": false,
+    "settings": {
+      "timezone": "local",
+      "detailFormat": "last",
+      "showTimestamps": "last",
+      "sortColumn": "start",
+      "sortDirection": "desc",
+      "spiGraph": "protocol",
+      "connSrcField": "srcIp",
+      "connDstField": "dstIp",
+      "numPackets": "last",
+      "theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF",
+      "manualQuery": false
+    },
+    "views": {
+      "Public IP Addresses": {
+        "expression": "(country.dst == EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24  && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! && ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24  && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)"
+      },
+      "PCAP Files": {
+        "expression": "zeek.logType != EXISTS!"
+      },
+      "Zeek Logs": {
+        "expression": "zeek.logType == EXISTS!"
+      },
+      "Zeek conn.log": {
+        "expression": "zeek.logType == conn"
+      },
+      "Zeek Exclude conn.log": {
+        "expression": "zeek.logType == EXISTS! && zeek.logType != conn"
+      }
+    },
+    "tableStates": {
+      "sessionsNew": {
+        "order": [
+          [
+            "firstPacket",
+            "desc"
+          ]
+        ],
+        "visibleHeaders": [
+          "protocol",
+          "zeek.logType",
+          "firstPacket",
+          "lastPacket",
+          "src",
+          "srcPort",
+          "dst",
+          "dstPort",
+          "totPackets",
+          "dbby",
+          "tags",
+          "info"
+        ]
+      }
+    }
+  }
+}

Vagrant/resources/malcolm/moloch/etc/wise.ini

@@ -0,0 +1,16 @@
+# Arkime WISE data source config file
+# See also https://github.com/arkime/arkime/wiki/WISE
+#          https://github.com/arkime/arkime/blob/master/release/wise.ini.sample
+#
+
+[wiseService]
+port = 8081
+excludeDomains=*.bl.barracudabrts.com;*.zen.spamhaus.org;*.in-addr.arpa;*.avts.mcafee.com;*.avqs.mcafee.com;*.bl.barracuda.com;*.lbl8.mailshell.net;*.dnsbl.sorbs.net;*.s.sophosxl.net;*.metric.gstatic.com;*.ip6.arpa
+
+[zeeklogs]
+key=
+
+[right-click]
+VTIP=url:https://www.virustotal.com/en/ip-address/%TEXT%/information/;name:Virus Total IP;category:ip
+VTHOST=url:https://www.virustotal.com/en/domain/%HOST%/information/;name:Virus Total Host;category:host
+VTURL=url:https://www.virustotal.com/latest-scan/%URL%;name:Virus Total URL;category:url