As explained in this article, you can think of a prototype as a node template that can be instantiated inside the MineMeld engine config to define a new node.
In the default MineMeld installation, prototypes are stored inside prototypes libraries located in 2 different directories:
- /opt/minemeld/prototypes/current contains the standard prototypes libraries. These are automatically updated by the MineMeld auto update mechanism.
- /opt/minemeld/local/prototypes contains local prototypes libraries. This is the directory you want to put your own prototypes.
A prototype library is a YAML file with the following structure (from dshield.yml library):
# library author, optional
# URL with more details, optional
# library description, recommended
The ISC uses the DShield distributed intrusion detection system for
data collection and analysis. DShield collects data about malicious
activity from across the Internet. This data is cataloged and summarized
and can be used to discover trends in activity, confirm widespread
attacks, or assist in preparing better firewall rules.
# list of prototypes, mandatory
# prototype name, mandatory. Should be unique inside the library
# development status, recommended
# node type, recommended
# description of the prototype, recommended
description: suggested block list
# node class, mandatory
# node config, recommended
Inside the MineMeld engine config file prototypes are used inside the node definition. You can check the running config file /opt/minemeld/local/config/running-config.yml for an example:
# ... more nodes here
# ... nore nodes here
A prototype is referenced as <library name>.<prototype name>.
The easiest way to customize a prototype is creating your own local version of the prototype and then use it inside the config.
As an example we will create a local version of the malwaredomainlist.ip prototype to raise the confidence of the indicators.
Copy the original library to a new library with a new unique global name in the local prototype directory
$ sudo -u minemeld cp /opt/minemeld/prototypes/current/malwaredomainlist
.yml /opt/minemeld/local/prototypes/myownmalwaredomainl ist.yml
And override the confidence attribute (and optionally description):
description: Local version of Malware Domain List library.
description: list of active ip addresses
You may need to reload the UI in the browser to load the new prototype, there is no need to restart the engine or the web frontend.