on 02-03-201601:59 AM - edited on 05-22-202008:33 AM by Retired Member
As explained in this article, you can think of a prototype as a node template that can be instantiated inside the MineMeld engine config to define a new node.
In the default MineMeld installation, prototypes are stored inside prototypes libraries located in 2 different directories:
- /opt/minemeld/prototypes/current contains the standard prototypes libraries. These are automatically updated by the MineMeld auto update mechanism.
- /opt/minemeld/local/prototypes contains local prototypes libraries. This is the directory you want to put your own prototypes.
A prototype library is a YAML file with the following structure (from dshield.yml library):
# library author, optional author: lmori # URL with more details, optional url: https://www.dshield.org/xml.html # library description, recommended description: > The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.
# list of prototypes, mandatory prototypes: # prototype name, mandatory. Should be unique inside the library block: # development status, recommended development_status: STABLE # node type, recommended node_type: miner # description of the prototype, recommended description: suggested block list # node class, mandatory class: minemeld.ft.http.HttpFT # node config, recommended config: [...]
Inside the MineMeld Engine Config
Inside the MineMeld engine config file prototypes are used inside the node definition. You can check the running config file /opt/minemeld/local/config/running-config.yml for an example:
nodes: # ... more nodes here dshield_blocklist: output: true prototype: dshield.block # ... nore nodes here
A prototype is referenced as <library name>.<prototype name>.
Customizing a Prototype
The easiest way to customize a prototype is creating your own local version of the prototype and then use it inside the config.
As an example we will create a local version of the malwaredomainlist.ip prototype to raise the confidence of the indicators.
1. Copy the library to the local prototype directory
Copy the original library to a new library with a new unique global name in the local prototype directory