Malcolm Contributor Guide

The purpose of this document is to provide some direction for those willing to modify Malcolm, whether for local customization or for contribution to the Malcolm project.

It is recommended before reviewing this guide to read the documentation on custom rules and scripts, which outlines customizations that can be made to the behavior of Suricata, Zeek, and YARA.

• Local modifications
  • Volume bind mounts
  • Building Malcolm’s images
• Adding a new service (image)
  • Networking and firewall
• Adding new log fields
• Zeek
  • local.zeek
  • Adding a new Zeek package
  • Zeek Intelligence Framework
• PCAP processors
• Logstash
  • Parsing a new log data source
  • Parsing new Zeek logs
  • Enrichments
  • Logstash plugins
• OpenSearch Dashboards
  • Adding new visualizations and dashboards
  • OpenSearch Dashboards plugins
• Carved file scanners
• Style
• Using GitHub runners to build Malcolm images
• Preparing a Malcolm Release