YAML Plugins
YAML plugins make it easy to rapidly deploy new plugins. YAML plugins are defined in the /etc/efetch_plugins.yml file, and Efetch automatically detects any changes to that file. Note that these plugins require caching the file, since the command runs against the cached copy.

The only required fields for a plugin are the name and the command. Below is a basic example:
```yaml
clamscan:
  name: Clam Scan
  command: "clamscan '{{ file_cache_path }}'"
```
Adding this to the plugins file adds a new CLAM SCAN option to the analyze view of all files.

There are two ways to limit the file types a plugin is offered for: by mimetypes or by extensions. Below is an example of a PDFTOTEXT plugin that is only visible in the analyze view for files with a .pdf extension:
```yaml
pdftotext:
  name: pdftotext
  extensions: [ 'pdf' ]
  command: "pdftotext '{{ file_cache_path }}' -"
```
However, a better option is to limit it by mimetypes, in case a PDF has a different extension:
```yaml
pdftotext:
  name: pdftotext
  mimetypes: [ 'application/pdf' ]
  command: "pdftotext '{{ file_cache_path }}' -"
```
The file option returns a file instead of the output of the command. Below is an example of a PDF OCR plugin that returns a new PDF in which the text can be searched:
```yaml
pdfocr:
  name: PDF OCR
  mimetypes: [ 'application/pdf' ]
  command: "pypdfocr '{{ file_cache_path }}'"
  file: "{{ file_cache_dir }}*_ocr.pdf"
```
The icon option sets the icon displayed in the analyze view. The icons come from Font Awesome. Below is the CLAM SCAN plugin with a bug icon:
```yaml
clamscan:
  name: Clam Scan
  icon: fa-bug
  command: "clamscan '{{ file_cache_path }}'"
```
The popularity option sets the ordering of the plugins. The popularity should be a number from 1 to 10; the default value is 5. The default should generally be used, but if you want to move a plugin up or down in the list, simply increase or decrease the value.

Below are some examples that can be easily added to your efetch plugins file. If you would like to share your plugins, post them on the YAML plugin issue page or tweet them to @maurermj08 (seriously, how many other tools can say that?).
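Because every option above is free-form YAML, the mistakes this format invites are a missing name or command, a mistyped field, a popularity outside 1-10, and a placeholder left outside single quotes (a cache path containing a space then splits into several shell words). The following linter is an added example, not part of efetch: it assumes the plugin file has already been loaded with yaml.safe_load into a dict, treats the fields and placeholders listed on this page as the full set, and runs over three constructed entries (a clean pdftotext, a readpst-style entry with two unquoted placeholders, and a deliberately malformed one).

```python
import re

# Fields and template placeholders documented on this page; anything else is
# reported as a probable typo (assumption, not an efetch rule).
KNOWN_FIELDS = {"name", "command", "extensions", "mimetypes", "file", "icon",
                "popularity", "os", "store", "openwith", "cache"}
KNOWN_PLACEHOLDERS = {"file_cache_path", "file_cache_dir"}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
SINGLE_QUOTED = re.compile(r"'[^']*'")

def unquoted_placeholders(command):
    """Placeholders outside any single-quoted region: a cache path with a
    space or shell metacharacter splits into several words there."""
    quoted = [m.span() for m in SINGLE_QUOTED.finditer(command)]
    return [m.group(1) for m in PLACEHOLDER.finditer(command)
            if not any(s <= m.start() and m.end() <= e for s, e in quoted)]

def lint_plugin(key, spec):
    """Return a list of problems for one plugin entry (empty if clean)."""
    problems = []
    for field in ("name", "command"):
        if field not in spec:
            problems.append(f"{key}: missing required field '{field}'")
    for field in spec:
        if field not in KNOWN_FIELDS:
            problems.append(f"{key}: unknown field '{field}'")
    popularity = spec.get("popularity", 5)
    if not isinstance(popularity, int) or not 1 <= popularity <= 10:
        problems.append(f"{key}: popularity must be 1-10, got {popularity!r}")
    command = spec.get("command", "")
    for name in PLACEHOLDER.findall(command):
        if name not in KNOWN_PLACEHOLDERS:
            problems.append(f"{key}: unknown placeholder {{{{ {name} }}}}")
    for name in unquoted_placeholders(command):
        problems.append(f"{key}: {{{{ {name} }}}} is not single-quoted")
    return problems

def lint_plugins(plugins):
    # Lint the whole top-level mapping loaded from efetch_plugins.yml.
    return [p for key, spec in plugins.items() for p in lint_plugin(key, spec)]

# Constructed sample, in the parsed form yaml.safe_load would produce:
# pdftotext is clean, readpst leaves two placeholders unquoted, broken is bad.
SAMPLE_PLUGINS = {
    "pdftotext": {"name": "pdftotext", "mimetypes": ["application/pdf"],
                  "command": "pdftotext '{{ file_cache_path }}' -"},
    "readpst": {"name": "Read PST", "extensions": ["pst"],
                "command": "mkdir {{ file_cache_path }}_readpst; readpst -o "
                           "'{{ file_cache_path }}_readpst' {{ file_cache_path }}"},
    "broken": {"name": "Broken", "popularity": 12, "mimetype": ["application/pdf"]},
}
```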
STRINGS: Runs the bash strings command on a file

```yaml
strings:
  name: String
  icon: fa-file-text
  os: [ 'linux' ]
  store: 'strings_bash'
  command: "strings '{{ file_cache_path }}'"
```

HEXDUMPC: Runs hexdump -C on a file

```yaml
hexdumpc:
  name: "hexdump -c"
  icon: fa-file-code-o
  os: [ 'linux' ]
  command: "hexdump -C '{{ file_cache_path }}'"
```

FILE: Runs file -b on a file

```yaml
file:
  name: File
  os: [ 'linux' ]
  store: 'file_bash'
  command: "file -b '{{ file_cache_path }}'"
```

CLAMSCAN: Runs a ClamAV scan against the file and returns the results. REQUIRES: clamav

```yaml
clamscan:
  name: Clam Scan
  icon: fa-bug
  os: [ 'linux' ]
  command: "clamscan '{{ file_cache_path }}'"
```

CACHE GZ: Extracts a GZip file's contents to the cache folder and opens that folder with the directory plugin

```yaml
gunzip:
  name: Cache GZ
  popularity: 4
  icon: fa-file-archive-o
  os: [ 'linux' ]
  mimetypes: [ 'application/gzip' ]
  command: "gunzip -fkc '{{ file_cache_path }}' > '{{ file_cache_path }}_gunzip'"
  file: "{{ file_cache_path }}_gunzip"
  openwith: directory
```

CLEAN JSON: Displays a file containing JSON in pretty format

```yaml
cleanjson:
  name: Clean JSON
  icon: fa-file-text-o
  os: [ 'linux' ]
  extensions: [ 'json' ]
  command: "cat '{{ file_cache_path }}' | python -m json.tool"
```

CORE.XML: Prints the core.xml file in Office 2007 files. REQUIRES: xmllint

```yaml
corexml:
  name: Core.xml
  icon: fa-file-code-o
  os: [ 'linux' ]
  extensions: [ 'pptx', 'xlsx', 'docx' ]
  command: "unzip -qc '{{ file_cache_path }}' docProps/core.xml | xmllint --format -"
```

PDFTOTEXT: Prints all machine-encoded text in a PDF. REQUIRES: pdftotext

```yaml
pdftotext:
  name: pdftotext
  icon: fa-file-pdf-o
  os: [ 'linux' ]
  mimetypes: [ 'application/pdf' ]
  command: "pdftotext '{{ file_cache_path }}' -"
```

PDFOCR: Returns a new PDF with searchable text. REQUIRES: pypdfocr

```yaml
pdfocr:
  name: PDF OCR
  icon: fa-file-pdf-o
  cache: True
  popularity: 4
  os: [ 'linux' ]
  mimetypes: [ 'application/pdf' ]
  command: "pypdfocr '{{ file_cache_path }}'"
  file: "{{ file_cache_dir }}*_ocr.pdf"
```

READ PST: Extracts all messages and attachments to the cache and displays them using the directory plugin. REQUIRES: readpst. NOTE: This plugin is useful because it will display attachments, unlike the fa_pst plugin. (The cache path is single-quoted in every argument so that paths containing spaces are passed as one word.)

```yaml
readpst:
  name: Read PST
  icon: fa-envelope
  popularity: 4
  os: [ 'linux' ]
  extensions: [ 'pst' ]
  command: "mkdir '{{ file_cache_path }}_readpst'; readpst -w -D -S -o '{{ file_cache_path }}_readpst' '{{ file_cache_path }}'"
  file: "{{ file_cache_path }}_readpst"
  openwith: directory
```

CLEAN XML: Cleanly formats an XML file, ignoring errors. REQUIRES: xmllint

```yaml
cleanxml:
  name: Clean XML
  icon: fa-file-code-o
  os: [ 'linux' ]
  mimetypes: [ 'application/xml' ]
  command: "cat '{{ file_cache_path }}' | xmllint --format --recover -"
```

ZIP LIST: Displays a simple list of all the files in a zip file

```yaml
ziplist:
  name: ZIP List
  icon: fa-archive
  os: [ 'linux' ]
  mimetypes: [ 'application/zip' ]
  command: "unzip -l '{{ file_cache_path }}'"
```

UNZIP: Extracts a zip file's contents to the cache and displays the results using the directory plugin. NOTE: This plugin is useful because it works on corrupt or improperly formatted zip files, unlike the directory plugin.

```yaml
unzip:
  name: Cache Unzip
  popularity: 4
  icon: fa-file-archive-o
  os: [ 'linux' ]
  mimetypes: [ 'application/zip' ]
  command: "unzip -u '{{ file_cache_path }}' -d '{{ file_cache_path }}_unzip'"
  file: "{{ file_cache_path }}_unzip"
  openwith: directory
```