Plugin Development
This page provides a simple overview of the steps necessary for plugin development. We recommend using a virtual environment for all development activities.
Clone the Threat Bus project, set up a virtual env, and install threatbus and some plugins in development mode:
Configuration & Extension
A plugin must define a setup.py. Whenever a plugin is installed, you have to add a corresponding configuration section to threatbus' config.yaml. That section has to be named after the name in the entry-point declaration of the plugin's setup.py file.
Please adhere to the plugin naming conventions proposed by pluggy and always prefix your plugin name with threatbus-.
Plugins can either be apps or backbones. Application plugins add new functionality to threatbus and allow communication with a threat-intelligence-enabled app (e.g., Zeek or Suricata). Backbone plugins add a new storage and distribution backend to threatbus (e.g., in-memory or Kafka).
Consider the following example setup:
- Plugin folder structure:
- The setup.py file for a new plugin callmyapp
- The corresponding config.yaml entry for the new plugin
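The naming rule described above (the config.yaml section is named after the entry-point name, not after the distribution) can be checked mechanically before starting threatbus. The following is an added example, not code from the Threat Bus project. The entry-point group names threatbus.app and threatbus.backbone, the plugins.apps / plugins.backbones config layout, and the plugin name myapp are assumptions, and the sample data is constructed.

```python
# Assumed (not confirmed by this page): entry-point groups and the config
# sections they map to. Adjust to match the real setup.py and config.yaml.
GROUPS = {"threatbus.app": "apps", "threatbus.backbone": "backbones"}
PREFIX = "threatbus-"  # prefix required by the naming convention


def entry_point_names(entry_points):
    """Map config kind ('apps' / 'backbones') to the set of entry-point names."""
    names = {kind: set() for kind in GROUPS.values()}
    for group, specs in entry_points.items():
        if group not in GROUPS:
            continue  # unrelated entry-point group, e.g. console_scripts
        for spec in specs:
            # setuptools form: "name = package.module"
            name, _, target = spec.partition("=")
            if not target.strip():
                raise ValueError(f"malformed entry point: {spec!r}")
            names[GROUPS[group]].add(name.strip())
    return names


def check_plugin(dist_name, entry_points, config):
    """Return a list of problems; an empty list means setup and config agree."""
    problems = []
    # Assumption: the prefix rule is applied to the distribution name.
    if not dist_name.startswith(PREFIX):
        problems.append(f"distribution {dist_name!r} lacks the {PREFIX!r} prefix")
    plugins = config.get("plugins") or {}
    for kind, names in entry_point_names(entry_points).items():
        sections = plugins.get(kind) or {}
        for name in sorted(names):
            if name not in sections:
                problems.append(f"config.yaml has no plugins.{kind}.{name} section")
    return problems


# Constructed sample data: setup.py entry_points and parsed config.yaml contents.
EP = {"threatbus.app": ["myapp = threatbus_myapp.plugin"]}
CONFIG_OK = {"plugins": {"apps": {"myapp": {"host": "127.0.0.1"}},
                         "backbones": {"inmem": None}}}
# Common mistake: section named after the distribution, not the entry point.
CONFIG_WRONG = {"plugins": {"apps": {"threatbus-myapp": {"host": "127.0.0.1"}}}}

if __name__ == "__main__":
    for label, cfg in (("ok", CONFIG_OK), ("wrong", CONFIG_WRONG)):
        print(label, check_plugin("threatbus-myapp", EP, cfg))
```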
Implementation Specs
Plugin specifications are defined in the threatbus/appspecs.py and threatbus/backbonespecs.py files, respectively. For any plugin, you should at least implement the run function.