Writing Sarlacc Plugins
Since releasing Sarlacc it has received a lot more attention than I expected. It is still in its infancy, and even though I work on it as much as I can, I haven’t written any real documentation for it (besides python docstrings). Because of this I figured I’d write a little tutorial on writing a Sarlacc plugin.
Sarlacc will load any python files found in the smtpd/src/plugins directory as a python module that extends the SarlaccPlugin class, defined here: https://github.com/scrapbird/sarlacc/blob/master/smtpd/src/plugins/plugin.py.
You can also write your plugin as a python module in its own directory, as we will do today. This means that all we need to do is drop our plugin into the correct directory and restart Sarlacc, and it will be running.
We will be writing a plugin to upload any previously unseen email attachments to Malshare.
Okay, so first things first: let’s create a directory for our plugin and create the
Next let’s extend the SarlaccPlugin class inside the
We are overriding the new_attachment method from the base SarlaccPlugin class here so that our plugin will get notified whenever a previously unseen attachment is detected. This method will pass in any data you will need about the attachment, including the raw file data, filename etc. To see which other methods are available to notify our plugins of events, see the plugin.py docstrings.
The Malshare API requires an API key, so we will create a config file and load the key from there. Create a file in your plugin directory named malshare.cfg with the following contents (replacing API_KEY with your API key):
Now we need to read this config in our plugin. Let’s add some code to do this; modify your plugin code to look like the following:
The last thing left to do is to actually upload the sample:
And there you have it, our plugin will upload any new attachments to Malshare.
Keep in mind that, as python is single threaded, this will pause the execution of Sarlacc while the upload is happening. For large files this is not a good idea under heavy load, because execution will pause for a few seconds for each new attachment. To combat this we could use an HTTP client that makes proper use of asyncio; this plugin is mostly meant to be used as an example.
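The stall described above can be measured. The following is an added example, not code from this post or from Sarlacc: BlockingPlugin and OffloadingPlugin are hypothetical stand-ins with a simplified new_attachment signature, blocking_upload simulates a synchronous HTTP upload with a sleep, and the fix shown moves the blocking call to a worker thread with run_in_executor rather than swapping in an asyncio HTTP client. It assumes the plugin handler is a coroutine running on the server's event loop.

```python
import asyncio
import time

def blocking_upload(content):
    """Constructed stand-in for a synchronous HTTP upload (no network I/O)."""
    time.sleep(0.3)  # simulated upload latency
    return len(content)

class BlockingPlugin:
    """Hypothetical plugin: calls the blocking upload directly in the handler."""
    async def new_attachment(self, content):
        # Nothing here yields to the event loop, so all other mail
        # handling is frozen until the upload returns.
        return blocking_upload(content)

class OffloadingPlugin:
    """Hypothetical plugin: hands the blocking upload to a worker thread."""
    async def new_attachment(self, content):
        loop = asyncio.get_running_loop()
        # The await suspends this handler and lets the loop serve other work.
        return await loop.run_in_executor(None, blocking_upload, content)

async def heartbeat(counter, interval=0.02):
    """Represents other work the server should be doing during an upload."""
    while True:
        await asyncio.sleep(interval)
        counter[0] += 1

async def ticks_during_upload(plugin):
    counter = [0]
    task = asyncio.create_task(heartbeat(counter))
    await asyncio.sleep(0)  # let the heartbeat task start
    await plugin.new_attachment(b"constructed sample attachment bytes")
    ticks = counter[0]  # heartbeats that ran while the upload was in flight
    task.cancel()
    return ticks

def measure(plugin):
    """Return how many heartbeats the loop managed during one upload."""
    return asyncio.run(ticks_during_upload(plugin))

if __name__ == "__main__":
    print("blocking handler, heartbeats during upload:", measure(BlockingPlugin()))
    print("offloaded handler, heartbeats during upload:", measure(OffloadingPlugin()))
```

A heartbeat count of zero for the blocking handler means no other connection was serviced for the whole upload, which is the behaviour to watch for when a honeypot receives attachments in bulk.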
Full code for this plugin is available on github: https://github.com/scrapbird/sarlacc-malshare.