Creating a custom library
While we strongly encourage you to contribute to DFIR-OGRE by submitting new plugins, we recognize that some plugins may need to remain private.
A custom library makes sense if you need to create custom Python parsers that you don’t want to share.
This guide describes how to create a separate project to develop a private plugin library.
Check Prerequisites
| Item | Minimum version |
|---|---|
| Python | 3.10 or newer |
| git | any recent version |
| uv | ≥ 0.4 (installable with pip) |
Initialize project
```shell
uv init --package my-secret-plugins
cd my-secret-plugins
# add the dfir-ogre-common dependency
uv add "dfir-ogre-common @ git+ssh://git@github.com/ANSSI-FR/dfir-ogre-common.git"
# create the folder that will contain the XML descriptors
# (same layout as the one defined in dfir-ogre-plugin-windows)
mkdir configuration
# create the same tests folder as the one defined in dfir-ogre-plugin-windows
mkdir tests
# install ogre to be able to test your plugins
git clone git@github.com:ANSSI-FR/dfir-ogre.git
uv pip install ./dfir-ogre
```
The installation takes some time because it compiles some Rust and C code.
After this step the layout should look like this (the `configuration/`, `tests/` and `dfir-ogre/` folders are the ones created by the commands above):
- configuration/
- tests/
- dfir-ogre/
- __init__.py (inside the package folder created by `uv init --package`)
- .gitignore
- README.md
- pyproject.toml
- uv.lock
Create a test plugin
In the configuration folder, create your first plugin descriptor, configuration/dummy_plugin.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<plugin parser="Merge" file_encoding="UTF_8">
  <mapping data_type="dummy" />
</plugin>
```
This plugin will use the Python Merge parser to read a UTF-8 file and merge every line into a single artefact of the dummy data type.
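Descriptors are hand-written XML, so a typo in an attribute only surfaces when dfir-ogre fails to load the plugin. The script below is an added example (not part of DFIR-OGRE or dfir-ogre-common): it checks the descriptor shape shown above, i.e. a `<plugin>` root with `parser` and `file_encoding` attributes and at least one `<mapping>` child with a `data_type`. The attribute names come from dummy_plugin.xml; the sample descriptors are constructed here, and the check that `file_encoding` is a codec name Python knows is an assumption about what the tool expects.

```python
"""Sanity-check DFIR-OGRE plugin descriptors before running them.

Added example, not project code. It only knows the attributes that
appear in dummy_plugin.xml (parser, file_encoding, data_type); the
requirement that file_encoding be a Python codec name is an assumption.
"""
import codecs
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample descriptors: the one from the guide, plus two broken ones.
GOOD_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<plugin parser="Merge" file_encoding="UTF_8">
  <mapping data_type="dummy" />
</plugin>
"""

BAD_ENCODING = """<?xml version="1.0" encoding="UTF-8"?>
<plugin parser="Merge" file_encoding="UTF_9">
  <mapping data_type="dummy" />
</plugin>
"""

NO_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<plugin parser="Merge" file_encoding="UTF_8" />
"""


def validate_descriptor(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the descriptor looks sane."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != "plugin":
        return [f"root element must be <plugin>, found <{root.tag}>"]

    if not root.get("parser"):
        problems.append("<plugin> is missing the 'parser' attribute")

    encoding = root.get("file_encoding")
    if not encoding:
        problems.append("<plugin> is missing the 'file_encoding' attribute")
    else:
        try:
            # codecs normalises case and underscores, so UTF_8 resolves to utf-8
            codecs.lookup(encoding)
        except LookupError:
            problems.append(f"unknown file_encoding {encoding!r}")

    mappings = root.findall("mapping")
    if not mappings:
        problems.append("<plugin> has no <mapping> child")
    for mapping in mappings:
        if not mapping.get("data_type"):
            problems.append("<mapping> is missing the 'data_type' attribute")

    return problems


def validate_folder(folder: Path) -> dict[str, list[str]]:
    """Validate every *.xml descriptor in a configuration folder, keyed by file name."""
    return {
        path.name: validate_descriptor(path.read_text(encoding="utf-8"))
        for path in sorted(folder.glob("*.xml"))
    }


if __name__ == "__main__":
    samples = [("good", GOOD_DESCRIPTOR), ("bad_encoding", BAD_ENCODING), ("no_mapping", NO_MAPPING)]
    for name, text in samples:
        print(name, validate_descriptor(text) or "OK")
    # Run on the real folder once it exists: validate_folder(Path("configuration"))
```

Running it on the three constructed samples reports the guide's descriptor as OK, flags `UTF_9` as an unknown encoding, and flags the descriptor without a `<mapping>` child; `validate_folder` applies the same check to every `.xml` file in `configuration/`.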
Test the plugin
Find a text file you want to merge and run the following command:
```shell
dfir-ogre plugin \
  --filename my_text_file.txt \
  --plugin_config configuration/dummy_plugin.xml \
  --computer_name SAMPLE_HOST \
  --output_folder output/
```
It should create a new file in the output/ folder.
Congratulations! You have created your first plugin!