Added support for TSK_RULE

6becccaf · Kelly Kelly · 09d0c6e5 · 6becccaf · 6becccaf · 6becccaf
Commit 6becccaf authored 4 years ago by Kelly Kelly
--- a/.gitignore
+++ b/.gitignore
@@ -99,3 +99,4 @@ hs_err_pid*.log
 /thirdparty/yara/YaraJNIWrapper/dist/
 /thirdparty/yara/YaraJNIWrapper/build/
 /thirdparty/yara/YaraJNIWrapper/nbproject/private/
+thirdparty/yara/yarabridge/.vs/
--- a/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
@@ -23,6 +23,8 @@
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.BlackboardArtifact;
 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_HIT;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
 import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.TskCoreException;

@@ -136,8 +138,8 @@ private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile
            BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT);
            List<BlackboardAttribute> attributes = new ArrayList<>();

-            attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, ruleSetName));
-            attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, MODULE_NAME, rule));
+            attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
+            attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));

            artifact.addAttributes(attributes);
            artifacts.add(artifact);

--- a/thirdparty/yara/ReadMe.txt
+++ b/thirdparty/yara/ReadMe.txt
 This folder contains the projects you need for building and testing the yarabridge.dll and YaraJNIWrapper.jar.

 bin:
-Contains the built dll and jar.
+Contains the built jar and jarac64.exe.  jarac64.exe is used to by the ingest module to compile the rule files.

 yarabridge:
 VS project to create the dll that wraps the the libyara library.
@@ -18,7 +18,8 @@ Steps for building yarabridge, YaraJNIWrapper and YaraWrapperTest.
 	- Build Release x64.
 3. Open the yarabridge project and build Release x64.
 	-If you have link issues, make sure you build release x64 in the previous step.
-	-This project will automatically copy the built dll to the bin folder.
+	-This project will automatically copy the built dll into the YaraJNIWrapper src\org\sleuthkit\autopsy\yara folder.
+		- This is where is needs to be so that its included into the jar file.
 4. Build YaraJNIWrapper
 	- Open in netbeans and select Build.
 	- Manually move the newly build jar file to the bin folder. After building the jar file can be found in