From 6becccafc6fc17902c5e659df275f1b00c7d500e Mon Sep 17 00:00:00 2001
From: Kelly Kelly <kelly@basistech.com>
Date: Thu, 5 Nov 2020 11:48:42 -0500
Subject: [PATCH] Added support for TSK_RULE

---
 .gitignore                                                  | 1 +
 .../sleuthkit/autopsy/modules/yara/YaraIngestHelper.java    | 6 ++++--
 thirdparty/yara/ReadMe.txt                                  | 5 +++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9672ad8957..83345a859b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -99,3 +99,4 @@ hs_err_pid*.log
 /thirdparty/yara/YaraJNIWrapper/dist/
 /thirdparty/yara/YaraJNIWrapper/build/
 /thirdparty/yara/YaraJNIWrapper/nbproject/private/
+thirdparty/yara/yarabridge/.vs/
diff --git a/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java b/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
index 9afcc9facd..c0f36e6ea3 100755
--- a/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
@@ -23,6 +23,8 @@
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.BlackboardArtifact;
 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_HIT;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
 import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.TskCoreException;
 
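Review bot: The two new static imports are placed between non-static imports (after `TSK_YARA_HIT` and before `import org.sleuthkit.datamodel.BlackboardAttribute;`), so the import block now mixes static and regular imports in one run; Java convention keeps static imports in their own group, so moving `import static ...TSK_SET_NAME;` and `import static ...TSK_RULE;` next to the existing `import static ...TSK_YARA_HIT;` line would keep the block consistent. The surrounding import block extends beyond the hunk, so the full ordering cannot be checked from here.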
@@ -136,8 +138,8 @@ private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile
             BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT);
             List<BlackboardAttribute> attributes = new ArrayList<>();
 
-            attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, ruleSetName));
-            attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, MODULE_NAME, rule));
+            attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
+            attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
 
             artifact.addAttributes(attributes);
             artifacts.add(artifact);
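Review bot: Replacing the `TSK_CATEGORY` attribute with `TSK_RULE` on every `TSK_YARA_HIT` artifact changes the artifact's attribute set, but nothing in this patch updates any code that reads that artifact, so a consumer (result viewer, report module, or test) that still looks up `TSK_CATEGORY` on a YARA hit would now find no rule name; worth confirming no such reader exists, and noting that cases ingested before this change still carry the rule name under `TSK_CATEGORY`. A short comment above the two attribute lines would make the contract explicit for readers: `// rule set name goes in TSK_SET_NAME, the matched rule name in TSK_RULE`. createArtifact starts outside the hunk, so the origin of `rule` and `ruleSetName` cannot be checked from here.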
diff --git a/thirdparty/yara/ReadMe.txt b/thirdparty/yara/ReadMe.txt
index 31f38633b4..98c356f1b6 100755
--- a/thirdparty/yara/ReadMe.txt
+++ b/thirdparty/yara/ReadMe.txt
@@ -1,7 +1,7 @@
 This folder contains the projects you need for building and testing the yarabridge.dll and YaraJNIWrapper.jar.
 
 bin:
-Contains the built dll and jar.
+Contains the built jar and jarac64.exe.  jarac64.exe is used to by the ingest module to compile the rule files.
 
 yarabridge:
 VS project to create the dll that wraps the the libyara library.
@@ -18,7 +18,8 @@ Steps for building yarabridge, YaraJNIWrapper and YaraWrapperTest.
 	- Build Release x64.
 3. Open the yarabridge project and build Release x64.
 	-If you have link issues, make sure you build release x64 in the previous step.
-	-This project will automatically copy the built dll to the bin folder.
+	-This project will automatically copy the built dll into the YaraJNIWrapper src\org\sleuthkit\autopsy\yara folder.
+		- This is where is needs to be so that its included into the jar file.
 4. Build YaraJNIWrapper
 	- Open in netbeans and select Build.
 	- Manually move the newly build jar file to the bin folder. After building the jar file can be found in
-- 
GitLab