Merge pull request #2063 from kellykelly3/6969-create-yara-ingest-module

6969 - Added YARA attribute and artifact

Merge pull request #2063 from kellykelly3/6969-create-yara-ingest-module
f6fcb211 · Richard Cordovano · GitHub · ecdac17e · cb434265 · f6fcb211
Unverified Commit f6fcb211 authored 4 years ago by Richard Cordovano Committed by GitHub 4 years ago
--- a/bindings/java/doxygen/artifact_catalog.dox
+++ b/bindings/java/doxygen/artifact_catalog.dox
@@ -875,5 +875,14 @@ Details about a WiFi adapter.



+---
+## TSK_YARA_HIT
+Indicates that the some content of the file was a hit for a YARA rule match.
+
+### REQUIRED ATTRIBUTES
+- TSK_RULE (The rule that was a hit for this file)
+- TSK_SET_NAME (Name of the rule set containing the matching rule YARA rule)
+
+

 */
--- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
@@ -1260,7 +1260,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem {
 		 * Stores a role on a given domain.
 		 */
 		TSK_WEB_ACCOUNT_TYPE(59, "TSK_WEB_ACCOUNT_TYPE",
-				bundle.getString("BlackboardArtifact.tskWebAccountType.text")),		
+				bundle.getString("BlackboardArtifact.tskWebAccountType.text")),			
 		/**
 		 * Screen shots from device or Application.
 		 */
@@ -1290,7 +1290,13 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem {
 		 * Activity on the System/Application.
 		 */
 		TSK_USER_DEVICE_EVENT(65, "TSK_USER_DEVICE_EVENT",
-				bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text"));		
+				bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text")),
+		/**
+		 * Indicates that the file had a yara pattern match hit.
+		 */
+		TSK_YARA_HIT(66, "TSK_YARA_HIT",	
+				bundle.getString("BlackboardArtifact.tskWebAccountType.text"));		
+
        /* To developers: For each new artifact, ensure that:
         * - The enum value has 1-line JavaDoc description
         * - The artifact catalog (artifact_catalog.dox) is updated to reflect the attributes it uses

--- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java
@@ -1417,9 +1417,14 @@ public enum ATTRIBUTE_TYPE {
 	        bundle.getString("BlackboardAttribute.tsklastprinteddatetime.text"),
 	        TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
 		
-		TSK_ACTIVITY_TYPE(150, "TSK_ACTIVITY_TYPE",
+		TSK_RULE(150, "TSK_RULE",
+	        bundle.getString("BlackboardAttribute.tskrule.text"),
+	        TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),		
+		
+		TSK_ACTIVITY_TYPE(151, "TSK_ACTIVITY_TYPE",
 	        bundle.getString("BlackboardAttribute.tskActivityType.text"),
 	        TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING)
+
 		;

 		private final int typeID;

--- a/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties
+++ b/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties
@@ -206,6 +206,7 @@ BlackboardAttribute.tskhashphotodna.text=PhotoDNA Hash
 BlackboardAttribute.tskbytessent.text=Bytes Sent
 BlackboardAttribute.tskbytesreceived.text=Bytes Received
 BlackboardAttribute.tsklastprinteddatetime.text=Last Printed Date
+BlackboardAttribute.tskrule.text = Rule
 BlackboardAttribute.tskActivityType.text=Activity Type
 AbstractFile.readLocal.exception.msg4.text=Error reading local file\: {0}
 AbstractFile.readLocal.exception.msg1.text=Error reading local file, local path is not set

--- a/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties-MERGED
+++ b/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties-MERGED
@@ -206,6 +206,7 @@ BlackboardAttribute.tskhashphotodna.text=PhotoDNA Hash
 BlackboardAttribute.tskbytessent.text=Bytes Sent
 BlackboardAttribute.tskbytesreceived.text=Bytes Received
 BlackboardAttribute.tsklastprinteddatetime.text=Last Printed Date
+BlackboardAttribute.tskrule.text = Rule
 BlackboardAttribute.tskActivityType.text=Activity Type
 AbstractFile.readLocal.exception.msg4.text=Error reading local file\: {0}
 AbstractFile.readLocal.exception.msg1.text=Error reading local file, local path is not set