mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added support for TSK_RULE

Browse Source
This commit is contained in:
Kelly Kelly 2020-11-05 11:48:42 -05:00
parent 09d0c6e5f6
commit 6becccafc6
3 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -99,3 +99,4 @@ hs_err_pid*.log
/thirdparty/yara/YaraJNIWrapper/dist/
/thirdparty/yara/YaraJNIWrapper/build/
/thirdparty/yara/YaraJNIWrapper/nbproject/private/
thirdparty/yara/yarabridge/.vs/

6
Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java
View File

@ -23,6 +23,8 @@ import org.sleuthkit.autopsy.yara.YaraWrapperException;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_HIT;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;
@ -136,8 +138,8 @@ final class YaraIngestHelper {
BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT);
List<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, ruleSetName));
attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, MODULE_NAME, rule));
attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
artifact.addAttributes(attributes);
artifacts.add(artifact);

5
thirdparty/yara/ReadMe.txt vendored
View File

@ -1,7 +1,7 @@
This folder contains the projects you need for building and testing the yarabridge.dll and YaraJNIWrapper.jar.
bin:
Contains the built dll and jar.
Contains the built jar and jarac64.exe. jarac64.exe is used to by the ingest module to compile the rule files.
yarabridge:
VS project to create the dll that wraps the the libyara library.
@ -18,7 +18,8 @@ Steps for building yarabridge, YaraJNIWrapper and YaraWrapperTest.
- Build Release x64.
3. Open the yarabridge project and build Release x64.
-If you have link issues, make sure you build release x64 in the previous step.
-This project will automatically copy the built dll to the bin folder.
-This project will automatically copy the built dll into the YaraJNIWrapper src\org\sleuthkit\autopsy\yara folder.
- This is where is needs to be so that its included into the jar file.
4. Build YaraJNIWrapper
- Open in netbeans and select Build.
- Manually move the newly build jar file to the bin folder. After building the jar file can be found in