Scroll to navigation

yara(1) General Commands Manual yara(1)

NAME

yara - find files matching patterns and rules written in a special-purpose language.

SYNOPSIS

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION

yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE.

The options to yara(1) are:

Path to a file with the atom quality table.
RULES_FILE contains rules already compiled with yarac.
Print number of matches only.
Define an external variable. This option can be used multiple times.
Treat warnings as errors. Has no effect if used with --no-warnings.
Speeds up scanning by searching only for the first occurrence of each pattern.
Print rules named identifier and ignore the rest. This option can be used multiple times.
While scanning process memory read data in chunks of the given size in bytes.
Abort scanning after a number of rules matched.
Set maximum number of strings per rule (default=10000)
Pass file's content as extra data to module. This option can be used multiple times.
Print rules that doesn't apply (negate).
Disable warnings.
Print metadata associated to the rule.
Print module data.
show module names
Print namespace associated to the rule.
Print rules' statistics.
Print strings found in the file.
Print length of strings found in the file.
Print xor key of matched strings.
Print the tags associated to the rule.
Scan files in directories recursively. It follows symlinks.
Scan files listed in FILE, one per line.
Skip files larger than the given size in bytes when scanning a directory.
Set maximum stack size to the specified number of slots.
Print warnings if rules contain ambiguous escape statements.
Print rules tagged as tag and ignore the rest. This option can be used multiple times.
Use the specified number of threads to scan a directory.
Abort scanning after a number of seconds has elapsed.
Show version information.

EXAMPLES

$ yara /foo/bar/rules .

Apply rules on /foo/bar/rules to all files on current directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile

Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.

$ cat /foo/bar/rules | yara -r /foo

Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

Defines three external variables mybool myint and mystring.

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.

AUTHOR

Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

September 22, 2008 Victor M. Alvarez