NAME¶

yara - find files matching patterns and rules written in a special-purpose language.

SYNOPSIS¶

yara [OPTION]... [RULEFILE]... FILE | PID

DESCRIPTION¶

Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose-language. The rules are read from RULEFILEs or standard input. The options to yara(1) are:

-t tag

Print rules tagged as tag and ignore the rest. This option can be used multiple times.

-i identifier

Print rules named identifier and ignore the rest. This option can be used multiple times.

-n

Print rules that doesn't apply (negate)

-g

Print the tags associated to the rule.

-m

Print metadata associated to the rule.

-s

Print strings found in the file.

-p number

Use the specified number of threads to scan a directory.

-l number

Abort scanning after a number of rules matched.

-a seconds

Abort scanning after a number of seconds has elapsed.

-d identifier=value

Define an external variable. This option can be used multiple times.

-x module=file

Pass file's content as extra data to module. This option can be used multiple times.

-r

Scan files in directories recursively.

-f

Speeds up scanning by searching only for the first occurrence of each pattern.

-w

Disable warnings.

-v

Show version information.

EXAMPLES¶

$ yara /foo/bar/rules1 /foo/bar/rules2 . $ yara -t Packer -t Compiler /foo/bar/rules bazfile $ cat /foo/bar/rules1 | yara -r /foo $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

AUTHOR¶

Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>