table of contents
- bookworm 4.2.3-4
- bookworm-backports 4.5.1-1~bpo12+1
- testing 4.5.1-1
- unstable 4.5.2-1
yara(1) | General Commands Manual | yara(1) |
NAME¶
yara - find files matching patterns and rules written in a special-purpose language.
SYNOPSIS¶
yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
DESCRIPTION¶
yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE.
The options to yara(1) are:
- --atom-quality-table
- Path to a file with the atom quality table.
- -C --compiled-rules
- RULES_FILE contains rules already compiled with yarac.
- -c --count
- Print number of matches only.
- -d --define=identifier=value
- Define an external variable. This option can be used multiple times.
- --fail-on-warnings
- Treat warnings as errors. Has no effect if used with --no-warnings.
- -f --fast-scan
- Speeds up scanning by searching only for the first occurrence of each pattern.
- -i identifier --identifier=identifier
- Print rules named identifier and ignore the rest. This option can be used multiple times.
- --max-process-memory-chunk=size
- While scanning process memory read data in chunks of the given size in bytes.
- -l number --max-rules=number
- Abort scanning after a number of rules matched.
- --max-strings-per-rule=number
- Set maximum number of strings per rule (default=10000)
- -x --module-data=module=file
- Pass file's content as extra data to module. This option can be used multiple times.
- -n --negate
- Print rules that doesn't apply (negate).
- -w --no-warnings
- Disable warnings.
- -m --print-meta
- Print metadata associated to the rule.
- -D --print-module-data
- Print module data.
- -e --print-namespace
- Print namespace associated to the rule.
- -S --print-stats
- Print rules' statistics.
- -s --print-strings
- Print strings found in the file.
- -L --print-string-length
- Print length of strings found in the file.
- -g --print-tags
- Print the tags associated to the rule.
- -r --recursive
- Scan files in directories recursively. It follows symlinks.
- --scan-list
- Scan files listed in FILE, one per line.
- -z size --skip-larger=size
- Skip files larger than the given size in bytes when scanning a directory.
- -k slots --stack-size=slots
- Set maximum stack size to the specified number of slots.
- -t tag --tag=tag
- Print rules tagged as tag and ignore the rest. This option can be used multiple times.
- -p number --threads=number
- Use the specified number of threads to scan a directory.
- -a seconds --timeout=seconds
- Abort scanning after a number of seconds has elapsed.
- -v --version
- Show version information.
EXAMPLES¶
$ yara /foo/bar/rules .
Apply rules on /foo/bar/rules to all files on current directory. Subdirectories are not scanned.
$ yara -t Packer -t Compiler /foo/bar/rules bazfile
Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.
$ cat /foo/bar/rules | yara -r /foo
Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.
$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
Defines three external variables mybool myint and mystring.
$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile
Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.
AUTHOR¶
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>
September 22, 2008 | Victor M. Alvarez |