
yara - find files matching patterns and rules written in a special-purpose language.


NAME

yara − find files matching patterns and rules written in a special-purpose language.

SYNOPSIS

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION

yara scans the given FILE, all files contained in directory DIR, or the process identified by PID, looking for matches of patterns and rules provided in a special-purpose language. The rules are read from one or more RULES_FILE.

The options to yara(1) are:
--atom-quality-table

Path to a file with the atom quality table.

−C --compiled-rules

RULES_FILE contains rules already compiled with yarac.

−c --count

Print number of matches only.

−d --define=identifier=value

Define an external variable. This option can be used multiple times.

--fail-on-warnings

Treat warnings as errors. Has no effect if used with --no-warnings.

−f --fast-scan

Speeds up scanning by searching only for the first occurrence of each pattern.

−i identifier --identifier=identifier

Print rules named identifier and ignore the rest. This option can be used multiple times.

--max-process-memory-chunk=size

While scanning process memory, read data in chunks of the given size in bytes.

−l number --max-rules=number

Abort scanning after a number of rules matched.

--max-strings-per-rule=number

Set maximum number of strings per rule (default=10000).

−x --module-data=module=file

Pass file’s content as extra data to module. This option can be used multiple times.

−n --negate

Print rules that don’t apply (negate).

−w --no-warnings

Disable warnings.

−m --print-meta

Print metadata associated with the rule.

−D --print-module-data

Print module data.

−M --module-names

Show module names.

−e --print-namespace

Print namespace associated with the rule.

−S --print-stats

Print rules’ statistics.

−s --print-strings

Print strings found in the file.

−L --print-string-length

Print length of strings found in the file.

−X --print-xor-key

Print xor key of matched strings.

−g --print-tags

Print the tags associated with the rule.

−r --recursive

Scan files in directories recursively. It follows symlinks.

--scan-list

Scan files listed in FILE, one per line.

−z size --skip-larger=size

Skip files larger than the given size in bytes when scanning a directory.

−k slots --stack-size=slots

Set maximum stack size to the specified number of slots.

--strict-escape

Print warnings if rules contain ambiguous escape statements.

−t tag --tag=tag

Print rules tagged as tag and ignore the rest. This option can be used multiple times.

−p number --threads=number

Use the specified number of threads to scan a directory.

−a seconds --timeout=seconds

Abort scanning after a number of seconds has elapsed.

−v --version

Show version information.

EXAMPLES

$ yara /foo/bar/rules .

Apply the rules in /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile

Apply the rules in /foo/bar/rules to bazfile. Only rules tagged as Packer or Compiler are reported.

$ cat /foo/bar/rules | yara -r /foo

Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

Define three external variables: mybool, myint and mystring.

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

Apply the rules in /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.
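
The -t and -d examples above, shown end to end as an added example (not part of the original manual page or of the YARA project). The rule names, file contents and temporary directory are constructed for illustration; the rules reference the external variables mybool, myint and mystring, which must be defined with -d for the rules file to compile.

```shell
#!/bin/sh
# Added example: rules, rule names and sample file are constructed for illustration.

write_demo() {   # $1 = working directory
  cat > "$1/demo.yar" <<'EOF'
rule upx_section_names : Packer
{
    strings:
        $s0 = "UPX0"
        $s1 = "UPX1"
    condition:
        // boolean and integer externals, supplied with -d mybool=... -d myint=...
        mybool and all of them and filesize < myint * 1024
}

rule labelled_build : Compiler
{
    strings:
        $banner = "built-with:"
    condition:
        // string external, supplied with -d mystring=...
        $banner and mystring contains "my"
}

rule untagged_marker
{
    strings:
        $m = "sample"
    condition:
        $m
}
EOF
  printf 'sample UPX0 UPX1 built-with: demo\n' > "$1/bazfile"
}

scan_demo() {    # $1 = working directory
  # -t limits reporting to rules tagged Packer or Compiler, so untagged_marker
  # matches but is not printed; -g prints each reported rule's tags.
  yara -g -t Packer -t Compiler \
       -d mybool=true -d myint=5 -d mystring="my string" \
       "$1/demo.yar" "$1/bazfile"
}

if command -v yara >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  write_demo "$demo_dir"
  scan_demo "$demo_dir"
  rm -rf "$demo_dir"
fi
```

Setting -d mybool=false, or lowering myint to 0, stops upx_section_names from matching without editing the rules file, which is the usual reason to parameterise rules with external variables.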

AUTHOR

Victor M. Alvarez <[email protected]>;<[email protected]>


Updated 2026-06-01 - jenkler.se | uex.se