yara(1)                     General Commands Manual                    yara(1)

NAME

       yara - find files matching patterns and rules written in a special-purpose
       language.

SYNOPSIS

       yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION

       yara scans the given FILE, all files contained in directory DIR, or the
       process identified by PID, looking for matches of patterns and rules
       provided in a special-purpose language. The rules are read from one or
       more RULES_FILE.

       The options to yara(1) are:

           --atom-quality-table
              Path to a file with the atom quality table.

       -c  --count
              Print number of matches only.

       -d  --define=identifier=value
              Define an external variable. This option can be used multiple
              times.

           --fail-on-warnings
              Treat warnings as errors. Has no effect if used with
              --no-warnings.

       -f  --fast-scan
              Speeds up scanning by searching only for the first occurrence of
              each pattern.

       -i identifier --identifier=identifier
              Print rules named identifier and ignore the rest. This option
              can be used multiple times.

       -l number --max-rules=number
              Abort scanning after a number of rules matched.

           --max-strings-per-rule=number
              Set maximum number of strings per rule (default=10000).

       -x  --module-data=module=file
              Pass file's content as extra data to module. This option can be
              used multiple times.

       -n  --negate
              Print rules that do not apply (negate).

       -w  --no-warnings
              Disable warnings.

       -m  --print-meta
              Print metadata associated with the rule.

       -D  --print-module-data
              Print module data.

       -e  --print-namespace
              Print namespace associated with the rule.

       -S  --print-stats
              Print rules' statistics.

       -s  --print-strings
              Print strings found in the file.

       -L  --print-string-length
              Print length of strings found in the file.

       -g  --print-tags
              Print the tags associated with the rule.

       -r  --recursive
              Scan files in directories recursively.

       -k slots --stack-size=slots
              Set maximum stack size to the specified number of slots.

       -t tag --tag=tag
              Print rules tagged as tag and ignore the rest. This option can
              be used multiple times.

       -p number --threads=number
              Use the specified number of threads to scan a directory.

       -a seconds --timeout=seconds
              Abort scanning after a number of seconds has elapsed.

       -v  --version
              Show version information.

EXAMPLES

       $ yara /foo/bar/rules .

              Apply the rules in /foo/bar/rules to all files in the current
              directory. Subdirectories are not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

              Apply the rules in /foo/bar/rules to bazfile. Only rules tagged
              as Packer or Compiler are reported.

       $ cat /foo/bar/rules | yara -r /foo

              Scan all files in the /foo directory and its subdirectories.
              Rules are read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

              Defines three external variables: mybool, myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

              Apply the rules in /foo/bar/rules to bazfile while passing the
              content of cuckoo_json_report to the cuckoo module.
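
       The script below is an added example, not part of the original manual
       or the yara project. It shows a rule file that depends on external
       variables (-d), a namespace prefix on the rules file and tag filtering
       (-t). The rule names, the externals max_kb and env_name, and the file
       names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed rules and sample file; all names are hypothetical.

# write_demo DIR: create a rule file that needs two external variables,
# plus one sample file that the tagged rule should match.
write_demo() {
    cat > "$1/demo.yar" <<'EOF'
rule DemoMarker : Demo
{
    meta:
        description = "constructed rule for the yara(1) example"
    strings:
        $marker = "EXAMPLE-MARKER-STRING"
    condition:
        $marker and filesize < max_kb * 1024 and env_name == "lab"
}

rule AlwaysTrue : Noise
{
    condition:
        true
}
EOF
    printf 'header EXAMPLE-MARKER-STRING trailer\n' > "$1/sample.txt"
}

# scan_demo DIR: scan the sample with both externals defined, report only
# rules tagged Demo, and print their metadata and matched strings.
scan_demo() {
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara not installed, scan skipped" >&2
        return 0
    fi
    # "demo:" places the rules in namespace "demo" ([NAMESPACE:]RULES_FILE).
    yara -d max_kb=4 -d env_name=lab -t Demo -m -s \
        "demo:$1/demo.yar" "$1/sample.txt"
}

demo_dir=$(mktemp -d)
write_demo "$demo_dir"
scan_demo "$demo_dir"
rm -rf "$demo_dir"
```

       AlwaysTrue also matches the sample, but -t Demo keeps it out of the
       report. Without both -d options the rule file does not compile,
       because max_kb and env_name are undefined identifiers.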

AUTHOR

       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez             September 22, 2008                       yara(1)