1yara(1)                     General Commands Manual                    yara(1)
2
3
4

NAME

6       yara - find files matching patterns and rules written in a special-pur‐
7       pose language.
8

SYNOPSIS

10       yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
11

DESCRIPTION

13       yara scans the given FILE, all files contained in directory DIR, or the
14       process  identified  by  PID  looking for matches of patterns and rules
15       provided in a special purpose-language. The rules are read from one  or
16       more RULES_FILE.
17
18       The options to yara(1) are:
19
20           --atom-quality-table
21              Path to a file with the atom quality table.
22
23       -C  --compiled-rules
24              RULES_FILE contains rules already compiled with yarac.
25
26       -c  --count
27              Print number of matches only.
28
29       -d  --define=identifier=value
30              Define  an  external  variable. This option can be used multiple
31              times.
32
33           --fail-on-warnings
34              Treat warnings as errors. Has no effect if used with  --no-warn‐
35              ings.
36
37       -f  --fast-scan
38              Speeds up scanning by searching only for the first occurrence of
39              each pattern.
40
41       -i identifier --identifier=identifier
42              Print rules named identifier and ignore the  rest.  This  option
43              can be used multiple times.
44
45       -l number --max-rules=number
46              Abort scanning after a number of rules matched.
47
48           --max-strings-per-rule=number
49              Set maximum number of strings per rule (default=10000)
50
51       -x  --module-data=module=file
52              Pass  file's content as extra data to module. This option can be
53              used multiple times.
54
55       -n  --negate
56              Print rules that doesn't apply (negate).
57
58       -w  --no-warnings
59              Disable warnings.
60
61       -m  --print-meta
62              Print metadata associated to the rule.
63
64       -D  --print-module-data
65              Print module data.
66
67       -e  --print-namespace
68              Print namespace associated to the rule.
69
70       -S  --print-stats
71              Print rules' statistics.
72
73       -s  --print-strings
74              Print strings found in the file.
75
76       -L  --print-string-length
77              Print length of strings found in the file.
78
79       -g  --print-tags
80              Print the tags associated to the rule.
81
82       -r  --recursive
83              Scan files in directories recursively.
84
85       -k slots --stack-size=slots
86              Set maximum stack size to the specified number of slots.
87
88       -t tag --tag=tag
89              Print rules tagged as tag and ignore the rest. This  option  can
90              be used multiple times.
91
92       -p number --threads=number
93              Use the specified number of threads to scan a directory.
94
95       -a seconds --timeout=seconds
96              Abort scanning after a number of seconds has elapsed.
97
98       -v  --version
99              Show version information.
100

EXAMPLES

102       $ yara /foo/bar/rules .
103
104              Apply rules on /foo/bar/rules to all files on current directory.
105              Subdirectories are not scanned.
106
107       $ yara -t Packer -t Compiler /foo/bar/rules bazfile
108
109              Apply rules on /foo/bar/rules to bazfile.   Only  reports  rules
110              tagged as Packer or Compiler.
111
112       $ cat /foo/bar/rules | yara -r /foo
113
114              Scan  all  files  in  the /foo directory and its subdirectories.
115              Rules are read from standard input.
116
117       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules
118       bazfile
119
120              Defines three external variables mybool myint and mystring.
121
122       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile
123
124              Apply  rules on /foo/bar/rules to bazfile while passing the con‐
125              tent of cuckoo_json_report to the cuckoo module.
126
127

AUTHOR

129       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>
130
131
132
133Victor M. Alvarez             September 22, 2008                       yara(1)
Impressum