yara(1)                     General Commands Manual                    yara(1)

       yara - find files matching patterns and rules written in a
       special-purpose language.

       yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

       yara scans the given FILE, all files contained in directory DIR, or the
       process identified by PID, looking for matches of patterns and rules
       provided in a special-purpose language. The rules are read from one or
       more RULES_FILE.

       The options to yara(1) are:

       --atom-quality-table
              Path to a file with the atom quality table.

       -C --compiled-rules
              RULES_FILE contains rules already compiled with yarac.

       -c --count
              Print number of matches only.

       -d --define=identifier=value
              Define an external variable. This option can be used multiple
              times.

       --fail-on-warnings
              Treat warnings as errors. Has no effect if used with
              --no-warnings.

       -f --fast-scan
              Speeds up scanning by searching only for the first occurrence of
              each pattern.

       -i identifier --identifier=identifier
              Print rules named identifier and ignore the rest. This option
              can be used multiple times.

       -l number --max-rules=number
              Abort scanning after a number of rules matched.

       --max-strings-per-rule=number
              Set maximum number of strings per rule (default=10000).

       -x --module-data=module=file
              Pass file's content as extra data to module. This option can be
              used multiple times.

       -n --negate
              Print rules that don't apply (negate).

       -w --no-warnings
              Disable warnings.

       -m --print-meta
              Print metadata associated with the rule.

       -D --print-module-data
              Print module data.

       -e --print-namespace
              Print namespace associated with the rule.

       -S --print-stats
              Print rules' statistics.

       -s --print-strings
              Print strings found in the file.

       -L --print-string-length
              Print length of strings found in the file.

       -g --print-tags
              Print the tags associated with the rule.

       -r --recursive
              Scan files in directories recursively.

       -k slots --stack-size=slots
              Set maximum stack size to the specified number of slots.

       -t tag --tag=tag
              Print rules tagged as tag and ignore the rest. This option can
              be used multiple times.

       -p number --threads=number
              Use the specified number of threads to scan a directory.

       -a seconds --timeout=seconds
              Abort scanning after a number of seconds has elapsed.

       -v --version
              Show version information.

       $ yara /foo/bar/rules .

              Apply the rules in /foo/bar/rules to all files in the current
              directory. Subdirectories are not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

              Apply the rules in /foo/bar/rules to bazfile. Only rules tagged
              as Packer or Compiler are reported.

       $ cat /foo/bar/rules | yara -r /foo

              Scan all files in the /foo directory and its subdirectories.
              Rules are read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

              Defines three external variables: mybool, myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

              Apply the rules in /foo/bar/rules to bazfile while passing the
              content of cuckoo_json_report to the cuckoo module.

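An added example, not part of the yara distribution: it combines -r, -t and -d on a constructed rules file and shows that a rule referencing an external variable fails to compile when -d is omitted. The file name demo.yar, the rule names, the min_size variable and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. demo.yar, the rule names and the sample files are constructed.

# Create a rules file with two tagged rules plus a small sample tree.
# LargeFile references min_size, an external variable supplied with -d.
make_fixture() {
    mkdir -p "$1/samples/nested"
    cat > "$1/demo.yar" <<'EOF'
rule UpxMarker : Packer
{
    strings:
        $upx = "UPX!"
    condition:
        $upx
}

rule LargeFile : Triage
{
    condition:
        filesize > min_size
}
EOF
    printf 'header UPX! trailer\n' > "$1/samples/packed.bin"
    printf 'plain text\n' > "$1/samples/nested/clean.txt"
}

# Recursive scan (-r) reporting only rules tagged Packer (-t).
# Default output is "RULE FILE", so field 1 is the rule name.
scan_packers() {
    yara -r -t Packer -d min_size=5 "$1/demo.yar" "$1/samples" |
        awk '{print $1}' | sort -u
}

# Same rules without -d: compilation fails on the undefined identifier
# min_size and yara exits non-zero before scanning anything.
scan_without_define() {
    yara -r "$1/demo.yar" "$1/samples" >/dev/null 2>&1
}

# Run the demo only where the yara binary is installed.
if command -v yara >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_fixture "$work"
    scan_packers "$work"
    scan_without_define "$work" || echo "rules need -d min_size=<n>"
    yara -r -s -g -d min_size=5 "$work/demo.yar" "$work/samples"
    rm -rf "$work"
fi
```

In a scheduled scan, check yara's exit status as well as its output, since a rules file that fails to compile produces no matches at all.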

       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez              September 22, 2008                      yara(1)