yara(1)                     General Commands Manual                    yara(1)

yara - find files matching patterns and rules written in a
special-purpose language.

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

yara scans the given FILE, all files contained in directory DIR, or the
process identified by PID, looking for matches of patterns and rules
provided in a special-purpose language. The rules are read from one or
more RULES_FILE.

The options to yara(1) are:

--atom-quality-table
       Path to a file with the atom quality table.

-C --compiled-rules
       RULES_FILE contains rules already compiled with yarac.

-c --count
       Print number of matches only.

-d --define=identifier=value
       Define an external variable. This option can be used multiple
       times.

--fail-on-warnings
       Treat warnings as errors. Has no effect if used with
       --no-warnings.

-f --fast-scan
       Speeds up scanning by searching only for the first occurrence of
       each pattern.

-i identifier --identifier=identifier
       Print rules named identifier and ignore the rest. This option
       can be used multiple times.

-l number --max-rules=number
       Abort scanning after the given number of rules have matched.

--max-strings-per-rule=number
       Set maximum number of strings per rule (default=10000).

-x --module-data=module=file
       Pass file's content as extra data to module. This option can be
       used multiple times.

-n --negate
       Print rules that don't apply (negate).

-w --no-warnings
       Disable warnings.

-m --print-meta
       Print metadata associated with the rule.

-D --print-module-data
       Print module data.

-e --print-namespace
       Print namespace associated with the rule.

-S --print-stats
       Print rules' statistics.

-s --print-strings
       Print strings found in the file.

-L --print-string-length
       Print length of strings found in the file.

-g --print-tags
       Print the tags associated with the rule.

-r --recursive
       Scan files in directories recursively. It follows symlinks.

--scan-list
       Scan files listed in FILE, one per line.

-k slots --stack-size=slots
       Set maximum stack size to the specified number of slots.

-t tag --tag=tag
       Print rules tagged as tag and ignore the rest. This option can
       be used multiple times.

-p number --threads=number
       Use the specified number of threads to scan a directory.

-a seconds --timeout=seconds
       Abort scanning after a number of seconds has elapsed.

-v --version
       Show version information.

$ yara /foo/bar/rules .

       Apply the rules in /foo/bar/rules to all files in the current
       directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile

       Apply the rules in /foo/bar/rules to bazfile. Only rules tagged
       as Packer or Compiler are reported.

$ cat /foo/bar/rules | yara -r /foo

       Scan all files in the /foo directory and its subdirectories.
       Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

       Defines three external variables: mybool, myint and mystring.

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

       Apply the rules in /foo/bar/rules to bazfile while passing the
       content of cuckoo_json_report to the cuckoo module.

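The -d, -t, -m and -s options are easier to follow next to the rule text they act on. The script below is an added example, not part of the yara man page; the rule name, tags, marker string, external variable names (max_size, stage) and file paths are all constructed for illustration.

```shell
#!/bin/sh
# Added example: every name below (rule, tags, marker, variables, paths)
# is constructed for illustration.

# Write a tagged rule whose condition depends on two external variables,
# plus one sample file that matches and one that does not.
write_demo() {
    dir=$1
    mkdir -p "$dir/samples"
    cat > "$dir/demo.yar" <<'EOF'
rule DemoMarker : Demo Packer
{
    meta:
        description = "constructed rule exercising -d, -t, -m and -s"
    strings:
        $marker = "CONSTRUCTED-MARKER-0001"
    condition:
        $marker and filesize < max_size and stage == "lab"
}
EOF
    printf 'header CONSTRUCTED-MARKER-0001 trailer\n' > "$dir/samples/hit.txt"
    printf 'nothing of interest here\n' > "$dir/samples/miss.txt"
}

# Scan recursively, report only rules tagged Demo, and print metadata and
# matched strings. max_size is defined as an integer, stage as a string.
run_demo() {
    yara -r -m -s -t Demo -d max_size=1048576 -d stage=lab \
        "$1/demo.yar" "$1/samples"
}

# Same scan without -d: max_size and stage are undefined identifiers, so the
# rules do not compile and yara exits non-zero before scanning anything.
run_without_defines() {
    yara -r "$1/demo.yar" "$1/samples"
}

if command -v yara >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    write_demo "$tmp"
    run_demo "$tmp"
    run_without_defines "$tmp" || echo "compile failed as expected without -d"
    rm -rf "$tmp"
else
    echo "yara not installed; write_demo still shows the rule text" >&2
fi
```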

Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez              September 22, 2008                      yara(1)