yara(1)                     General Commands Manual                    yara(1)

NAME
     yara - find files matching patterns and rules written in a special-purpose
     language.

SYNOPSIS
     yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION
     yara scans the given FILE, all files contained in directory DIR, or the
     process identified by PID, looking for matches of patterns and rules
     provided in a special-purpose language. The rules are read from one or
     more RULES_FILE.

     The options to yara(1) are:

     --atom-quality-table
            Path to a file with the atom quality table.

     -C --compiled-rules
            RULES_FILE contains rules already compiled with yarac.

     -c --count
            Print the number of matches only.

     -d --define=identifier=value
            Define an external variable. This option can be used multiple
            times.

     --fail-on-warnings
            Treat warnings as errors. Has no effect if used with
            --no-warnings.

     -f --fast-scan
            Speeds up scanning by searching only for the first occurrence of
            each pattern.

     -i identifier --identifier=identifier
            Print rules named identifier and ignore the rest. This option
            can be used multiple times.

     --max-process-memory-chunk=size
            While scanning process memory, read data in chunks of the given
            size in bytes.

     -l number --max-rules=number
            Abort scanning after number rules have matched.

     --max-strings-per-rule=number
            Set the maximum number of strings per rule (default=10000).

     -x --module-data=module=file
            Pass file's content as extra data to module. This option can be
            used multiple times.

     -n --negate
            Print rules that don't apply (negate).

     -w --no-warnings
            Disable warnings.

     -m --print-meta
            Print the metadata associated with the rule.

     -D --print-module-data
            Print module data.

     -M --module-names
            Show module names.

     -e --print-namespace
            Print the namespace associated with the rule.

     -S --print-stats
            Print rules' statistics.

     -s --print-strings
            Print strings found in the file.

     -L --print-string-length
            Print the length of strings found in the file.

     -X --print-xor-key
            Print the XOR key of matched strings.

     -g --print-tags
            Print the tags associated with the rule.

     -r --recursive
            Scan files in directories recursively. It follows symlinks.

     --scan-list
            Scan files listed in FILE, one per line.

     -z size --skip-larger=size
            Skip files larger than the given size in bytes when scanning a
            directory.

     -k slots --stack-size=slots
            Set the maximum stack size to the specified number of slots.

     -t tag --tag=tag
            Print rules tagged as tag and ignore the rest. This option can
            be used multiple times.

     -p number --threads=number
            Use the specified number of threads to scan a directory.

     -a seconds --timeout=seconds
            Abort scanning after the given number of seconds has elapsed.

     -v --version
            Show version information.

EXAMPLES
     $ yara /foo/bar/rules .

            Apply the rules in /foo/bar/rules to all files in the current
            directory. Subdirectories are not scanned.

     $ yara -t Packer -t Compiler /foo/bar/rules bazfile

            Apply the rules in /foo/bar/rules to bazfile. Only report rules
            tagged as Packer or Compiler.

     $ cat /foo/bar/rules | yara -r /foo

            Scan all files in the /foo directory and its subdirectories.
            Rules are read from standard input.

     $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules
       bazfile

            Define three external variables: mybool, myint and mystring.

     $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

            Apply the rules in /foo/bar/rules to bazfile while passing the
            content of cuckoo_json_report to the cuckoo module.

AUTHOR
     Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>



Victor M. Alvarez              September 22, 2008                      yara(1)