yara(1)                                General Commands Manual                               yara(1)



NAME
       yara - find files matching patterns and rules written in a special-purpose language.

SYNOPSIS
       yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION
       yara scans the given FILE, all files contained in directory DIR, or the process identified by
       PID, looking for matches of patterns and rules written in a special-purpose language. The
       rules are read from one or more RULES_FILE.

       The options to yara(1) are:

           --atom-quality-table
              Path to a file with the atom quality table.

       -C  --compiled-rules
              RULES_FILE contains rules already compiled with yarac.

       -c  --count
              Print number of matches only.

       -d  --define=identifier=value
              Define an external variable. This option can be used multiple times.

           --fail-on-warnings
              Treat warnings as errors. Has no effect if used with --no-warnings.

       -f  --fast-scan
              Speeds up scanning by searching only for the first occurrence of each pattern.

       -i identifier --identifier=identifier
              Print  rules  named  identifier  and ignore the rest. This option can be used multiple
              times.

           --max-process-memory-chunk=size
              While scanning process memory read data in chunks of the given size in bytes.

       -l number --max-rules=number
              Abort scanning after a number of rules matched.

           --max-strings-per-rule=number
              Set maximum number of strings per rule (default=10000).

       -x  --module-data=module=file
              Pass file's content as extra data to module. This option can be used multiple times.

       -n  --negate
              Print rules that don't apply (negate).

       -w  --no-warnings
              Disable warnings.

       -m  --print-meta
              Print metadata associated to the rule.

       -D  --print-module-data
              Print module data.

       -M  --module-names
              Show module names.

       -e  --print-namespace
              Print namespace associated to the rule.

       -S  --print-stats
              Print rules' statistics.

       -s  --print-strings
              Print strings found in the file.

       -L  --print-string-length
              Print length of strings found in the file.

       -X  --print-xor-key
              Print xor key of matched strings.

       -g  --print-tags
              Print the tags associated to the rule.

       -r  --recursive
              Scan files in directories recursively. It follows symlinks.

           --scan-list
              Scan files listed in FILE, one per line.

       -z size --skip-larger=size
              Skip files larger than the given size in bytes when scanning a directory.

       -k slots --stack-size=slots
              Set maximum stack size to the specified number of slots.

       -t tag --tag=tag
              Print rules tagged as tag and ignore the rest. This option can be used multiple times.

       -p number --threads=number
              Use the specified number of threads to scan a directory.

       -a seconds --timeout=seconds
              Abort scanning after a number of seconds has elapsed.

       -v  --version
              Show version information.

EXAMPLES
       $ yara /foo/bar/rules .

              Apply rules in /foo/bar/rules to all files in the current directory. Subdirectories are
              not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

              Apply rules in /foo/bar/rules to bazfile. Only rules tagged as Packer or Compiler are
              reported.

       $ cat /foo/bar/rules | yara -r /foo

              Scan all files in the /foo directory and its subdirectories. Rules are read from
              standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

              Define three external variables: mybool, myint, and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

              Apply rules in /foo/bar/rules to bazfile while passing the content of
              cuckoo_json_report to the cuckoo module.
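
       Added example, not part of the original manual page: a resource-bounded recursive scan that
       combines --fail-on-warnings, -r, -z, -a, -p, -t, -d, -m and -s. The rule text, the function
       names, the limits and the paths are constructed for illustration.

```shell
#!/bin/sh
# Added example; rule text, names, limits and paths are constructed.

# Write a rule tagged Packer that depends on the external variable max_size.
write_rules() {
    cat > "$1" <<'EOF'
rule DemoMarker : Packer
{
    meta:
        description = "constructed demo rule"
    strings:
        $m = "DEMO-MARKER"
    condition:
        $m and filesize < max_size
}
EOF
}

# Emit the scan arguments, one per line. $1 = rules file, $2 = directory.
# -r follows symlinks, so -z (10 MiB), -a (60 s) and -p (4 threads) bound the
# work; -t limits reporting to the Packer tag and -d supplies max_size.
scan_args() {
    printf '%s\n' \
        --fail-on-warnings \
        -r \
        -z 10485760 \
        -a 60 \
        -p 4 \
        -t Packer \
        -d max_size=1048576 \
        -m -s \
        "$1" "$2"
}

# Run yara with those arguments; returns yara's exit status.
run_scan() {
    old_ifs=$IFS
    IFS='
'
    set -f                      # split on newlines only, no globbing
    yara $(scan_args "$1" "$2")
    rc=$?
    set +f
    IFS=$old_ifs
    return "$rc"
}

# Usage: write_rules demo.yar && run_scan demo.yar /srv/quarantine
```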


AUTHOR
       Victor M. Alvarez <plusvic AT gmail.com>;<vmalvarez AT virustotal.com>



Victor M. Alvarez                        September 22, 2008                                  yara(1)
