{ "mode": "man", "parameter": "yara", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/yara/1/json", "generated": "2026-05-30T06:07:09Z", "synopsis": "yara [OPTION]... [NAMESPACE:]RULESFILE... FILE | DIR | PID", "sections": { "NAME": { "content": "yara - find files matching patterns and rules written in a special-purpose language.\n", "subsections": [] }, "SYNOPSIS": { "content": "yara [OPTION]... [NAMESPACE:]RULESFILE... FILE | DIR | PID\n", "subsections": [] }, "DESCRIPTION": { "content": "yara scans the given FILE, all files contained in directory DIR, or the process identified by\nPID looking for matches of patterns and rules provided in a special purpose-language. The\nrules are read from one or more RULESFILE.\n\nThe options to yara(1) are:\n\n--atom-quality-table\nPath to a file with the atom quality table.\n", "subsections": [ { "name": "-C --compiled-rules", "content": "RULESFILE contains rules already compiled with yarac.\n", "flag": "-C", "long": "--compiled-rules" }, { "name": "-c --count", "content": "Print number of matches only.\n", "flag": "-c", "long": "--count" }, { "name": "-d --define", "content": "Define an external variable. This option can be used multiple times.\n\n--fail-on-warnings\nTreat warnings as errors. Has no effect if used with --no-warnings.\n", "flag": "-d", "long": "--define" }, { "name": "-f --fast-scan", "content": "Speeds up scanning by searching only for the first occurrence of each pattern.\n", "flag": "-f", "long": "--fast-scan" }, { "name": "-i --identifier=", "content": "Print rules named identifier and ignore the rest. This option can be used multiple\ntimes.\n\n--max-process-memory-chunk=size\nWhile scanning process memory read data in chunks of the given size in bytes.\n", "flag": "-i" }, { "name": "-l --max-rules=", "content": "Abort scanning after a number of rules matched.\n\n--max-strings-per-rule=number\nSet maximum number of strings per rule (default=10000)\n", "flag": "-l" }, { "name": "-x --module-data", "content": "Pass file's content as extra data to module. This option can be used multiple times.\n", "flag": "-x", "long": "--module-data" }, { "name": "-n --negate", "content": "Print rules that doesn't apply (negate).\n", "flag": "-n", "long": "--negate" }, { "name": "-w --no-warnings", "content": "Disable warnings.\n", "flag": "-w", "long": "--no-warnings" }, { "name": "-m --print-meta", "content": "Print metadata associated to the rule.\n", "flag": "-m", "long": "--print-meta" }, { "name": "-D --print-module-data", "content": "Print module data.\n", "flag": "-D", "long": "--print-module-data" }, { "name": "-M --module-names", "content": "show module names\n", "flag": "-M", "long": "--module-names" }, { "name": "-e --print-namespace", "content": "Print namespace associated to the rule.\n", "flag": "-e", "long": "--print-namespace" }, { "name": "-S --print-stats", "content": "Print rules' statistics.\n", "flag": "-S", "long": "--print-stats" }, { "name": "-s --print-strings", "content": "Print strings found in the file.\n", "flag": "-s", "long": "--print-strings" }, { "name": "-L --print-string-length", "content": "Print length of strings found in the file.\n", "flag": "-L", "long": "--print-string-length" }, { "name": "-X --print-xor-key", "content": "Print xor key of matched strings.\n", "flag": "-X", "long": "--print-xor-key" }, { "name": "-g --print-tags", "content": "Print the tags associated to the rule.\n", "flag": "-g", "long": "--print-tags" }, { "name": "-r --recursive", "content": "Scan files in directories recursively. It follows symlinks.\n\n--scan-list\nScan files listed in FILE, one per line.\n", "flag": "-r", "long": "--recursive" }, { "name": "-z --skip-larger=", "content": "Skip files larger than the given size in bytes when scanning a directory.\n", "flag": "-z" }, { "name": "-k --stack-size=", "content": "Set maximum stack size to the specified number of slots.\n", "flag": "-k" }, { "name": "-t --tag=", "content": "Print rules tagged as tag and ignore the rest. This option can be used multiple times.\n", "flag": "-t" }, { "name": "-p --threads=", "content": "Use the specified number of threads to scan a directory.\n", "flag": "-p" }, { "name": "-a --timeout=", "content": "Abort scanning after a number of seconds has elapsed.\n", "flag": "-a" }, { "name": "-v --version", "content": "Show version information.\n", "flag": "-v", "long": "--version" } ] }, "EXAMPLES": { "content": "$ yara /foo/bar/rules .\n\nApply rules on /foo/bar/rules to all files on current directory. Subdirectories are\nnot scanned.\n\n$ yara -t Packer -t Compiler /foo/bar/rules bazfile\n\nApply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Com‐\npiler.\n\n$ cat /foo/bar/rules | yara -r /foo\n\nScan all files in the /foo directory and its subdirectories. Rules are read from stan‐\ndard input.\n\n$ yara -d mybool=true -d myint=5 -d mystring=\"my string\" /foo/bar/rules bazfile\n\nDefines three external variables mybool myint and mystring.\n\n$ yara -x cuckoo=cuckoojsonreport /foo/bar/rules bazfile\n\nApply rules on /foo/bar/rules to bazfile while passing the content of cuckoojsonre‐\nport to the cuckoo module.\n\n", "subsections": [] }, "AUTHOR": { "content": "Victor M. Alvarez ;\n\n\n\nVictor M. Alvarez September 22, 2008 yara(1)", "subsections": [] } }, "summary": "yara - find files matching patterns and rules written in a special-purpose language.", "flags": [ { "flag": "-C", "long": "--compiled-rules", "arg": null, "description": "RULESFILE contains rules already compiled with yarac." }, { "flag": "-c", "long": "--count", "arg": null, "description": "Print number of matches only." }, { "flag": "-d", "long": "--define", "arg": null, "description": "Define an external variable. This option can be used multiple times. --fail-on-warnings Treat warnings as errors. Has no effect if used with --no-warnings." }, { "flag": "-f", "long": "--fast-scan", "arg": null, "description": "Speeds up scanning by searching only for the first occurrence of each pattern." }, { "flag": "-i", "long": null, "arg": null, "description": "Print rules named identifier and ignore the rest. This option can be used multiple times. --max-process-memory-chunk=size While scanning process memory read data in chunks of the given size in bytes." }, { "flag": "-l", "long": null, "arg": null, "description": "Abort scanning after a number of rules matched. --max-strings-per-rule=number Set maximum number of strings per rule (default=10000)" }, { "flag": "-x", "long": "--module-data", "arg": null, "description": "Pass file's content as extra data to module. This option can be used multiple times." }, { "flag": "-n", "long": "--negate", "arg": null, "description": "Print rules that doesn't apply (negate)." }, { "flag": "-w", "long": "--no-warnings", "arg": null, "description": "Disable warnings." }, { "flag": "-m", "long": "--print-meta", "arg": null, "description": "Print metadata associated to the rule." }, { "flag": "-D", "long": "--print-module-data", "arg": null, "description": "Print module data." }, { "flag": "-M", "long": "--module-names", "arg": null, "description": "show module names" }, { "flag": "-e", "long": "--print-namespace", "arg": null, "description": "Print namespace associated to the rule." }, { "flag": "-S", "long": "--print-stats", "arg": null, "description": "Print rules' statistics." }, { "flag": "-s", "long": "--print-strings", "arg": null, "description": "Print strings found in the file." }, { "flag": "-L", "long": "--print-string-length", "arg": null, "description": "Print length of strings found in the file." }, { "flag": "-X", "long": "--print-xor-key", "arg": null, "description": "Print xor key of matched strings." }, { "flag": "-g", "long": "--print-tags", "arg": null, "description": "Print the tags associated to the rule." }, { "flag": "-r", "long": "--recursive", "arg": null, "description": "Scan files in directories recursively. It follows symlinks. --scan-list Scan files listed in FILE, one per line." }, { "flag": "-z", "long": null, "arg": null, "description": "Skip files larger than the given size in bytes when scanning a directory." }, { "flag": "-k", "long": null, "arg": null, "description": "Set maximum stack size to the specified number of slots." }, { "flag": "-t", "long": null, "arg": null, "description": "Print rules tagged as tag and ignore the rest. This option can be used multiple times." }, { "flag": "-p", "long": null, "arg": null, "description": "Use the specified number of threads to scan a directory." }, { "flag": "-a", "long": null, "arg": null, "description": "Abort scanning after a number of seconds has elapsed." }, { "flag": "-v", "long": "--version", "arg": null, "description": "Show version information." } ], "examples": [ "$ yara /foo/bar/rules .", "Apply rules on /foo/bar/rules to all files on current directory. Subdirectories are", "not scanned.", "$ yara -t Packer -t Compiler /foo/bar/rules bazfile", "Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Com‐", "piler.", "$ cat /foo/bar/rules | yara -r /foo", "Scan all files in the /foo directory and its subdirectories. Rules are read from stan‐", "dard input.", "$ yara -d mybool=true -d myint=5 -d mystring=\"my string\" /foo/bar/rules bazfile", "Defines three external variables mybool myint and mystring.", "$ yara -x cuckoo=cuckoojsonreport /foo/bar/rules bazfile", "Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoojsonre‐", "port to the cuckoo module." ], "see_also": [] }