# yara(1) - man - phpMan [yara(1)](https://www.chedong.com/phpMan.php/man/yara/1/markdown) General Commands Manual [yara(1)](https://www.chedong.com/phpMan.php/man/yara/1/markdown) ## NAME yara - find files matching patterns and rules written in a special-purpose language. ## SYNOPSIS **yara** [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID ## DESCRIPTION yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE. The options to [_yara_(1)](https://www.chedong.com/phpMan.php/man/yara/1/markdown) are: **--atom-quality-table** Path to a file with the atom quality table. ### -C --compiled-rules RULES_FILE contains rules already compiled with yarac. ### -c --count Print number of matches only. ### -d --define Define an external variable. This option can be used multiple times. **--fail-on-warnings** Treat warnings as errors. Has no effect if used with **--no-warnings.** ### -f --fast-scan Speeds up scanning by searching only for the first occurrence of each pattern. ### -i --identifier= Print rules named _identifier_ and ignore the rest. This option can be used multiple times. **--max-process-memory-chunk=**_size_ While scanning process memory read data in chunks of the given _size_ in bytes. ### -l --max-rules= Abort scanning after a _number_ of rules matched. **--max-strings-per-rule=**_number_ Set maximum number of strings per rule (default=10000) ### -x --module-data Pass file's content as extra data to module. This option can be used multiple times. ### -n --negate Print rules that doesn't apply (negate). ### -w --no-warnings Disable warnings. ### -m --print-meta Print metadata associated to the rule. ### -D --print-module-data Print module data. ### -M --module-names show module names ### -e --print-namespace Print namespace associated to the rule. ### -S --print-stats Print rules' statistics. ### -s --print-strings Print strings found in the file. ### -L --print-string-length Print length of strings found in the file. ### -X --print-xor-key Print xor key of matched strings. ### -g --print-tags Print the tags associated to the rule. ### -r --recursive Scan files in directories recursively. It follows symlinks. **--scan-list** Scan files listed in FILE, one per line. ### -z --skip-larger= Skip files larger than the given _size_ in bytes when scanning a directory. ### -k --stack-size= Set maximum stack size to the specified number of _slots._ ### -t --tag= Print rules tagged as _tag_ and ignore the rest. This option can be used multiple times. ### -p --threads= Use the specified _number_ of threads to scan a directory. ### -a --timeout= Abort scanning after a number of _seconds_ has elapsed. ### -v --version Show version information. ## EXAMPLES $ yara /foo/bar/rules . Apply rules on _/foo/bar/rules_ to all files on current directory. Subdirectories are not scanned. $ yara -t Packer -t Compiler /foo/bar/rules bazfile Apply rules on _/foo/bar/rules_ to _bazfile._ Only reports rules tagged as _Packer_ or _Com__‐ _piler._ $ cat /foo/bar/rules | yara -r /foo Scan all files in the _/foo_ directory and its subdirectories. Rules are read from stan‐ dard input. $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile Defines three external variables _mybool_ _myint_ and _mystring._ $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile Apply rules on _/foo/bar/rules_ to _bazfile_ while passing the content of _cuckoo_json_re__‐ _port_ to the cuckoo module. ## AUTHOR Victor M. Alvarez <>;<> Victor M. Alvarez September 22, 2008 [yara(1)](https://www.chedong.com/phpMan.php/man/yara/1/markdown)