{
    "content": [
        {
            "type": "text",
            "text": "# yara(1) (man)\n\n**Summary:** yara - find files matching patterns and rules written in a special-purpose language.\n\n**Synopsis:** yara [OPTION]... [NAMESPACE:]RULESFILE... FILE | DIR | PID\n\n## Flags\n\n| Flag | Long | Arg | Description |\n|------|------|-----|-------------|\n| -C | --compiled-rules | — | RULESFILE contains rules already compiled with yarac. |\n| -c | --count | — | Print number of matches only. |\n| -d | --define | — | Define an external variable. This option can be used multiple times. |\n| — | --fail-on-warnings | — | Treat warnings as errors. Has no effect if used with --no-warnings. |\n| -f | --fast-scan | — | Speeds up scanning by searching only for the first occurrence of each pattern. |\n| -i | --identifier | — | Print rules named identifier and ignore the rest. This option can be used multiple times. |\n| — | --max-process-memory-chunk | size | While scanning process memory, read data in chunks of the given size in bytes. |\n| -l | --max-rules | — | Abort scanning after a number of rules matched. |\n| — | --max-strings-per-rule | number | Set maximum number of strings per rule (default=10000) |\n| -x | --module-data | — | Pass file's content as extra data to module. This option can be used multiple times. |\n| -n | --negate | — | Print rules that don't apply (negate). |\n| -w | --no-warnings | — | Disable warnings. |\n| -m | --print-meta | — | Print metadata associated with the rule. |\n| -D | --print-module-data | — | Print module data. |\n| -M | --module-names | — | Show module names. |\n| -e | --print-namespace | — | Print namespace associated with the rule. |\n| -S | --print-stats | — | Print rules' statistics. |\n| -s | --print-strings | — | Print strings found in the file. |\n| -L | --print-string-length | — | Print length of strings found in the file. |\n| -X | --print-xor-key | — | Print xor key of matched strings. |\n| -g | --print-tags | — | Print the tags associated with the rule. |\n| -r | --recursive | — | Scan files in directories recursively. It follows symlinks. |\n| — | --scan-list | — | Scan files listed in FILE, one per line. 
|\n| -z | --skip-larger | — | Skip files larger than the given size in bytes when scanning a directory. |\n| -k | --stack-size | — | Set maximum stack size to the specified number of slots. |\n| -t | --tag | — | Print rules tagged as tag and ignore the rest. This option can be used multiple times. |\n| -p | --threads | — | Use the specified number of threads to scan a directory. |\n| -a | --timeout | — | Abort scanning after a number of seconds has elapsed. |\n| -v | --version | — | Show version information. |\n\n## Examples\n\n- `$ yara /foo/bar/rules .`\n  Apply rules on /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.\n- `$ yara -t Packer -t Compiler /foo/bar/rules bazfile`\n  Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.\n- `$ cat /foo/bar/rules | yara -r /foo`\n  Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.\n- `$ yara -d mybool=true -d myint=5 -d mystring=\"my string\" /foo/bar/rules bazfile`\n  Defines three external variables: mybool, myint and mystring.\n- `$ yara -x cuckoo=cuckoojsonreport /foo/bar/rules bazfile`\n  Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoojsonreport to the cuckoo module.\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (9 lines) — 25 subsections\n  - -C  --compiled-rules (2 lines)\n  - -c  --count (2 lines)\n  - -d --define (5 lines)\n  - -f  --fast-scan (2 lines)\n  - -i --identifier= (6 lines)\n  - -l --max-rules= (5 lines)\n  - -x --module-data (2 lines)\n  - -n  --negate (2 lines)\n  - -w  --no-warnings (2 lines)\n  - -m  --print-meta (2 lines)\n  - -D  --print-module-data (2 lines)\n  - -M  --module-names (2 lines)\n  - -e  --print-namespace (2 lines)\n  - -S  --print-stats (2 lines)\n  - -s  --print-strings (2 lines)\n  - -L  --print-string-length (2 lines)\n  - -X  --print-xor-key (2 lines)\n  - -g  --print-tags (2 lines)\n  - -r  
--recursive (5 lines)\n  - -z --skip-larger= (2 lines)\n  - -k --stack-size= (2 lines)\n  - -t --tag= (2 lines)\n  - -p --threads= (2 lines)\n  - -a --timeout= (2 lines)\n  - -v  --version (2 lines)\n- **EXAMPLES** (25 lines)\n- **AUTHOR** (5 lines)\n\n## Full Content\n\n### NAME\n\nyara - find files matching patterns and rules written in a special-purpose language.\n\n### SYNOPSIS\n\nyara [OPTION]... [NAMESPACE:]RULESFILE... FILE | DIR | PID\n\n### DESCRIPTION\n\nyara scans the given FILE, all files contained in directory DIR, or the process identified by PID, looking for matches of patterns and rules provided in a special-purpose language. The rules are read from one or more RULESFILE.\n\nThe options to yara(1) are:\n\n--atom-quality-table\nPath to a file with the atom quality table.\n\n#### -C  --compiled-rules\n\nRULESFILE contains rules already compiled with yarac.\n\n#### -c  --count\n\nPrint number of matches only.\n\n#### -d --define\n\nDefine an external variable. This option can be used multiple times.\n\n--fail-on-warnings\nTreat warnings as errors. Has no effect if used with --no-warnings.\n\n#### -f  --fast-scan\n\nSpeeds up scanning by searching only for the first occurrence of each pattern.\n\n#### -i --identifier=\n\nPrint rules named identifier and ignore the rest. This option can be used multiple times.\n\n--max-process-memory-chunk=size\nWhile scanning process memory, read data in chunks of the given size in bytes.\n\n#### -l --max-rules=\n\nAbort scanning after a number of rules matched.\n\n--max-strings-per-rule=number\nSet maximum number of strings per rule (default=10000)\n\n#### -x --module-data\n\nPass file's content as extra data to module. 
This option can be used multiple times.\n\n#### -n  --negate\n\nPrint rules that don't apply (negate).\n\n#### -w  --no-warnings\n\nDisable warnings.\n\n#### -m  --print-meta\n\nPrint metadata associated with the rule.\n\n#### -D  --print-module-data\n\nPrint module data.\n\n#### -M  --module-names\n\nShow module names.\n\n#### -e  --print-namespace\n\nPrint namespace associated with the rule.\n\n#### -S  --print-stats\n\nPrint rules' statistics.\n\n#### -s  --print-strings\n\nPrint strings found in the file.\n\n#### -L  --print-string-length\n\nPrint length of strings found in the file.\n\n#### -X  --print-xor-key\n\nPrint xor key of matched strings.\n\n#### -g  --print-tags\n\nPrint the tags associated with the rule.\n\n#### -r  --recursive\n\nScan files in directories recursively. It follows symlinks.\n\n--scan-list\nScan files listed in FILE, one per line.\n\n#### -z --skip-larger=\n\nSkip files larger than the given size in bytes when scanning a directory.\n\n#### -k --stack-size=\n\nSet maximum stack size to the specified number of slots.\n\n#### -t --tag=\n\nPrint rules tagged as tag and ignore the rest. This option can be used multiple times.\n\n#### -p --threads=\n\nUse the specified number of threads to scan a directory.\n\n#### -a --timeout=\n\nAbort scanning after a number of seconds has elapsed.\n\n#### -v  --version\n\nShow version information.\n\n### EXAMPLES\n\n$ yara /foo/bar/rules .\n\nApply rules on /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.\n\n$ yara -t Packer -t Compiler /foo/bar/rules bazfile\n\nApply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.\n\n$ cat /foo/bar/rules | yara -r /foo\n\nScan all files in the /foo directory and its subdirectories. 
Rules are read from standard input.\n\n$ yara -d mybool=true -d myint=5 -d mystring=\"my string\" /foo/bar/rules bazfile\n\nDefines three external variables: mybool, myint and mystring.\n\n$ yara -x cuckoo=cuckoojsonreport /foo/bar/rules bazfile\n\nApply rules on /foo/bar/rules to bazfile while passing the content of cuckoojsonreport to the cuckoo module.\n\n### AUTHOR\n\nVictor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>\n\n\n\nVictor M. Alvarez                        September 22, 2008                                  yara(1)\n\n"
        }
    ],
    "structuredContent": {
        "command": "yara",
        "section": "1",
        "mode": "man",
        "summary": "yara - find files matching patterns and rules written in a special-purpose language.",
        "synopsis": "yara [OPTION]... [NAMESPACE:]RULESFILE... FILE | DIR | PID",
        "flags": [
            {
                "flag": "-C",
                "long": "--compiled-rules",
                "arg": null,
                "description": "RULESFILE contains rules already compiled with yarac."
            },
            {
                "flag": "-c",
                "long": "--count",
                "arg": null,
                "description": "Print number of matches only."
            },
            {
                "flag": "-d",
                "long": "--define",
                "arg": null,
                "description": "Define an external variable. This option can be used multiple times."
            },
            {
                "flag": null,
                "long": "--fail-on-warnings",
                "arg": null,
                "description": "Treat warnings as errors. Has no effect if used with --no-warnings."
            },
            {
                "flag": "-f",
                "long": "--fast-scan",
                "arg": null,
                "description": "Speeds up scanning by searching only for the first occurrence of each pattern."
            },
            {
                "flag": "-i",
                "long": "--identifier",
                "arg": null,
                "description": "Print rules named identifier and ignore the rest. This option can be used multiple times."
            },
            {
                "flag": null,
                "long": "--max-process-memory-chunk",
                "arg": "size",
                "description": "While scanning process memory, read data in chunks of the given size in bytes."
            },
            {
                "flag": "-l",
                "long": "--max-rules",
                "arg": null,
                "description": "Abort scanning after a number of rules matched."
            },
            {
                "flag": null,
                "long": "--max-strings-per-rule",
                "arg": "number",
                "description": "Set maximum number of strings per rule (default=10000)"
            },
            {
                "flag": "-x",
                "long": "--module-data",
                "arg": null,
                "description": "Pass file's content as extra data to module. This option can be used multiple times."
            },
            {
                "flag": "-n",
                "long": "--negate",
                "arg": null,
                "description": "Print rules that don't apply (negate)."
            },
            {
                "flag": "-w",
                "long": "--no-warnings",
                "arg": null,
                "description": "Disable warnings."
            },
            {
                "flag": "-m",
                "long": "--print-meta",
                "arg": null,
                "description": "Print metadata associated with the rule."
            },
            {
                "flag": "-D",
                "long": "--print-module-data",
                "arg": null,
                "description": "Print module data."
            },
            {
                "flag": "-M",
                "long": "--module-names",
                "arg": null,
                "description": "Show module names."
            },
            {
                "flag": "-e",
                "long": "--print-namespace",
                "arg": null,
                "description": "Print namespace associated with the rule."
            },
            {
                "flag": "-S",
                "long": "--print-stats",
                "arg": null,
                "description": "Print rules' statistics."
            },
            {
                "flag": "-s",
                "long": "--print-strings",
                "arg": null,
                "description": "Print strings found in the file."
            },
            {
                "flag": "-L",
                "long": "--print-string-length",
                "arg": null,
                "description": "Print length of strings found in the file."
            },
            {
                "flag": "-X",
                "long": "--print-xor-key",
                "arg": null,
                "description": "Print xor key of matched strings."
            },
            {
                "flag": "-g",
                "long": "--print-tags",
                "arg": null,
                "description": "Print the tags associated with the rule."
            },
            {
                "flag": "-r",
                "long": "--recursive",
                "arg": null,
                "description": "Scan files in directories recursively. It follows symlinks."
            },
            {
                "flag": null,
                "long": "--scan-list",
                "arg": null,
                "description": "Scan files listed in FILE, one per line."
            },
            {
                "flag": "-z",
                "long": "--skip-larger",
                "arg": null,
                "description": "Skip files larger than the given size in bytes when scanning a directory."
            },
            {
                "flag": "-k",
                "long": "--stack-size",
                "arg": null,
                "description": "Set maximum stack size to the specified number of slots."
            },
            {
                "flag": "-t",
                "long": "--tag",
                "arg": null,
                "description": "Print rules tagged as tag and ignore the rest. This option can be used multiple times."
            },
            {
                "flag": "-p",
                "long": "--threads",
                "arg": null,
                "description": "Use the specified number of threads to scan a directory."
            },
            {
                "flag": "-a",
                "long": "--timeout",
                "arg": null,
                "description": "Abort scanning after a number of seconds has elapsed."
            },
            {
                "flag": "-v",
                "long": "--version",
                "arg": null,
                "description": "Show version information."
            }
        ],
        "examples": [
            "$ yara /foo/bar/rules .",
            "Apply rules on /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.",
            "$ yara -t Packer -t Compiler /foo/bar/rules bazfile",
            "Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.",
            "$ cat /foo/bar/rules | yara -r /foo",
            "Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.",
            "$ yara -d mybool=true -d myint=5 -d mystring=\"my string\" /foo/bar/rules bazfile",
            "Defines three external variables: mybool, myint and mystring.",
            "$ yara -x cuckoo=cuckoojsonreport /foo/bar/rules bazfile",
            "Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoojsonreport to the cuckoo module."
        ],
        "see_also": [],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 9,
                "subsections": [
                    {
                        "name": "-C  --compiled-rules",
                        "lines": 2,
                        "flag": "-C",
                        "long": "--compiled-rules"
                    },
                    {
                        "name": "-c  --count",
                        "lines": 2,
                        "flag": "-c",
                        "long": "--count"
                    },
                    {
                        "name": "-d --define",
                        "lines": 5,
                        "flag": "-d",
                        "long": "--define"
                    },
                    {
                        "name": "-f  --fast-scan",
                        "lines": 2,
                        "flag": "-f",
                        "long": "--fast-scan"
                    },
                    {
                        "name": "-i --identifier=",
                        "lines": 6,
                        "flag": "-i"
                    },
                    {
                        "name": "-l --max-rules=",
                        "lines": 5,
                        "flag": "-l"
                    },
                    {
                        "name": "-x --module-data",
                        "lines": 2,
                        "flag": "-x",
                        "long": "--module-data"
                    },
                    {
                        "name": "-n  --negate",
                        "lines": 2,
                        "flag": "-n",
                        "long": "--negate"
                    },
                    {
                        "name": "-w  --no-warnings",
                        "lines": 2,
                        "flag": "-w",
                        "long": "--no-warnings"
                    },
                    {
                        "name": "-m  --print-meta",
                        "lines": 2,
                        "flag": "-m",
                        "long": "--print-meta"
                    },
                    {
                        "name": "-D  --print-module-data",
                        "lines": 2,
                        "flag": "-D",
                        "long": "--print-module-data"
                    },
                    {
                        "name": "-M  --module-names",
                        "lines": 2,
                        "flag": "-M",
                        "long": "--module-names"
                    },
                    {
                        "name": "-e  --print-namespace",
                        "lines": 2,
                        "flag": "-e",
                        "long": "--print-namespace"
                    },
                    {
                        "name": "-S  --print-stats",
                        "lines": 2,
                        "flag": "-S",
                        "long": "--print-stats"
                    },
                    {
                        "name": "-s  --print-strings",
                        "lines": 2,
                        "flag": "-s",
                        "long": "--print-strings"
                    },
                    {
                        "name": "-L  --print-string-length",
                        "lines": 2,
                        "flag": "-L",
                        "long": "--print-string-length"
                    },
                    {
                        "name": "-X  --print-xor-key",
                        "lines": 2,
                        "flag": "-X",
                        "long": "--print-xor-key"
                    },
                    {
                        "name": "-g  --print-tags",
                        "lines": 2,
                        "flag": "-g",
                        "long": "--print-tags"
                    },
                    {
                        "name": "-r  --recursive",
                        "lines": 5,
                        "flag": "-r",
                        "long": "--recursive"
                    },
                    {
                        "name": "-z --skip-larger=",
                        "lines": 2,
                        "flag": "-z"
                    },
                    {
                        "name": "-k --stack-size=",
                        "lines": 2,
                        "flag": "-k"
                    },
                    {
                        "name": "-t --tag=",
                        "lines": 2,
                        "flag": "-t"
                    },
                    {
                        "name": "-p --threads=",
                        "lines": 2,
                        "flag": "-p"
                    },
                    {
                        "name": "-a --timeout=",
                        "lines": 2,
                        "flag": "-a"
                    },
                    {
                        "name": "-v  --version",
                        "lines": 2,
                        "flag": "-v",
                        "long": "--version"
                    }
                ]
            },
            {
                "name": "EXAMPLES",
                "lines": 25,
                "subsections": []
            },
            {
                "name": "AUTHOR",
                "lines": 5,
                "subsections": []
            }
        ]
    }
}