NAME

yara - find files matching patterns and rules written in a special-purpose language.

SYNOPSIS

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION

yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE.

The options to yara(1) are:

--atom-quality-table: Path to a file with the atom quality table.
-C --compiled-rules: RULES_FILE contains rules already compiled with yarac.
-c --count: Print number of matches only.
-d --define=identifier=value: Define an external variable. This option can be used multiple times.
--fail-on-warnings: Treat warnings as errors. Has no effect if used with --no-warnings.
-f --fast-scan: Speeds up scanning by searching only for the first occurrence of each pattern.
-i identifier --identifier=identifier: Print rules named identifier and ignore the rest. This option can be used multiple times.
-l number --max-rules=number: Abort scanning after a number of rules matched.
--max-strings-per-rule=number: Set maximum number of strings per rule (default=10000)
-x --module-data=module=file: Pass file's content as extra data to module. This option can be used multiple times.
-n --negate: Print rules that doesn't apply (negate).
-w --no-warnings: Disable warnings.
-m --print-meta: Print metadata associated to the rule.
-D --print-module-data: Print module data.
-e --print-namespace: Print namespace associated to the rule.
-S --print-stats: Print rules' statistics.
-s --print-strings: Print strings found in the file.
-L --print-string-length: Print length of strings found in the file.
-g --print-tags: Print the tags associated to the rule.
-r --recursive: Scan files in directories recursively. It follows symlinks.
--scan-list: Scan files listed in FILE, one per line.
-k slots --stack-size=slots: Set maximum stack size to the specified number of slots.
-t tag --tag=tag: Print rules tagged as tag and ignore the rest. This option can be used multiple times.
-p number --threads=number: Use the specified number of threads to scan a directory.
-a seconds --timeout=seconds: Abort scanning after a number of seconds has elapsed.
-v --version: Show version information.

EXAMPLES

$ yara /foo/bar/rules .

Apply rules on /foo/bar/rules to all files on current directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile

Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler.

$ cat /foo/bar/rules | yara -r /foo

Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

Defines three external variables mybool myint and mystring.

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.

AUTHOR

Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

September 22, 2008

Victor M. Alvarez