Provided by: yara_3.7.1-1ubuntu2_amd64
NAME
yara - find files matching patterns and rules written in a special-purpose language
SYNOPSIS
yara [OPTION]... RULES_FILE FILE | DIR | PID
DESCRIPTION
yara scans the given FILE, all files contained in directory DIR, or the process identified by PID, looking for matches of patterns and rules written in a special-purpose language. The rules are read from RULES_FILE.

The options to yara(1) are:

-t tag, --tag=tag
       Print rules tagged as tag and ignore the rest. This option can be used multiple times.

-i identifier, --identifier=identifier
       Print rules named identifier and ignore the rest. This option can be used multiple times.

-c, --count
       Print the number of matches only.

-n, --negate
       Print rules that do not match (negate).

-D, --print-module-data
       Print module data.

-g, --print-tags
       Print the tags associated with each matching rule.

-m, --print-meta
       Print the metadata associated with each matching rule.

-s, --print-strings
       Print the strings found in the file.

-L, --print-string-length
       Print the length of the strings found in the file.

-p number, --threads=number
       Use the specified number of threads to scan a directory.

-l number, --max-rules=number
       Abort scanning after number rules have matched.

-a seconds, --timeout=seconds
       Abort scanning after seconds have elapsed.

-k slots, --stack-size=slots
       Set the maximum stack size to the specified number of slots.

-d identifier=value
       Define an external variable. This option can be used multiple times.

-x module=file
       Pass the file's content as extra data to module. This option can be used multiple times.

-r, --recursive
       Scan files in directories recursively.

-f, --fast-scan
       Speed up scanning by searching only for the first occurrence of each pattern.

-w, --no-warnings
       Disable warnings.

--fail-on-warnings
       Treat warnings as errors. Has no effect if used with --no-warnings.

--max-strings-per-rule=number
       Set the maximum number of strings per rule (default: 10000).

-v, --version
       Show version information.
EXAMPLES
$ yara /foo/bar/rules .
       Apply the rules in /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile
       Apply the rules in /foo/bar/rules to bazfile. Only rules tagged as Packer or Compiler are reported.

$ cat /foo/bar/rules | yara -r /foo
       Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
       Define three external variables: mybool, myint, and mystring.

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile
       Apply the rules in /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.
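The following script is an added, self-contained example and is not part of the yara man page or the YARA project. It writes a constructed rules file (two rules, one tagged Packer and one tagged Compiler, the first depending on an invented external variable want_packers) and a few constructed sample files, then runs yara with the options documented above: -d to supply the external variable, -t and -c to count only rules carrying a given tag, -r for a recursive scan, and -g, -m and -s to show tags, metadata and matched string offsets. It assumes yara is on PATH and only writes the rule and sample files if it is not.

```shell
#!/bin/sh
# Added example, not from the yara man page: exercises -d, -t, -c, -r, -g,
# -m and -s against constructed rules and sample files. Rule names, file
# names and the external variable "want_packers" are invented for the demo.
set -eu

# write_demo_rules RULES_PATH: two rules, one per tag. The Packer rule
# references an external variable; without a matching -d on the command
# line yara refuses to compile the rules (undefined identifier).
write_demo_rules() {
    cat > "$1" <<'EOF'
rule packer_marker : Packer
{
    meta:
        description = "constructed demo: UPX marker in a small file"
    strings:
        $upx = "UPX!"
    condition:
        $upx and filesize < 1MB and want_packers
}

rule compiler_marker : Compiler
{
    meta:
        description = "constructed demo: GCC version banner"
    strings:
        $gcc = "GCC:"
    condition:
        $gcc
}
EOF
}

# make_samples DIR: constructed inputs, one placed in a subdirectory so the
# difference between a plain scan and a recursive (-r) scan is visible.
make_samples() {
    mkdir -p "$1/sub"
    printf 'header UPX! trailer\n' > "$1/packed.bin"
    printf 'GCC: (GNU) demo build\n' > "$1/sub/built.o"
    printf 'nothing interesting here\n' > "$1/clean.txt"
}

yara_available() {
    command -v yara >/dev/null 2>&1
}

# count_tagged RULES FILE TAG: number of matching rules carrying TAG.
# -c prints only the count; -t restricts reporting to rules with that tag;
# -d satisfies the external variable the Packer rule needs.
count_tagged() {
    yara -c -t "$3" -d want_packers=true "$1" "$2"
}

# string_hits RULES DIR: with -s each matched string is printed on its own
# line starting with its hex offset; count those lines over a recursive scan.
string_hits() {
    yara -r -s -d want_packers=true "$1" "$2" | grep -c '^0x' || true
}

# show_report RULES DIR: human-readable recursive run with tags (-g),
# metadata (-m) and matched strings (-s).
show_report() {
    yara -r -g -m -s -d want_packers=true "$1" "$2"
}

WORK="${TMPDIR:-/tmp}/yara_demo.$$"
mkdir -p "$WORK/samples"
write_demo_rules "$WORK/rules.yar"
make_samples "$WORK/samples"

if yara_available; then
    show_report "$WORK/rules.yar" "$WORK/samples"
    echo "Packer rules matching packed.bin:   $(count_tagged "$WORK/rules.yar" "$WORK/samples/packed.bin" Packer)"
    echo "Compiler rules matching packed.bin: $(count_tagged "$WORK/rules.yar" "$WORK/samples/packed.bin" Compiler)"
    echo "String hits across the sample tree: $(string_hits "$WORK/rules.yar" "$WORK/samples")"
else
    echo "yara is not installed; rules and samples were written to $WORK" >&2
fi
```

Running it with yara installed prints the tagged, annotated match lines from show_report, followed by a count of 1 Packer rule and 0 Compiler rules for packed.bin and 2 string hits over the whole tree (one in packed.bin, one in sub/built.o). Dropping -d want_packers=true from any of the commands makes yara fail at rule compilation, which is the behaviour a rules file with external variables should have in a pipeline: missing inputs are an error, not silently false.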
AUTHOR
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>