Provided by: yara_4.5.2-1_amd64
NAME
yara - find files matching patterns and rules written in a special-purpose language.
SYNOPSIS
yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
DESCRIPTION
yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE. The options to yara(1) are: --atom-quality-table Path to a file with the atom quality table. -C --compiled-rules RULES_FILE contains rules already compiled with yarac. -c --count Print number of matches only. -d --define=identifier=value Define an external variable. This option can be used multiple times. --fail-on-warnings Treat warnings as errors. Has no effect if used with --no-warnings. -f --fast-scan Speeds up scanning by searching only for the first occurrence of each pattern. -i identifier --identifier=identifier Print rules named identifier and ignore the rest. This option can be used multiple times. --max-process-memory-chunk=size While scanning process memory read data in chunks of the given size in bytes. -l number --max-rules=number Abort scanning after a number of rules matched. --max-strings-per-rule=number Set maximum number of strings per rule (default=10000) -x --module-data=module=file Pass file's content as extra data to module. This option can be used multiple times. -n --negate Print rules that doesn't apply (negate). -w --no-warnings Disable warnings. -m --print-meta Print metadata associated to the rule. -D --print-module-data Print module data. -M --module-names show module names -e --print-namespace Print namespace associated to the rule. -S --print-stats Print rules' statistics. -s --print-strings Print strings found in the file. -L --print-string-length Print length of strings found in the file. -X --print-xor-key Print xor key of matched strings. -g --print-tags Print the tags associated to the rule. -r --recursive Scan files in directories recursively. It follows symlinks. --scan-list Scan files listed in FILE, one per line. -z size --skip-larger=size Skip files larger than the given size in bytes when scanning a directory. -k slots --stack-size=slots Set maximum stack size to the specified number of slots. --strict-escape Print warnings if rules contain ambiguous escape statements. -t tag --tag=tag Print rules tagged as tag and ignore the rest. This option can be used multiple times. -p number --threads=number Use the specified number of threads to scan a directory. -a seconds --timeout=seconds Abort scanning after a number of seconds has elapsed. -v --version Show version information.
EXAMPLES
$ yara /foo/bar/rules . Apply rules on /foo/bar/rules to all files on current directory. Subdirectories are not scanned. $ yara -t Packer -t Compiler /foo/bar/rules bazfile Apply rules on /foo/bar/rules to bazfile. Only reports rules tagged as Packer or Compiler. $ cat /foo/bar/rules | yara -r /foo Scan all files in the /foo directory and its subdirectories. Rules are read from standard input. $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile Defines three external variables mybool myint and mystring. $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.
AUTHOR
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>