
yara - find files matching patterns and rules written in a special-purpose language.

Author

       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez                              September 22, 2008                                        yara(1)

Description

       yara scans the given FILE, all files contained in directory DIR, or the process identified by PID, looking
       for matches of patterns and rules written in a special-purpose language. The rules are read from one or
       more RULES_FILE.

       The options to yara(1) are:

           --atom-quality-table
              Path to a file with the atom quality table.

       -C, --compiled-rules
              RULES_FILE contains rules already compiled with yarac.

       -c, --count
              Print the number of matches only.

       -d, --define=identifier=value
              Define an external variable. This option can be used multiple times.

           --fail-on-warnings
              Treat warnings as errors. Has no effect if used with --no-warnings.

       -f, --fast-scan
              Speeds up scanning by searching only for the first occurrence of each pattern.

       -i identifier, --identifier=identifier
              Print rules named identifier and ignore the rest. This option can be used multiple times.

           --max-process-memory-chunk=size
              While scanning process memory, read data in chunks of the given size in bytes.

       -l number, --max-rules=number
              Abort scanning after number rules have matched.

           --max-strings-per-rule=number
              Set the maximum number of strings per rule (default=10000).

       -x, --module-data=module=file
              Pass the content of file as extra data to module. This option can be used multiple times.

       -n, --negate
              Print rules that don't apply (negate).

       -w, --no-warnings
              Disable warnings.

       -m, --print-meta
              Print the metadata associated with the rule.

       -D, --print-module-data
              Print module data.

       -M, --module-names
              Show module names.

       -e, --print-namespace
              Print the namespace associated with the rule.

       -S, --print-stats
              Print rules' statistics.

       -s, --print-strings
              Print the strings found in the file.

       -L, --print-string-length
              Print the length of the strings found in the file.

       -X, --print-xor-key
              Print the xor key of matched strings.

       -g, --print-tags
              Print the tags associated with the rule.

       -r, --recursive
              Scan files in directories recursively. It follows symlinks.

           --scan-list
              Scan the files listed in FILE, one per line.

       -z size, --skip-larger=size
              Skip files larger than the given size in bytes when scanning a directory.

       -k slots, --stack-size=slots
              Set the maximum stack size to the specified number of slots.

           --strict-escape
              Print warnings if rules contain ambiguous escape statements.

       -t tag, --tag=tag
              Print rules tagged as tag and ignore the rest. This option can be used multiple times.

       -p number, --threads=number
              Use the specified number of threads to scan a directory.

       -a seconds, --timeout=seconds
              Abort scanning after the given number of seconds has elapsed.

       -v, --version
              Show version information.

Examples

       $ yara /foo/bar/rules .

              Apply rules on /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

              Apply rules on /foo/bar/rules to bazfile.  Only reports rules tagged as Packer or Compiler.

       $ cat /foo/bar/rules | yara -r /foo

              Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

              Defines three external variables: mybool, myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

              Apply rules on /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the
              cuckoo module.
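       The following script is an added example, not part of the yara man page or the yara project. It ties the
       options above and the invocations in this section together: it writes a small rules file whose rules carry
       tags, meta and a condition on the external variables mybool, myint and mystring, builds a scan list of
       constructed sample files, and then runs yara with -d, -m, -g, -s, -e, -t and --scan-list. The rule names,
       sample contents, marker string and working directory are all constructed for the demonstration; yara itself
       is assumed to be on PATH and is skipped (status 2) when it is not.

```shell
#!/bin/sh
# Added example: exercise the documented yara options end to end.
# Everything below (rule names, marker string, sample files) is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write two rules: one tagged Packer with meta, and one tagged Compiler whose
# condition depends on the external variables supplied with -d at scan time.
# Prints the path of the rules file.
write_rules() {
    cat > "$WORK/rules.yar" <<'EOF'
rule suspicious_packer : Packer
{
    meta:
        author = "example"
        description = "constructed marker standing in for a packer signature"
    strings:
        $marker = "CONSTRUCTED_PACKER_MARKER"
    condition:
        $marker
}

rule needs_externals : Compiler
{
    strings:
        $hello = "hello"
    condition:
        $hello and mybool and myint > 3 and mystring == "my string"
}
EOF
    printf '%s\n' "$WORK/rules.yar"
}

# Create three constructed sample files and a scan list (one path per line)
# so that --scan-list can be used instead of a directory. Prints the list path.
write_samples() {
    mkdir -p "$WORK/samples"
    printf 'hello world\nCONSTRUCTED_PACKER_MARKER\n' > "$WORK/samples/packed.bin"
    printf 'hello world\n' > "$WORK/samples/plain.txt"
    printf 'nothing here\n' > "$WORK/samples/other.txt"
    find "$WORK/samples" -type f > "$WORK/scan.lst"
    printf '%s\n' "$WORK/scan.lst"
}

# Return 2 when yara is not installed so callers can tell "no tool" from
# "scan error"; yara's own exit status is passed through otherwise.
have_yara() {
    command -v yara >/dev/null 2>&1 && return 0
    echo "yara not installed; skipping scan" >&2
    return 2
}

# Full report: -d defines the externals before the rules are compiled,
# -m/-g/-s/-e add meta, tags, matched strings and the namespace to each hit.
scan_detail() {
    have_yara || return $?
    yara -m -g -s -e \
        -d mybool=true -d myint=5 -d mystring="my string" \
        --scan-list "$WORK/rules.yar" "$WORK/scan.lst"
}

# Same scan, but -t keeps only rules tagged Packer, so needs_externals is
# compiled and evaluated yet never reported.
scan_tagged() {
    have_yara || return $?
    yara -t Packer \
        -d mybool=true -d myint=5 -d mystring="my string" \
        --scan-list "$WORK/rules.yar" "$WORK/scan.lst"
}

RULES_FILE=$(write_rules)
SCAN_LIST=$(write_samples)
echo "rules: $RULES_FILE  scan list: $SCAN_LIST"
scan_detail || echo "detailed scan skipped or failed (status $?)" >&2
scan_tagged || echo "tagged scan skipped or failed (status $?)" >&2
```

       The externals must be passed with -d on every invocation: a rule that references mybool without a
       definition fails to compile, which is why the script repeats the three -d options for both scans.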

Name

       yara - find files matching patterns and rules written in a special-purpose language.

Synopsis

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

See Also