yara(1)
NAME
yara - find files matching patterns and rules written in a special-purpose language.
SYNOPSIS
yara [OPTION]... [RULEFILE]... FILE | PID
DESCRIPTION
Yara scans the given FILE, or the process identified by PID, and checks
whether it matches the patterns and rules written in a special-purpose
language. The rules are read from RULEFILEs or standard input.
The options to yara(1) are:
-t tag --tag=tag
Print rules tagged as tag and ignore the rest. This option can
be used multiple times.
-i identifier --identifier=identifier
Print rules named identifier and ignore the rest. This option
can be used multiple times.
-n --negate
Print rules that don't apply (negate).
-D --print-module-data
Print module data.
-g --print-tags
Print the tags associated with the rule.
-m --print-meta
Print metadata associated with the rule.
-s --print-strings
Print strings found in the file.
-p number --threads=number
Use the specified number of threads to scan a directory.
-l number --max-rules=number
Abort scanning after a number of rules matched.
-a seconds --timeout=seconds
Abort scanning after a number of seconds has elapsed.
-d identifier=value
Define an external variable. This option can be used multiple
times.
-x module=file
Pass file's content as extra data to module. This option can be
used multiple times.
-r --recursive
Scan files in directories recursively.
-f --fast-scan
Speeds up scanning by searching only for the first occurrence of
each pattern.
-w --no-warnings
Disable warnings.
-v --version
Show version information.
EXAMPLES
$ yara /foo/bar/rules1 /foo/bar/rules2 .
Apply rules on /foo/bar/rules1 and /foo/bar/rules2 to all files
on current directory. Subdirectories are not scanned.
$ yara -t Packer -t Compiler /foo/bar/rules bazfile
Apply rules on /foo/bar/rules to bazfile. Only reports rules
tagged as Packer or Compiler.
$ cat /foo/bar/rules1 | yara -r /foo
Scan all files in the /foo directory and its subdirectories.
Rules are read from standard input.
$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
Defines three external variables: mybool, myint and mystring.
$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile
Apply rules on /foo/bar/rules to bazfile while passing the content
of cuckoo_json_report to the cuckoo module.
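The -t and -d examples above assume a rule file that carries tags and refers to external variables. The following added example (not part of the original man page) writes such a rule file and runs those options against a constructed sample file; the rule names, strings and file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the yara man page. Rule names, strings and the
# sample file are constructed for illustration.

# Write a rule file and a sample file into the directory given as $1.
write_demo() {
    cat > "$1/rules.yar" <<'EOF'
rule UpxMarker : Packer
{
    strings:
        $upx = "UPX!"
    condition:
        // mybool, myint and mystring are external variables supplied with -d
        $upx and mybool and myint == 5 and mystring contains "my"
}

rule GccBanner : Compiler
{
    strings:
        $gcc = "GCC: (GNU)"
    condition:
        $gcc
}

rule AlwaysTrue
{
    condition:
        true
}
EOF
    printf 'MZ constructed sample UPX! GCC: (GNU) 4.8\n' > "$1/sample.bin"
}

# Scan the sample, reporting only rules tagged Packer or Compiler.
# -g prints each rule's tags, -s prints the matched strings with offsets.
scan_demo() {
    yara -t Packer -t Compiler -g -s \
        -d mybool=true -d myint=5 -d mystring="my string" \
        "$1/rules.yar" "$1/sample.bin"
}

demo_dir=$(mktemp -d)
write_demo "$demo_dir"
if command -v yara >/dev/null 2>&1; then
    scan_demo "$demo_dir"
else
    echo "yara not found in PATH; rules written to $demo_dir" >&2
fi
```

AlwaysTrue matches every file but is not reported, because it has neither of the requested tags. Dropping any of the three -d definitions makes the rule file fail to compile, since UpxMarker refers to all three variables.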
AUTHOR
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>
Victor M. Alvarez September 22, 2008 yara(1)