yara(1) FreeBSD General Commands Manual yara(1)

yara - find files matching patterns and rules written in a special-purpose language.

yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

yara scans the given FILE, all files contained in directory DIR, or the process identified by PID, looking for matches of patterns and rules written in a special-purpose language. The rules are read from one or more RULES_FILE.

The options to yara(1) are:

--atom-quality-table
Path to a file with the atom quality table.
-C --compiled-rules
RULES_FILE contains rules already compiled with yarac.
-c --count
Print number of matches only.
-d --define=identifier=value
Define an external variable. This option can be used multiple times.
--fail-on-warnings
Treat warnings as errors. Has no effect if used with --no-warnings.
-f --fast-scan
Speeds up scanning by searching only for the first occurrence of each pattern.
-i identifier --identifier=identifier
Print rules named identifier and ignore the rest. This option can be used multiple times.
-l number --max-rules=number
Abort scanning after a number of rules matched.
--max-strings-per-rule=number
Set maximum number of strings per rule (default=10000)
-x --module-data=module=file
Pass file's content as extra data to module. This option can be used multiple times.
-n --negate
Print rules that do not apply (negate).
-w --no-warnings
Disable warnings.
-m --print-meta
Print metadata associated with the rule.
-D --print-module-data
Print module data.
-e --print-namespace
Print namespace associated with the rule.
-S --print-stats
Print rules' statistics.
-s --print-strings
Print strings found in the file.
-L --print-string-length
Print length of strings found in the file.
-g --print-tags
Print the tags associated with the rule.
-r --recursive
Scan files in directories recursively. It follows symlinks.
--scan-list
Scan files listed in FILE, one per line.
-k slots --stack-size=slots
Set maximum stack size to the specified number of slots.
-t tag --tag=tag
Print rules tagged as tag and ignore the rest. This option can be used multiple times.
-p number --threads=number
Use the specified number of threads to scan a directory.
-a seconds --timeout=seconds
Abort scanning after a number of seconds has elapsed.
-v --version
Show version information.

$ yara /foo/bar/rules .

Apply the rules in /foo/bar/rules to all files in the current directory. Subdirectories are not scanned.

$ yara -t Packer -t Compiler /foo/bar/rules bazfile

Apply the rules in /foo/bar/rules to bazfile. Only rules tagged as Packer or Compiler are reported.

$ cat /foo/bar/rules | yara -r /foo

Scan all files in the /foo directory and its subdirectories. Rules are read from standard input.

$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile

Defines three external variables: mybool, myint and mystring.
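
A rule file that could consume those three variables, added here as an example and not part of the original man page; the rule name, its metadata and the marker string are constructed. The identifiers in the condition resolve only because -d defines them, and the Packer tag is what -t Packer in the earlier example filters on.

```yara
// Constructed rule for /foo/bar/rules (illustrative only).
// Invoked as on the man page:
//   yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
rule ExternalVarsDemo : Packer
{
    meta:
        description = "Constructed example: gate a string match on external variables"

    strings:
        $marker = "example-marker"   // constructed sample string

    condition:
        // mybool is used directly as a boolean, myint in an integer
        // comparison, mystring with the string operator 'contains'.
        mybool and myint == 5 and mystring contains "my" and $marker
}
```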

$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

Apply the rules in /foo/bar/rules to bazfile while passing the content of cuckoo_json_report to the cuckoo module.

Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>
September 22, 2008 Victor M. Alvarez
