FreeBSD Manual Pages

yara(1)			    General Commands Manual		       yara(1)

NAME
       yara - find files matching patterns and rules written in a special-purpose
       language.

SYNOPSIS
       yara [OPTION]...	[NAMESPACE:]RULES_FILE... FILE | DIR | PID

DESCRIPTION
       yara scans the given FILE, all files contained in directory DIR, or the
       process identified by PID, looking for matches of patterns and rules
       provided in a special-purpose language. The rules are read from one or
       more RULES_FILE.

       The options to yara(1) are:

	   --atom-quality-table
	      Path to a	file with the atom quality table.

       -C  --compiled-rules
	      RULES_FILE contains rules	already	compiled with yarac.

       -c  --count
	      Print number of matches only.

       -d  --define=identifier=value
	      Define  an  external  variable. This option can be used multiple
	      times.

	   --fail-on-warnings
	      Treat warnings as errors. Has no effect if used with
	      --no-warnings.

       -f  --fast-scan
	      Speeds up	scanning by searching only for the first occurrence of
	      each pattern.

       -i identifier --identifier=identifier
	      Print rules named	identifier and ignore the  rest.  This	option
	      can be used multiple times.

       -l number --max-rules=number
	      Abort scanning after a number of rules matched.

	   --max-strings-per-rule=number
	      Set maximum number of strings per	rule (default=10000)

       -x  --module-data=module=file
	      Pass  file's content as extra data to module. This option	can be
	      used multiple times.

       -n  --negate
	      Print rules that do not apply (negate).

       -w  --no-warnings
	      Disable warnings.

       -m  --print-meta
	      Print metadata associated with the rule.

       -D  --print-module-data
	      Print module data.

       -e  --print-namespace
	      Print namespace associated with the rule.

       -S  --print-stats
	      Print rules' statistics.

       -s  --print-strings
	      Print strings found in the file.

       -L  --print-string-length
	      Print length of strings found in the file.

       -g  --print-tags
	      Print the tags associated with the rule.

       -r  --recursive
	      Scan files in directories	recursively. It	follows	symlinks.

	   --scan-list
	      Scan files listed	in FILE, one per line.

       -k slots	--stack-size=slots
	      Set maximum stack	size to	the specified number of	slots.

       -t tag --tag=tag
	      Print rules tagged as tag	and ignore the rest. This  option  can
	      be used multiple times.

       -p number --threads=number
	      Use the specified	number of threads to scan a directory.

       -a seconds --timeout=seconds
	      Abort scanning after a number of seconds has elapsed.

       -v  --version
	      Show version information.

EXAMPLES
       $ yara /foo/bar/rules .

	      Apply the rules in /foo/bar/rules to all files in the current
	      directory. Subdirectories are not scanned.

       $ yara -t Packer	-t Compiler /foo/bar/rules bazfile

	      Apply the rules in /foo/bar/rules to bazfile. Only rules tagged
	      as Packer or Compiler are reported.

       $ cat /foo/bar/rules | yara -r /foo

	      Scan  all	 files	in  the	/foo directory and its subdirectories.
	      Rules are	read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" \
	      /foo/bar/rules bazfile

	      Defines three external variables: mybool, myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

	      Apply the rules in /foo/bar/rules to bazfile while passing the
	      content of cuckoo_json_report to the cuckoo module.
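
       The -r option follows symlinks, so a recursive scan of an untrusted
       tree can reach files outside it. The following added example (not part
       of the yara distribution; the helper names build_scan_list and
       scan_tree are hypothetical) builds a --scan-list file holding only
       regular files and leaves out paths the one-per-line format cannot
       represent.

```shell
#!/bin/sh
# Added example; build_scan_list and scan_tree are hypothetical helper names.
NL='
'

# build_scan_list DIR OUT
# Write every regular file under DIR to OUT, one path per line (the format
# --scan-list reads). find(1) does not follow symlinks by default, and
# "-type f" drops the symlinks themselves.
build_scan_list() {
    bsl_dir=$1 bsl_out=$2
    if [ ! -d "$bsl_dir" ] || [ -L "$bsl_dir" ]; then
        echo "build_scan_list: not a real directory: $bsl_dir" >&2
        return 2
    fi
    # A path containing a newline would be read as two entries: report it
    # on stderr and leave it out of the list.
    find "$bsl_dir" -type f -path "*${NL}*" \
        -exec printf 'skipped (newline in path): %s\n' {} \; >&2
    find "$bsl_dir" -type f ! -path "*${NL}*" -print > "$bsl_out"
}

# scan_tree RULES_FILE DIR
# Scan DIR with options documented on this page; returns yara's exit status.
scan_tree() {
    st_list=$(mktemp) || return 1
    st_rc=0
    if build_scan_list "$2" "$st_list"; then
        yara --fail-on-warnings -a 60 --scan-list "$1" "$st_list" || st_rc=$?
    else
        st_rc=2
    fi
    rm -f "$st_list"
    return "$st_rc"
}
```

       Call it as scan_tree /foo/bar/rules /foo; the 60-second timeout is an
       arbitrary value chosen for the example.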

AUTHOR
       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez	      September	22, 2008		       yara(1)
