Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   44335 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

yara(1)								       yara(1)

NAME
       yara - find files matching patterns and rules written in a special-pur‐
       pose language.

SYNOPSIS
       yara [OPTION]... [RULEFILE]... FILE | PID

DESCRIPTION
       Yara scans the given FILE or the process indentified by PID looking  if
       it  matches  the	 patterns and rules provided in a special purpose-lan‐
       guage. The rules are read from RULEFILEs or standard input.

       The options to yara(1) are:

       -t tag --tag=tag
	      Print rules tagged as tag and ignore the rest. This  option  can
	      be used multiple times.

       -i identifier --identifier=identifier
	      Print  rules  named  identifier and ignore the rest. This option
	      can be used multiple times.

       -n  --negate
	      Print rules that doesn't apply (negate)

       -D  --print-module-data
	      Print module data.

       -g  --print-tags
	      Print the tags associated to the rule.

       -m  --print-meta
	      Print metadata associated to the rule.

       -s  --print-strings
	      Print strings found in the file.

       -p number --threads=number
	      Use the specified number of threads to scan a directory.

       -l number --max-rules=number
	      Abort scanning after a number of rules matched.

       -a seconds --timeout=seconds
	      Abort scanning after a number of seconds has elapsed.

       -d identifier=value
	      Define an external variable. This option can  be	used  multiple
	      times.

       -x module=file
	      Pass  file's content as extra data to module. This option can be
	      used multiple times.

       -r  --recursive
	      Scan files in directories recursively.

       -f  --fast-scan
	      Speeds up scanning by searching only for the first occurrence of
	      each pattern.

       -w  --no-warnings
	      Disable warnings.

       -v  --version
	      Show version information.

EXAMPLES
       $ yara /foo/bar/rules1 /foo/bar/rules2 .

	      Apply  rules on /foo/bar/rules1 and /foo/bar/rules2 to all files
	      on current directory. Subdirectories are not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

	      Apply rules on /foo/bar/rules to bazfile.	  Only	reports	 rules
	      tagged as Packer or Compiler.

       $ cat /foo/bar/rules1 | yara -r /foo

	      Scan  all	 files	in  the /foo directory and its subdirectories.
	      Rules are read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules
       bazfile

	      Defines three external variables mybool myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

	      Apply  rules on /foo/bar/rules to bazfile while passing the con‐
	      tent of cuckoo_json_report to the cuckoo module.

AUTHOR
       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez	      September 22, 2008		       yara(1)

Vote for polarhome