Edit file File name : yara.1 Content :.TH yara 1 "September 22, 2008" "Victor M. Alvarez" .SH NAME yara \- find files matching patterns and rules written in a special-purpose language. .SH SYNOPSIS .B yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID .SH DESCRIPTION yara scans the given FILE, all files contained in directory DIR, or the process identified by PID looking for matches of patterns and rules provided in a special purpose-language. The rules are read from one or more RULES_FILE. .PP The options to .IR yara (1) are: .TP .B " --atom-quality-table" Path to a file with the atom quality table. .TP .B \-C " --compiled-rules" RULES_FILE contains rules already compiled with yarac. .TP .B \-c " --count" Print number of matches only. .TP .BI "\-d --define"=identifier=value Define an external variable. This option can be used multiple times. .TP .B " --fail-on-warnings" Treat warnings as errors. Has no effect if used with .B --no-warnings. .TP .B \-f " --fast-scan" Speeds up scanning by searching only for the first occurrence of each pattern. .TP .BI \-i " identifier" " --identifier=" identifier Print rules named .I identifier and ignore the rest. This option can be used multiple times. .TP .BI " --max-process-memory-chunk=" size While scanning process memory read data in chunks of the given .I size in bytes. .TP .BI \-l " number" " --max-rules=" number Abort scanning after a .I number of rules matched. .TP .BI " --max-strings-per-rule=" number Set maximum number of strings per rule (default=10000) .TP .BI "\-x --module-data"=module=file Pass file's content as extra data to module. This option can be used multiple times. .TP .B \-n " --negate" Print rules that doesn't apply (negate). .TP .B \-w " --no-warnings" Disable warnings. .TP .B \-m " --print-meta" Print metadata associated to the rule. .TP .B \-D " --print-module-data" Print module data. .TP .B \-M " --module-names" show module names .TP .B \-e " --print-namespace" Print namespace associated to the rule. .TP .B \-S " --print-stats" Print rules' statistics. .TP .B \-s " --print-strings" Print strings found in the file. .TP .B \-L " --print-string-length" Print length of strings found in the file. .TP .B \-X " --print-xor-key" Print xor key of matched strings. .TP .B \-g " --print-tags" Print the tags associated to the rule. .TP .B \-r " --recursive" Scan files in directories recursively. It follows symlinks. .TP .BI " --scan-list" Scan files listed in FILE, one per line. .TP .BI \-z " size" " --skip-larger=" size Skip files larger than the given .I size in bytes when scanning a directory. .TP .BI \-k " slots" " --stack-size=" slots Set maximum stack size to the specified number of .I slots. .TP .BI \-t " tag" " --tag=" tag Print rules tagged as .I tag and ignore the rest. This option can be used multiple times. .TP .BI \-p " number" " --threads=" number Use the specified .I number of threads to scan a directory. .TP .BI \-a " seconds" " --timeout=" seconds Abort scanning after a number of .I seconds has elapsed. .TP .B \-v " --version" Show version information. .SH EXAMPLES $ yara /foo/bar/rules . .RS .PP Apply rules on .I /foo/bar/rules to all files on current directory. Subdirectories are not scanned. .RE .PP $ yara -t Packer -t Compiler /foo/bar/rules bazfile .RS .PP Apply rules on .I /foo/bar/rules to .I bazfile. Only reports rules tagged as .I Packer or .I Compiler. .RE .PP $ cat /foo/bar/rules | yara -r /foo .RS .PP Scan all files in the .I /foo directory and its subdirectories. Rules are read from standard input. .RE .PP $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile .RS .PP Defines three external variables .I mybool .I myint and .I mystring. .RE .PP $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile .RS .PP Apply rules on .I /foo/bar/rules to .I bazfile while passing the content of .I cuckoo_json_report to the cuckoo module. .RE .SH AUTHOR Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com> Save