.TH yara 1 "September 22, 2008" "Victor M. Alvarez"
.SH NAME
yara \- find files matching patterns and rules written in a special-purpose
language.
.SH SYNOPSIS
.B yara
[OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
.SH DESCRIPTION
yara scans the given FILE, all files contained in directory DIR, or the process
identified by PID looking for matches of patterns and rules provided in a
special purpose-language. The rules are read from one or more RULES_FILE.
.PP
The options to
.IR yara (1)
are:
.TP
.B "    --atom-quality-table"
Path to a file with the atom quality table.
.TP
.B \-C " --compiled-rules"
RULES_FILE contains rules already compiled with yarac.
.TP
.B \-c " --count"
Print number of matches only.
.TP
.BI "\-d  --define"=identifier=value
Define an external variable. This option can be used multiple times.
.TP
.B "    --fail-on-warnings"
Treat warnings as errors. Has no effect if used with
.B --no-warnings.
.TP
.B \-f " --fast-scan"
Speeds up scanning by searching only for the first occurrence of each pattern.
.TP
.BI \-i " identifier" " --identifier=" identifier
Print rules named
.I identifier
and ignore the rest. This option can be used multiple times.
.TP
.BI "    --max-process-memory-chunk=" size
While scanning process memory read data in chunks of the given
.I size
in bytes.
.TP
.BI \-l " number" " --max-rules=" number
Abort scanning after a
.I number
of rules matched.
.TP
.BI "    --max-strings-per-rule=" number
Set maximum number of strings per rule (default=10000)
.TP
.BI "\-x  --module-data"=module=file
Pass file's content as extra data to module. This option can be used multiple
times.
.TP
.B \-n " --negate"
Print rules that doesn't apply (negate).
.TP
.B \-w " --no-warnings"
Disable warnings.
.TP
.B \-m " --print-meta"
Print metadata associated to the rule.
.TP
.B \-D " --print-module-data"
Print module data.
.TP
.B \-M " --module-names"
show module names
.TP
.B \-e " --print-namespace"
Print namespace associated to the rule.
.TP
.B \-S " --print-stats"
Print rules' statistics.
.TP
.B \-s " --print-strings"
Print strings found in the file.
.TP
.B \-L " --print-string-length"
Print length of strings found in the file.
.TP
.B \-X " --print-xor-key"
Print xor key of matched strings.
.TP
.B \-g " --print-tags"
Print the tags associated to the rule.
.TP
.B \-r " --recursive"
Scan files in directories recursively. It follows symlinks.
.TP
.BI "    --scan-list"
Scan files listed in FILE, one per line.
.TP
.BI \-z " size" " --skip-larger=" size
Skip files larger than the given
.I size
in bytes when scanning a directory.
.TP
.BI \-k " slots" " --stack-size=" slots
Set maximum stack size to the specified number of
.I slots.
.TP
.BI "    --strict-escape"
Print warnings if rules contain ambiguous escape statements.
.TP
.BI \-t " tag" " --tag=" tag
Print rules tagged as
.I tag
and ignore the rest. This option can be used multiple times.
.TP
.BI \-p " number" " --threads=" number
Use the specified
.I number
of threads to scan a directory.
.TP
.BI \-a " seconds" " --timeout=" seconds
Abort scanning after a number of
.I seconds
has elapsed.
.TP
.B \-v " --version"
Show version information.
.SH EXAMPLES
$ yara /foo/bar/rules .
.RS
.PP
Apply rules on
.I /foo/bar/rules
to all files on current directory. Subdirectories are not scanned.
.RE
.PP
$ yara -t Packer -t Compiler /foo/bar/rules bazfile
.RS
.PP
Apply rules on
.I /foo/bar/rules
to
.I bazfile.
Only reports rules tagged as
.I Packer
or
.I Compiler.
.RE
.PP
$ cat /foo/bar/rules | yara -r /foo
.RS
.PP
Scan all files in the
.I /foo
directory and its subdirectories. Rules are read from standard input.
.RE
.PP
$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
.RS
.PP
Defines three external variables
.I mybool
.I myint
and
.I mystring.
.RE
.PP
$ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile
.RS
.PP
Apply rules on
.I /foo/bar/rules
to
.I bazfile
while passing the content of
.I cuckoo_json_report
to the cuckoo module.
.RE

.SH AUTHOR
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>