.TH yara 1 "September 22, 2008" "Victor M. Alvarez"
.SH NAME
yara \- find files matching patterns and rules written in a special-purpose language.
.SH SYNOPSIS
.B yara
[OPTION]... [RULEFILE]... FILE | PID
.SH DESCRIPTION
.I Yara
scans the given
.I FILE
or the process identified by
.I PID
and reports which of the patterns and rules, written in a special-purpose language, it matches. The rules are read from the given
.I RULEFILEs
or from standard input.
.PP
The options to
.IR yara (1)
are:
.TP
.BI \-t " tag"
Print rules tagged as
.I tag
and ignore the rest. This option can be used multiple times.
.TP
.BI \-i " identifier"
Print rules named
.I identifier
and ignore the rest. This option can be used multiple times.
.TP
.B \-n
Print only the rules that do not match (negate the selection).
.TP
.B \-g
Print the tags associated with each matching rule.
.TP
.B \-m
Print the metadata associated with each matching rule.
.TP
.B \-s
Print the matching strings found in the file.
.TP
.BI \-p " number"
Use the specified
.I number
of threads to scan a directory.
.TP
.BI \-l " number"
Abort scanning after the given
.I number
of rules have matched.
.TP
.BI \-a " seconds"
Abort scanning after the given number of
.I seconds
have elapsed.
.TP
.BI \-d " identifier"=value
Define an external variable. This option can be used multiple times.
.TP
.B \-r
Scan files in directories recursively.
.TP
.B \-f
Speed up scanning by searching only for the first occurrence of each pattern (fast matching mode).
.TP
.B \-w
Disable warnings.
.TP
.B \-v
Show version information.
.SH EXAMPLES
$ yara /foo/bar/rules1 /foo/bar/rules2 .
.RS
.PP
Apply the rules in
.I /foo/bar/rules1
and
.I /foo/bar/rules2
to all files in the current directory. Subdirectories are not scanned.
.RE
.PP
$ yara -t Packer -t Compiler /foo/bar/rules bazfile
.RS
.PP
Apply the rules in
.I /foo/bar/rules
to
.IR bazfile .
Only rules tagged as
.I Packer
or
.I Compiler
are reported.
.RE
.PP
$ cat /foo/bar/rules1 | yara -r /foo
.RS
.PP
Scan all files in the
.I /foo
directory and its subdirectories. Rules are read from standard input.
.RE
.PP
$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile
.RS
.PP
Define the three external variables
.IR mybool ,
.I myint
and
.IR mystring ,
then apply the rules in
.I /foo/bar/rules
to
.IR bazfile .
.RE
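.PP
The following is an added example, not part of the yara project's own man page. It writes a constructed rule file that exercises the features the options above operate on (rule tags for -t, metadata for -m, strings for -s, external variables for -d) and a constructed sample file, then runs the documented invocations. It assumes a yara binary on PATH that accepts these options; the rule and sample contents are illustrative only and do not detect real malware.

```shell
#!/bin/sh
# Added example (not from the yara project). Assumes `yara` is on PATH and
# accepts the options documented above. Rule and sample contents are
# constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RULES="$WORK/rules.yar"
SAMPLE="$WORK/sample.bin"

# Write a rule file with tagged rules, metadata, strings and a rule gated on
# external variables (which must be supplied with -d or compilation fails).
# Prints the path of the rule file it wrote.
write_rules() {
    cat > "$RULES" <<'EOF'
rule upx_header : Packer
{
    meta:
        description = "UPX section names (constructed example, not a real detection)"
        author = "added example"
    strings:
        $upx0 = "UPX0"
        $upx1 = "UPX1"
    condition:
        $upx0 and $upx1
}

rule built_with_gcc : Compiler
{
    meta:
        description = "Toolchain marker string left in the binary"
    strings:
        $gcc = "GCC: (GNU)"
    condition:
        $gcc
}

rule gated_by_externals : Policy
{
    meta:
        description = "Matches only when the externals passed with -d have the expected values"
    condition:
        mybool and myint == 5 and mystring == "my string"
}
EOF
    printf '%s\n' "$RULES"
}

# Construct a sample containing the UPX and GCC markers. Not a real binary.
# Prints the path of the sample it wrote.
write_sample() {
    printf 'MZ\000\000UPX0\000UPX1\000GCC: (GNU) 4.2.1\000' > "$SAMPLE"
    printf '%s\n' "$SAMPLE"
}

# Run the documented invocations; skip quietly if yara is not installed.
scan() {
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara not found on PATH; skipping scan" >&2
        return 0
    fi
    # Every matching rule, with its tags (-g), metadata (-m) and matched strings (-s).
    yara -g -m -s -d mybool=true -d myint=5 -d mystring="my string" "$RULES" "$SAMPLE"
    # Only rules tagged Packer: built_with_gcc and gated_by_externals are ignored.
    yara -t Packer -d mybool=true -d myint=5 -d mystring="my string" "$RULES" "$SAMPLE"
    # Negated output: the rules that did NOT match. With mybool=false the
    # externals rule fails and is the one reported.
    yara -n -d mybool=false -d myint=5 -d mystring="my string" "$RULES" "$SAMPLE"
}

write_rules >/dev/null
write_sample >/dev/null
scan
```

Note that every invocation passes all three -d definitions: a rule that references an external variable will not compile unless that identifier has been defined, so the -d options belong to the rule set, not to a particular scan.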
.SH AUTHOR
Victor M. Alvarez <[email protected]>;<[email protected]>