
Linux command

yara command

Files

After copying a command, replace the file names, directories, or parameters as needed.

Common examples

Scan file with rules

yara [rules.yar] [file]

Scan directory recursively

yara -r [rules.yar] [directory]

Scan process

yara [rules.yar] [pid]

Show matching strings

yara -s [rules.yar] [file]

Show metadata

yara -m [rules.yar] [file]

Multiple rule files

yara [rules1.yar] [rules2.yar] [file]

Scan with timeout

yara -a [30] [rules.yar] [file]

Count matches

yara -c [rules.yar] [file]

Description

yara matches patterns against files or processes. It is the primary tool for malware classification and detection. Rules define patterns using strings, regular expressions, and conditions, and describe the characteristics of malware families or suspicious behavior. String matching finds literal text, hex byte sequences, or regex patterns; conditions combine those matches with boolean logic for precise detection. Process scanning examines the memory of running programs, which detects malware that may not be present on disk. Metadata in rules provides context (author, description, severity, and references), which aids incident response. External variables enable parameterized rules, so thresholds and settings can be adjusted without modifying the rules themselves.
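The rule below is an added example, not taken from the original page or the YARA project; it shows the elements the description lists (metadata, a text string, a hex pattern, a regex, and an external variable) in one rule. The rule name, string values, and the external variable max_size are constructed for illustration.

```yara
// Constructed example rule: every value here is made up for illustration.
rule Example_Staged_Dropper
{
    meta:
        author      = "example analyst"          // placeholder
        description = "Constructed sample: text marker plus call stub, or repeated download URLs"
        severity    = "medium"
        reference   = "internal case note (placeholder)"

    strings:
        // literal text, case-insensitive, matched as ASCII and UTF-16
        $marker = "stage2_payload" nocase ascii wide

        // hex bytes: push imm32, a jump of 2 to 6 unknown bytes, then a call
        $stub   = { 68 ?? ?? ?? ?? [2-6] E8 ?? ?? ?? ?? }

        // regular expression for a hard-coded URL ending in .bin
        $url    = /https?:\/\/[a-z0-9.-]+\/[a-z0-9_]+\.bin/ nocase

    condition:
        // max_size is an external variable supplied with -d, so the size
        // threshold can be tuned per scan without editing the rule;
        // #url counts how many times the regex matched
        filesize < max_size and
        (($marker and $stub) or #url >= 2)
}
```

Because the rule references max_size, it must be defined on the command line, for example `yara -d max_size=2000000 -s -m rules.yar sample.bin`, which also prints the matched strings and the rule's metadata.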

Options

-r
Recursive directory scan.
-s
Show matching strings.
-m
Show metadata.
-c
Count matches only.
-a SECONDS
Timeout per file.
-n
Negate (show non-matches).
-g
Show tags.
-e
Show namespace.
-w
Disable warnings.
-f
Fast matching mode.
-p N
Parallel threads.
-d VAR=VAL
Define external variable.

FAQ

What is the yara command used for?

yara matches patterns against files or processes and is the primary tool for malware classification and detection. Rules define patterns using strings (literal text, hex byte sequences, or regular expressions) and combine the matches with boolean conditions to describe malware families or suspicious behavior. Process scanning examines the memory of running programs, which detects malware that may not be present on disk. Rule metadata (author, description, severity, references) gives incident responders context, and external variables make rules parameterizable so thresholds can be adjusted without modifying the rules.

How do I run a basic yara example?

Run `yara [rules.yar] [file]` in a terminal, then adjust the rule file, target path, or flags for your system.

What does -r do in yara?

Recursive directory scan.