# Yara
## Structure

A rule consists of

* Name
* Metadata
* String definitions
* Conditions on these strings

## Example

```yara
rule eicar {
    meta:
        author = "foo"
        description = "eicar test virus"
    strings:
        $a = "X5O"
        $b = "EICAR"
        $c = "ANTIVIRUS"
        $d = "TEST"
    condition:
        $a and $b and $c and $d
}
```

## Usage

* Print information about the rules that match: `-m` shows their metadata, `-s` shows the matched strings together with their offsets in the target

```sh
yara -m <file.yara> <file.target>
yara -s <file.yara> <file.target>
```

* Run Yara via

```sh
yara <file.yara> <file.target>
```

* If the rule name and the target are printed, the rule matched. Otherwise it did not match.
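
To make the structure and the usage above concrete, here is an added example (not part of the original note, and not the YARA engine or yara-python): a small Python re-implementation of the subset of YARA used on this page. It splits a rule into the four parts listed under Structure, searches a target buffer for every string, evaluates the condition (`and`, `or`, `not`, parentheses, `all of them`, `any of them`) and prints `<rule> <target>` on a match, with `-s`-style offsets when `print_strings` is set. The rule text is the one from the example; the two targets (the standard EICAR test string and a benign buffer) are constructed inputs.

```python
import re
from dataclasses import dataclass

# Simplified stand-in for the YARA subset used in the note above (text strings,
# boolean conditions). Added illustration, not the YARA engine.


@dataclass
class Rule:
    name: str
    meta: dict       # key -> value
    strings: dict    # "$id" -> bytes pattern
    condition: str   # raw condition text


def parse_rule(source: str) -> Rule:
    """Split a rule into name, meta, strings and condition."""
    m = re.search(r"rule\s+(\w+)\s*\{(.*)\}", source, re.S)
    if not m:
        raise ValueError("no rule definition found")
    name, body = m.group(1), m.group(2)
    sections, current = {}, None
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in ("meta:", "strings:", "condition:"):
            current = line[:-1]
            sections[current] = []
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)

    def pairs(items):  # 'key="value"' lines -> (key, value)
        for item in items:
            key, value = item.split("=", 1)
            yield key.strip(), value.strip().strip('"')

    meta = dict(pairs(sections.get("meta", [])))
    strings = {k: v.encode() for k, v in pairs(sections.get("strings", []))}
    return Rule(name, meta, strings, " ".join(sections.get("condition", [])))


def eval_condition(condition: str, present: dict) -> bool:
    """Recursive-descent evaluation; `present` maps "$id" -> whether it was found."""
    tokens = re.findall(r"\$\w+|\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def expr():  # or-level; the right side is always parsed, never skipped
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            rhs = term()
            value = value or rhs
        return value

    def term():  # and-level
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok in ("all", "any"):
            if take() != "of" or take() != "them":
                raise ValueError(f"expected 'of them' after {tok}")
            return (all if tok == "all" else any)(present.values())
        if tok.startswith("$") and tok in present:
            return present[tok]
        raise ValueError(f"unexpected or undefined token {tok!r}")

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return result


def scan(rule: Rule, data: bytes):
    """Return (matched, {"$id": [offsets]}) for one target buffer."""
    hits = {ident: [h.start() for h in re.finditer(re.escape(pat), data)]
            for ident, pat in rule.strings.items()}
    matched = eval_condition(rule.condition, {k: bool(v) for k, v in hits.items()})
    return matched, hits


def report(rule: Rule, target: str, data: bytes, print_strings: bool = False) -> str:
    """CLI-shaped output: '<rule> <target>' on a match (offsets like -s), '' otherwise."""
    matched, hits = scan(rule, data)
    if not matched:
        return ""
    lines = [f"{rule.name} {target}"]
    if print_strings:
        for ident, offsets in hits.items():
            lines += [f"0x{off:x}:{ident}: {rule.strings[ident].decode()}" for off in offsets]
    return "\n".join(lines)


EICAR_RULE = """
rule eicar {
meta:
author="foo"
description="eicar test virus"
strings:
$a="X5O"
$b="EICAR"
$c="ANTIVIRUS"
$d="TEST"
condition:
$a and $b and $c and $d
}
"""
# Constructed targets: the standard (harmless) EICAR test string and a benign buffer.
EICAR_TARGET = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BENIGN_TARGET = b"just a TEST document about ANTIVIRUS software"

if __name__ == "__main__":
    rule = parse_rule(EICAR_RULE)
    print(report(rule, "eicar.com", EICAR_TARGET, print_strings=True))
    print(repr(report(rule, "notes.txt", BENIGN_TARGET)))  # '' means no match
```

The benign buffer contains two of the four strings, which is exactly why the condition, not the string list alone, decides a match: `$c and $d` are present but `$a and $b` are not, so nothing is printed, mirroring the silent output of the real `yara` binary on a non-matching target.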