radare2/doc/yara.md

Yara plugin
===========

Preliminary documentation on yara can be found here:
[Yara User's Manual](https://b161268c3bf5a87bc67309e7c870820f5f39f672.googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/YARA-Manual.pdf)

The following is [YARA in a nutshell](https://virustotal.github.io/yara/) from this document:

> YARA is a tool aimed at helping malware researchers to identify and classify malware
families. With YARA you can create descriptions of malware families based on textual or
binary information contained on samples of those families. These descriptions, a.k.a rules,
consist patterns and a boolean expression which determines its logic. Rules can be
applied to files or running processes in order to determine if it belongs to the described
malware family.

Requirements
------------

You can either install libyara with your preferred package manager, or you
can execute `r2pm -i yara` in order to retrieve latest source, compile,
and install the library via the r2 package manager. You will also need `yara-r2`
to execute the yara utility from the r2 shell.

Yara in radare2
----------

radare2 provides several commands, allowing the user, to add or remove rules,
scan a file, and list or use rules tags.

You can list the yara commands with the following r2 command `yara [help]`.

Rules
-----

By default, radare2 ships with some common crypto and packers rules that you
can find in `/usr/local/share/radare2/last/yara/` if you installed it r2 or
`radare2/shlr/yara/` in the git repo.
They are loaded as soon as you start using the yara plugin.
So you can issue `yara scan` and automatically see if your binary is packed
with a known packer.

Example
-------

Load a rule file on the fly, and then scan the currently opened file:
```
yara add /home/name/rules/malware.rules
yara scan
```
Yara versions
-------------

Because radare2 has support for both yara versions currently,
depending from the version/plugin you've loaded, you need
to use the proper versioned command.
E.g. `yara` or `yara`. For example `yara scan`.
Add new yara doc 2014-08-10 09:03:46 +02:00			`Yara plugin`
			`===========`

			`Preliminary documentation on yara can be found here:`
			`[Yara User's Manual](https://b161268c3bf5a87bc67309e7c870820f5f39f672.googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/YARA-Manual.pdf)`

moved to markdown extension (#9522) 2018-02-27 03:54:54 -06:00			`The following is [YARA in a nutshell](https://virustotal.github.io/yara/) from this document:`
Add new yara doc 2014-08-10 09:03:46 +02:00
			`> YARA is a tool aimed at helping malware researchers to identify and classify malware`
			`families. With YARA you can create descriptions of malware families based on textual or`
			`binary information contained on samples of those families. These descriptions, a.k.a rules,`
moved to markdown extension (#9522) 2018-02-27 03:54:54 -06:00			`consist patterns and a boolean expression which determines its logic. Rules can be`
Add new yara doc 2014-08-10 09:03:46 +02:00			`applied to files or running processes in order to determine if it belongs to the described`
			`malware family.`

Doc: add requirements to the yara plugin 2014-08-10 17:37:13 +02:00			`Requirements`
			`------------`

Fix grammar across the code 2019-06-18 13:13:08 +08:00			`You can either install libyara with your preferred package manager, or you`
Clarifying yara-to-r2 integration documentation. (#15404) 2019-11-03 00:21:31 -04:00			can execute `r2pm -i yara` in order to retrieve latest source, compile,
			and install the library via the r2 package manager. You will also need `yara-r2`
			`to execute the yara utility from the r2 shell.`
Doc: add requirements to the yara plugin 2014-08-10 17:37:13 +02:00
Add new yara doc 2014-08-10 09:03:46 +02:00			`Yara in radare2`
			`----------`

			`radare2 provides several commands, allowing the user, to add or remove rules,`
			`scan a file, and list or use rules tags.`

Clarifying yara-to-r2 integration documentation. (#15404) 2019-11-03 00:21:31 -04:00			You can list the yara commands with the following r2 command `yara [help]`.
Add new yara doc 2014-08-10 09:03:46 +02:00
Doc: precise yara comes with and loads crypto and packers rules 2014-08-10 16:05:42 +02:00			`Rules`
			`-----`

			`By default, radare2 ships with some common crypto and packers rules that you`
			can find in `/usr/local/share/radare2/last/yara/` if you installed it r2 or
			`radare2/shlr/yara/` in the git repo.
			`They are loaded as soon as you start using the yara plugin.`
Precision about packers in doc/yara.md 2014-08-11 00:18:25 +02:00			So you can issue `yara scan` and automatically see if your binary is packed
			`with a known packer.`
Doc: precise yara comes with and loads crypto and packers rules 2014-08-10 16:05:42 +02:00
Add new yara doc 2014-08-10 09:03:46 +02:00			`Example`
			`-------`

			`Load a rule file on the fly, and then scan the currently opened file:`
Fix the doc yara2/yara3 2015-08-07 19:47:43 +03:00			```
Clarifying yara-to-r2 integration documentation. (#15404) 2019-11-03 00:21:31 -04:00			`yara add /home/name/rules/malware.rules`
			`yara scan`
Fix the doc yara2/yara3 2015-08-07 19:47:43 +03:00			```
			`Yara versions`
			`-------------`

Update Yara doc and remove old script 2016-05-15 23:34:40 +03:00			`Because radare2 has support for both yara versions currently,`
Fix the doc yara2/yara3 2015-08-07 19:47:43 +03:00			`depending from the version/plugin you've loaded, you need`
			`to use the proper versioned command.`
Clarifying yara-to-r2 integration documentation. (#15404) 2019-11-03 00:21:31 -04:00			E.g. `yara` or `yara`. For example `yara scan`.