yara

Triggers a one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule in the WHERE clause.

| Column | Type | Description |
|---|---|---|
| count | integer | Number of YARA matches |
| matches | text | List of YARA matches |
| path | text | The path scanned. Required in WHERE clause. |
| pid_with_namespace | integer | Pids that contain a namespace. Not returned in `SELECT * FROM yara`. Only available on Linux. |
| sig_group | text | Signature group used |
| sigfile | text | Signature file used |
| sigrule | text | Signature strings used. Not returned in `SELECT * FROM yara`. |
| sigurl | text | Signature url. Not returned in `SELECT * FROM yara`. |
| strings | text | Matching strings |
| tags | text | Matching tags |

Example

Look for files under /root that match a Yara signature. This example uses the EICAR test file.

```sql
SELECT * FROM yara WHERE path LIKE '/root/%%' AND sigrule IN (
  'rule eicar {
    strings:
      $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
    condition:
      all of them
  }'
) AND matches='eicar';
```
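The sig_group column refers to a signature group defined in the osquery configuration rather than to inline rule text. The following osquery config fragment, added here as an example and not taken from the page, defines such a group and schedules a query against it; the group name `test_signatures`, the rule file path `/etc/osquery/yara/eicar.yar`, the schedule name and the interval are all assumed values.

```json
{
  "yara": {
    "signatures": {
      "test_signatures": [
        "/etc/osquery/yara/eicar.yar"
      ]
    }
  },
  "schedule": {
    "yara_scan_tmp": {
      "query": "SELECT path, count, matches, strings, tags FROM yara WHERE path LIKE '/tmp/%%' AND sig_group = 'test_signatures' AND count > 0;",
      "interval": 3600,
      "description": "Example only: hourly scan of /tmp with the assumed test_signatures YARA group, reporting only files with at least one match"
    }
  }
}
```

Filtering on `count > 0` keeps the scheduled result set to matching files only, since the table otherwise returns a row for every file scanned under the path.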