yara
====

Track YARA matches for files or PIDs.

Platform support
----------------

Please be aware that some queries can only be run against certain platforms. The platforms that support this query are listed below. Zercurity will automatically pause queries from running if errors are detected.

**Running a query against an unsupported platform will result in the following error:**

``no such table: yara``

- Linux
- Mac OSX

Table schema
------------

=========  =======  ======================
Name       Type     Description
=========  =======  ======================
path       TEXT     The path scanned
matches    TEXT     List of YARA matches
count      INTEGER  Number of YARA matches
sig_group  TEXT     Signature group used
sigfile    TEXT     Signature file used
strings    TEXT     Matching strings
tags       TEXT     Matching tags
=========  =======  ======================

Query examples
--------------

.. code-block:: sql

    select * from yara where path = '/etc/passwd'

.. code-block:: sql

    select * from yara where path LIKE '/etc/%'

.. code-block:: sql

    select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'