yara¶
Track YARA matches for files or PIDs.
Platform support¶
Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: yara
Linux
Mac OSX
Table schema¶
Name |
Type |
Description |
|---|---|---|
path |
TEXT |
The path scanned |
matches |
TEXT |
List of YARA matches |
count |
INTEGER |
Number of YARA matches |
sig_group |
TEXT |
Signature group used |
sigfile |
TEXT |
Signature file used |
strings |
TEXT |
Matching strings |
tags |
TEXT |
Matching tags |
Query examples¶
select * from yara where path = '/etc/passwd'
select * from yara where path LIKE '/etc/%'
select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'