Attention
Zercurity has been acquired by JumpCloud.
This documentation will no longer be maintained or updated. You can read more about the acquisition, or sign up to JumpCloud today.
# yara
Track YARA matches for files or PIDs.
## Platform support
Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this query supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: `no such table: yara`
- Linux
- Mac OSX
## Table schema
| Name | Type | Description |
|---|---|---|
| path | TEXT | The path scanned |
| matches | TEXT | List of YARA matches |
| count | INTEGER | Number of YARA matches |
| sig_group | TEXT | Signature group used |
| sigfile | TEXT | Signature file used |
| strings | TEXT | Matching strings |
| tags | TEXT | Matching tags |
## Query examples
```sql
select * from yara where path = '/etc/passwd'
select * from yara where path LIKE '/etc/%'
select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'
```
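A scheduled-query variant, added here as an example and not part of the original Zercurity or osquery documentation. It uses the `sig_group` column instead of a literal `sigfile`, so the rule set is managed centrally in the osquery configuration rather than repeated in every query, and it filters on `count` so the query only returns rows when a file actually matched a rule. One caveat worth knowing: osquery's `yara` table only scans when the `WHERE` clause names a signature source (`sigfile` or `sig_group`) alongside the `path`; a path constraint on its own returns nothing. The group name `baseline` and its rule file are assumptions for this example and must exist in your osquery config.

```sql
-- Added example; the signature group "baseline" is assumed to be defined in the
-- osquery configuration, for instance:
--   "yara": { "signatures": { "baseline": ["/etc/osquery/yara/test.yara"] } }
-- Scan every file under /etc with that group and keep only files that hit at
-- least one rule, so a scheduled query stays quiet until something matches.
SELECT path, count, matches, tags, strings, sigfile
FROM yara
WHERE path LIKE '/etc/%'
  AND sig_group = 'baseline'
  AND count > 0;
```

Because `path` is a required constraint, keep the `LIKE` prefix as narrow as the investigation needs; a broad prefix scans every file beneath it on each run, which is the main performance cost of this table.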