yara¶
Track YARA matches for files or PIDs.
Platform support¶
Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: yara
- Linux
- Mac OSX
Table schema¶
Name | Type | Description |
---|---|---|
path | TEXT | The path scanned |
matches | TEXT | List of YARA matches |
count | INTEGER | Number of YARA matches |
sig_group | TEXT | Signature group used |
sigfile | TEXT | Signature file used |
strings | TEXT | Matching strings |
tags | TEXT | Matching tags |
Query examples¶
select * from yara where path = '/etc/passwd'
select * from yara where path LIKE '/etc/%'
select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'