If I understand what you want to do correctly, you are trying to scan a 
specific folder with several yara rules that are in multiple yara rule 
files. There are two ways I have found to do this. The first was brought up 
earlier: bring all the yara rules into one file and run that. The second 
way that I found worked well was to create a yara rule file that acts 
almost like a C++ header file. To illustrate what I mean, follow this 
example:

You have several yara files, Rule1, Rule2, Rule3. Each contains its own 
yara rules to scan for different things. To get them all to run without 
combining all rules into one file, create a new yara rule file, MasterRule. 
In this file you want to type the following to include all of your yara 
rules:
include "Rule1.yar"
include "Rule2.yar"
include "Rule3.yar"

Save that file, and when you go to scan the folder, call the MasterRule file 
as your yara rule. It will scan the folder against all rule files you 
included. We used this method coupled with a PowerShell script to 
automatically add new rule files to this main rule file and then run a yara 
scan on the entire drive of a computer.

On Tuesday, June 27, 2017 at 1:06:37 AM UTC-5, Samsung NFC wrote:
>
> Hi,
> I would like to apply some yara-rules on a folder which contains some 
> malware-samples (e.g. infected1.exe, infected2.zip, infected3.doc, etc.). 
> The yara-rules are in a folder and every yara rule is a file (e.g. 
> exploit.yar, ransome.yar, etc.).
>
> If I apply my yara-rules on the malware-sample folder like that:
>
> yara -rg rules/* infectedfolder
>
> It doesn't work that way.
>
> Do I have to paste my rules in a single file and then apply "yara -rg 
> rule.yar infectedfolder" to do a mass scan or is there another way to do a 
> mass scan?
>
> Thanks Thomas
>
>

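Added example (not from the thread or the YARA project): the master-file approach described in the reply, with the include list regenerated from the rule folder before each scan. It is written in POSIX shell rather than the PowerShell mentioned in the reply; the function names, the MasterRule.yar file name and the .yar/.yara extensions are assumptions.

```shell
#!/bin/sh
# Added example: keep a master YARA file in sync with a folder of rule files.
# Assumed names: build_master_rule, scan_with_master, MasterRule.yar.

# build_master_rule RULE_DIR [MASTER_NAME]
# Writes RULE_DIR/MASTER_NAME with one include line per *.yar / *.yara file.
# The includes use bare file names: YARA resolves a relative include path
# against the directory of the file that contains the include.
build_master_rule() {
    rule_dir=$1
    master=${2:-MasterRule.yar}
    [ -d "$rule_dir" ] || { echo "not a directory: $rule_dir" >&2; return 1; }

    # Hidden temp file, so the globs below never pick it up.
    tmp=$(mktemp "$rule_dir/.master.XXXXXX") || return 1
    for f in "$rule_dir"/*.yar "$rule_dir"/*.yara; do
        [ -f "$f" ] || continue              # unmatched glob stays literal; skip
        name=${f##*/}
        [ "$name" = "$master" ] && continue  # never include the master in itself
        # Escape backslashes and double quotes for the YARA string literal.
        esc=$(printf '%s' "$name" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf 'include "%s"\n' "$esc"
    done > "$tmp"

    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no rule files found in $rule_dir" >&2
        return 1
    fi
    mv "$tmp" "$rule_dir/$master"            # swap in the new master in one step
}

# scan_with_master RULE_DIR TARGET_DIR
# Rebuilds the master file, then scans TARGET_DIR recursively with it.
scan_with_master() {
    build_master_rule "$1" || return 1
    yara -r "$1/MasterRule.yar" "$2"
}
```

Calling scan_with_master rules infectedfolder picks up any rule file added to the folder since the last run. A syntax error in any included file makes the whole master fail to compile, so check new rule files before dropping them in.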