yara vs yara-x Speed

[MyraBaba]

Hi ,

time yara-x scan -d filepath=\"~/\" -d filename=\"history\" -d extension=\"bin\" -d filetype=\"jpg\" -d owner=\"root\" yara/signature-base/yara/* ~/badfiles/

time yara -d filepath="~/" -d filename="history" -d extension="bin" -d filetype="jpg" -d owner="root" yara/signature-base/yara/* ~/badfiles/ -r

I ran the same rule set in same path.

yara-x : (exclude rule compile time)

real 0m29.202s
user 0m26.946s
sys 0m1.220s

with compile almost 33 seconds

yara:

real 0m17.140s
user 0m16.373s
sys 0m0.609s

So almost twice slow then yara engine ?

any idea ?

[plusvic]

Can you share the rules? If the rules are already very well optimized this may happen. YARA-X is better at optimizing rules by itself, but it's still slower when the rules are composed mostly of plain text strings and doesn't have complex conditions.

[MyraBaba]

I will share when our datacenter up again.

is there any way to get output of the yr to file or mqtt ?

so we can update which file scanned and what error found centrally.

is there any performance drop if we use python or c++ api ?

[plusvic]

Is there any way to get output of the yr to file or mqtt ?

You can use yr scan --output-format=ndjson ... and get the matches as one JSON object per line. Or alternatively you can use the Python API for invoking YARA-X and do whatever you want with the result.

Is there any performance drop if we use python or c++ api ?

No, there's no performance drop for using the Python or C++ API.