Rule compilation error: undefined string

[absurd121]

Please help with compilation error yara rule. Rule logic: find 2 different strings from the list and at the same time they were nearby in the file. Code:

rule search_for_lines
{
    strings:
        $line1 = "line1 from list" ascii
        $line2 = "line2 from list" ascii
        $line3 = "line3 from list" ascii
        $line4 = "line4 from list" ascii
        $line5 = "line5 from list" ascii
        $line6 = "line6 from list" ascii
        $line7 = "line7 from list" ascii
        $line8 = "line8 from list" ascii
        $line9 = "line9 from list" ascii
        $line10 = "line10 from list" ascii

    condition:
        for any i in (1..9): (
            for any j in (i+1..10):
                ( ($line[i] - 100) < $line[j] < ($line[i] + 100) )
       )
}

An error occurs while compiling: 'undefined string "$line"' at string: ( ($line[i] - 50) < $line[j] < ($line[i] + 50) )

[aschuster99]

There seems to be a slight, yet important, misunderstanding: The term $line[i] refers to the i-th occurrence of the string defined by $line, which hasn't been defined.

Here are two ideas, that hopefully might help you find a solution to your problem. The first one uses a sliding-window:

rule search_for_lines_sliding_window
{
    strings:
        $ = "line1 from list" ascii
        $ = "line2 from list" ascii
        $ = "line3 from list" ascii
        $ = "line4 from list" ascii
        $ = "line5 from list" ascii
        $ = "line6 from list" ascii
        $ = "line7 from list" ascii
        $ = "line8 from list" ascii
        $ = "line9 from list" ascii
        $ = "line10 from list" ascii

    condition:
        // make sure we have at least 2 distinct strings
        2 of them and
        // now search within a sliding window, assume window size of 100 bytes
        for any i in (1 .. filesize-100) : (
            2 of them in (i .. i+100)
        )
}

Please note that this a slow approach and may take a lot of time for large files. In order to avoid wasting time, the condition first checks for the presence of two strings, regardless of the distance constraint.

The second approach uses a regex to find all relevant lines. In this simple example, $line = /line\d+ from list/ ascii does the job. For more complex cases you can always concatenate expressions using the pipe symbol as in $line = /line1 from list|line2 from list|line 3 and so on/. So, the rule has to deal only with a single array of matches:

import "hash"

rule search_for_lines_regex
{
    strings:
        $line = /line\d+ from list/ ascii
    condition:
        #line >= 2 and
        for any i in (2 .. #line) : (
            // ensure matches are nearby
            @line[i] - @line[i-1] <= 100 and
            // ensure matches are different strings
            hash.sha256(@line[i-1], !line[i-1]) != hash.sha256(@line[i], !line[i])
        )
}

This rule checks for two consecutive matches that are at most 100 bytes apart, measured from start to start. Of course, this would also match on two consecutive instances of the same string. But as I understand your problem, these have to be different strings. I wish I could just compare the two matches, e.g. $line[i-1] != $line[i], but that seems not to be possible. Therefore, the rule does not compare the strings, but their SHA256 hashes instead.

As said before, this might not be the exact solution to your problem, but hopefully will get you started.

[absurd121]

Thanks a lot for the detailed answer and help with the rule! I tested the approaches you suggested and settled on the second one.
When using the "-s" flag (.\yara64.exe -s .\rule.yar .\file), all lines from the regular expression that are contained in the file are output, not just those that satisfy the condition.
In order to see on which lines the rule is triggered, I added the "console" module to the condition:

import "hash"
import "console"

rule search_for_lines_regex
{
    strings:
        $line = /line\d+ from list/ ascii
    condition:
        #line >= 2 and
        for any i in (2 .. #line) : (
            @line[i] - @line[i-1] <= 100 and
            hash.sha256(@line[i-1], !line[i-1]) != hash.sha256(@line[i], !line[i]) and console.hex(@line[i-1]) and console.hex(@line[i])
        )
}

But in this case, only the addresses of the first two lines that satisfy the condition are displayed. It looks like the rule only looks for the first match. Then I replaced "any" with "(#line-1)" in the for loop:

          for (#line-1) i in (2 .. #line) : (
            @line[i] - @line[i-1] <= 100 and
            hash.sha256(@line[i-1], !line[i-1]) != hash.sha256(@line[i], !line[i]) and console.hex(@line[i-1]) and console.hex(@line[i])

Then the rule is applied to the entire file and the addresses of all matching lines are displayed. However, the file is not marked as matching the rule.
Is there a way built into yara to output strings rather than addresses that satisfy a condition? I found only a custom module for this https://devilinside.me/blogs/configuration-extraction-yara. But it requires compiling yar from source (errors occur on my centos 8).
Also, is it possible to have the rule look for all matches in the file, and not just the first one?