Description
Hello,
I recently had a use-case where I wanted to have a list of strings in the `condition` block in a yara rule. I'm using yara v4.0.5. A minimal example is: comparing the SHA1 of a file with a known set of hashes. This is a working yara rule:
test.yar:

```
import "hash"
rule test {
condition:
hash.sha1(0,filesize) == "0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687" or
hash.sha1(0,filesize) == "90cf88f9f3326d2616232d73e5adc1e85d28097f"
}
```

```
$ yara test.yar test.txt
test test.txt
```
For readability, this is alright when there are, say, 5 hashes. But if there are 100 hashes, then the rule file becomes messy. Is there a way in yara to have non-search strings in one variable? And I'm not referring to the `strings` block, because those strings are searched in the file. I'm referring to a string variable (containing a list of strings) which is not searched in the file and can purely be used in the `condition` block. Also, I assume `hash.sha1` will be computed only once? (caching: #592)
Something like:
```
import "hash"
rule test {
condition:
for any i in ("90cf88f9f3326d2616232d73e5adc1e85d28097f","0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687"):
( i == hash.sha1(0,filesize) )
}
```
The above doesn't work:
```
$ yara test.yar test.txt
test.yar(5): error in rule "test": wrong type for enumeration item
```
Thanks for the help!
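One practical way to keep a long hash list readable is to keep the hashes in a plain list and generate the flat `or` chain that the working rule above uses. The script below is an added example, not part of this issue or of the yara project; the rule name, the `render_hash_rule` / `sha1_digests_in_rule` helpers and the constructed two-entry hash list are assumptions made here.

```python
import re
from typing import Iterable

# Constructed sample list: the two SHA-1 values quoted in the issue text.
KNOWN_SHA1 = [
    "0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687",
    "90cf88f9f3326d2616232d73e5adc1e85d28097f",
]

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_hash_rule(rule_name: str, sha1_hashes: Iterable[str]) -> str:
    """Emit a YARA rule whose condition ORs one hash.sha1() comparison per hash.

    Hashes are normalised to lowercase (the hash module returns lowercase hex),
    de-duplicated while preserving order, and validated as 40 hex characters so
    that a malformed entry fails here instead of silently never matching.
    """
    if not _IDENT_RE.match(rule_name):
        raise ValueError(f"invalid YARA rule name: {rule_name!r}")
    seen = []
    for h in sha1_hashes:
        h = h.strip().lower()
        if not _SHA1_RE.match(h):
            raise ValueError(f"not a SHA-1 hex digest: {h!r}")
        if h not in seen:
            seen.append(h)
    if not seen:
        raise ValueError("hash list is empty")
    comparisons = " or\n".join(
        f'        hash.sha1(0,filesize) == "{h}"' for h in seen
    )
    return (
        'import "hash"\n\n'
        f"rule {rule_name} {{\n"
        "    condition:\n"
        f"{comparisons}\n"
        "}\n"
    )


def sha1_digests_in_rule(rule_text: str) -> list:
    """Extract the digests compared via hash.sha1() from a rendered rule, so a
    reviewer can diff the rule file against the source hash list."""
    return re.findall(r'hash\.sha1\(0,filesize\) == "([0-9a-f]{40})"', rule_text)
```

Pipe the output into a `.yar` file and compile it with `yara` as usual; regenerating the file from the list is what keeps the rule maintainable once the list grows to hundreds of entries.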