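" Vim syntax file
" Language: hog (Snort.conf + .rules)
" Maintainer: Victor Roemer, <[email protected]>.
" Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog
"              2012 Oct 24 -> Originalish release
"
" Purpose: highlight Snort configuration files and rule files. The file only
" colours text; it does not validate it. A rule or address that highlights
" cleanly can still be rejected (or interpreted differently) by the sensor,
" so colouring is not a substitute for a configuration test run.

" Standard guard: on pre-6.0 Vim clear existing syntax, otherwise do nothing
" if another syntax file already claimed this buffer.
if version < 600
  syntax clear
elseif exists("b:current_syntax")
  finish
endif

" ':' separates option names from values, so it must not be a keyword
" character; '-' is added so hyphenated names are treated as one word.
setlocal iskeyword-=:
setlocal iskeyword+=-
" Everything up to 'syn case match' below is matched case-insensitively.
syn case ignore

" Hog ruletype crap
" ruletype NAME { type ...; output ... }
syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite
syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
syn keyword HogRuleTypeType type contained

" Hog Configurables
" preprocessor/config/output NAME: options...
" The skip pattern keeps the region open across backslash-continued lines,
" comment-only lines and blank lines.
syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite
syn keyword HogConfig config nextgroup=HogConfigName skipwhite
syn keyword HogOutput output nextgroup=HogConfigName skipwhite
syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filters and thresholds
syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syn keyword HogEvFilterKeyword skipwhite event_filter threshold
syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes
syn keyword HogEvFilterTypes skipwhite limit threshold both contained
syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack
syn keyword HogEvFilterTrack skipwhite by_src by_dst contained
syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber

" Suppressions
" NOTE(review): HogSuppressOptions is not listed in this region's contains=,
" so the gen_id/sig_id/track/ip keywords below look unreachable inside a
" 'suppress' line - confirm whether that is intended.
syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
syn keyword HogSuppressKeyword skipwhite suppress
syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber
syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack
syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr

" Attribute table
syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile
syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment
syn keyword HogAttributeType filename

" Hog includes
syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite
syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment

" Hog dynamic libraries
syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
syn keyword HogDylibType directory file contained

" Variable dereferenced with '$'
syn match HogVar "\$[[:alnum:]_]\+"

" Variables declared with 'var'
syn keyword HogVarType var nextgroup=HogVarSet skipwhite
syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar'
" HogIPVarList contains itself so nested [..[..]..] lists are handled.
syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite
syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

" Variables declared with 'portvar'
syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange
syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange

" Generic stuff
" The address pattern is shape-only: each octet is just 1-3 digits, so an
" out-of-range value such as 999.1.1.1 still highlights as an address, and
" only dotted-quad IPv4 (or 'any') is recognised. Do not read the colouring
" as proof that HOME_NET/EXTERNAL_NET style values are valid.
syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
" Prefix length /0../32. The two-digit 3x branch comes first because Vim
" uses the first branch that matches; the second branch covers 0-29,
" including the single digits 4-9 (e.g. 10.0.0.0/8).
syn match HogIPCidr contained "\/\(3[0-2]\|[12]\=[0-9]\)"
" |41 42 43| hex escapes are only meaningful inside a quoted string.
syn region HogHexEsc contained start='|' end='|' oneline
syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc
syn match HogNumber contained display "\<\d\+\>"
syn match HogNumber contained display "0x\x\+\>"
syn keyword HogSpecial contained true false yes no default all any
syn keyword HogSpecialAny contained any
syn match HogOpNot "!" contained
syn match HogOpRange ":" contained

" Rules
" A rule header is walked left to right through nextgroup links:
"   action proto src_ip src_port direction dst_ip dst_port ( options )
" An action may also be followed directly by the option block.
syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syn keyword HogRuleProto ip tcp udp icmp skipwhite contained nextgroup=HogRuleSrcIP
syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
",HogString,HogComment,HogVar,HogOptNot
"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
" Rule option keywords. Each may be followed by a ':value;' argument, which
" is handled by HogRuleSROP below.
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata content nocase rawbytes
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group

" Option argument: everything from ':' up to the terminating ';'.
syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
syn match HogURLChars "\%(\.\|?\|=\)\+" contained

" Hog File Type Rules
syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
" nextgroup names HogFileFROP, the argument region defined on the next line
" (it previously named HogRuleFROP, a group that is never defined).
syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogFileFROP file type ver category id rev content offset msg group
syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln
syn match NotASemiColn ".*$" contained


" Comments
syn keyword HogTodo XXX TODO NOTE contained
syn match HogTodo "Step\s\+#\=\d\+" contained
syn region HogComment start="#" end="$" contains=HogTodo,@Spell

" Restore case-sensitive matching for anything defined after this file.
syn case match

" Number of lines Vim looks back to resynchronise highlighting. Users can
" override it by setting hog_minlines before this file is sourced; the value
" is concatenated into an :exec string, so it should be a plain number.
if !exists("hog_minlines")
  let hog_minlines = 100
endif
exec "syn sync minlines=" . hog_minlines

" Map the Hog groups onto Vim's standard highlight groups.
hi link HogRuleType Statement
hi link HogRuleTypeName Type
hi link HogRuleTypeType Keyword

hi link HogPreproc Statement
hi link HogConfig Statement
hi link HogOutput Statement
hi link HogConfigName Type

"hi link HogEvFilter
hi link HogEvFilterKeyword Statement
hi link HogSuppressKeyword Statement
hi link HogEvFilterTypes Constant
hi link HogEvFilterTrack Constant

hi link HogAttribute Statement
hi link HogAttributeFile String
hi link HogAttributeType Statement

hi link HogInclude Statement
hi link HogIncludeFile String

hi link HogDylib Statement
hi link HogDylibType Statement
hi link HogDylibFile String

" Variables
" var
hi link HogVar Identifier
hi link HogVarType Keyword
hi link HogVarSet Identifier
hi link HogVarValue String
" ipvar
hi link HogIPVarType Keyword
hi link HogIPVarSet Identifier
" portvar
hi link HogPortVarType Keyword
hi link HogPortVarSet Identifier
hi link HogPort Constant

hi link HogTodo Todo
hi link HogComment Comment
hi link HogString String
hi link HogHexEsc PreProc
hi link HogNumber Number
hi link HogSpecial Constant
hi link HogSpecialAny Constant
hi link HogIPAddr Constant
hi link HogIPCidr Constant
hi link HogOpNot Operator
hi link HogOpRange Operator

hi link HogRuleAction Statement
hi link HogRuleProto Identifier
hi link HogRuleDir Operator
hi link HogRuleOption Keyword
hi link HogRuleChars String

hi link HogFileType HogRuleAction
hi link HogFileTypeOpt HogRuleOption
hi link NotASemiColn HogRuleChars

" Mark the buffer as handled so the guard at the top skips a second load.
let b:current_syntax = "hog"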