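" Vim syntax file
" Language: hog (Snort.conf + .rules)
" Maintainer: Victor Roemer, <[email protected]>.
" Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog
"              2012 Oct 24 -> Originalish release
"
" This file only colours text. It does not parse or validate Snort
" configuration or rules: a keyword, address or option that is highlighted is
" not thereby valid, and one that is left plain is not thereby invalid.

" quit when a syntax file was already loaded
if exists("b:current_syntax")
  finish
endif

" ':' is removed from and '-' added to the keyword characters, so that
" "name:" ends a keyword at the colon and hyphenated names are one keyword.
" This also defines what \k means in HogRuleChars below.
setlocal iskeyword-=:
setlocal iskeyword+=-

" Everything up to 'syn case match' near the end matches case-insensitively.
syn case ignore

" Custom rule types: ruletype NAME { ... }, whose body may hold 'type' and
" 'output' statements.
syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite
syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
syn keyword HogRuleTypeType type contained

" Configurables: preprocessor / config / output NAME: options...
" The options region runs to end of line; its skip pattern passes over
" backslash continuations, comment-only lines and blank lines.
syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite
syn keyword HogConfig config nextgroup=HogConfigName skipwhite
syn keyword HogOutput output nextgroup=HogConfigName skipwhite
syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filters and thresholds
syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syn keyword HogEvFilterKeyword skipwhite event_filter threshold
syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes
syn keyword HogEvFilterTypes skipwhite limit threshold both contained
syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack
syn keyword HogEvFilterTrack skipwhite by_src by_dst contained
syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber

" Suppressions
" NOTE(review): HogSuppressOptions is defined below but is not in this
" region's contains= list, and neither it nor HogEvFilterOptions has a
" 'hi link', so suppress options are probably never coloured. Left as the
" author wrote it; confirm the intent before changing it.
syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
syn keyword HogSuppressKeyword skipwhite suppress
syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber
syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack
syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr

" Attribute table
syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile
syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment
syn keyword HogAttributeType filename

" Includes: the rest of the line is coloured as a file name
syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite
syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment

" Dynamic libraries
syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
syn keyword HogDylibType directory file contained

" Variable dereferenced with '$'
syn match HogVar "\$[[:alnum:]_]\+"

" Variables declared with 'var'
syn keyword HogVarType var nextgroup=HogVarSet skipwhite
syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar'
syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite
syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

" Variables declared with 'portvar'
" (HogOpNot was listed twice in the list's contains=; once is enough.)
syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange
syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange

" Generic items
" Addresses: dotted-quad IPv4 or 'any'. The pattern accepts any 1-3 digits per
" octet (so 999.1.1.1 is coloured too) and has no IPv6 form.
" A second HogIPAddr match for the dotted quad alone and a repeated decimal
" HogNumber line were dropped: each was fully covered by the line kept here.
syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
" Prefix length /0../32. The earlier pattern required the first digit to be
" 0-3, so common prefixes such as /8 were left uncoloured. '3[0-2]' comes
" first because Vim takes the first branch that matches.
syn match HogIPCidr contained "\/\(3[0-2]\|[0-2]\=[0-9]\)"
syn region HogHexEsc contained start='|' end='|' oneline
syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc
syn match HogNumber contained display "\<\d\+\>"
syn match HogNumber contained display "0x\x\+\>"
syn keyword HogSpecial contained true false yes no default all any
syn keyword HogSpecialAny contained any
syn match HogOpNot "!" contained
syn match HogOpRange ":" contained

" Rules: ACTION PROTO SRC_IP SRC_PORT DIR DST_IP DST_PORT ( options )
" Each header field is reached only through the previous field's nextgroup.
syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syn keyword HogRuleProto ip tcp udp icmp skipwhite contained nextgroup=HogRuleSrcIP
syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
" (disabled) ,HogString,HogComment,HogVar,HogOptNot
" (disabled) syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber

" Rule option names. The list is fixed: inside a rule body only these names
" and comments are matched, so an option missing from the list stays plain.
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata content nocase rawbytes
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group

" Option argument: from ':' to the closing ';'
syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
syn match HogURLChars "\%(\.\|?\|=\)\+" contained

" File type rules: lines that start with 'file'
" The keywords' nextgroup used to name HogRuleFROP, a group this file never
" defines; the argument region is HogFileFROP.
syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogFileFROP file type ver category id rev content offset msg group
syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemiColn
syn match NotASemiColn ".*$" contained

" Comments
syn keyword HogTodo XXX TODO NOTE contained
syn match HogTodo "Step\s\+#\=\d\+" contained
syn region HogComment start="#" end="$" contains=HogTodo,@Spell

syn case match

" Sync distance. hog_minlines is a global set in the user's own configuration
" and is pasted into an Ex command as-is, so it must be a plain number.
if !exists("hog_minlines")
  let hog_minlines = 100
endif
exec "syn sync minlines=" . hog_minlines

" Highlight links
hi link HogRuleType Statement
hi link HogRuleTypeName Type
hi link HogRuleTypeType Keyword

hi link HogPreproc Statement
hi link HogConfig Statement
hi link HogOutput Statement
hi link HogConfigName Type

"hi link HogEvFilter
hi link HogEvFilterKeyword Statement
hi link HogSuppressKeyword Statement
hi link HogEvFilterTypes Constant
hi link HogEvFilterTrack Constant

hi link HogAttribute Statement
hi link HogAttributeFile String
hi link HogAttributeType Statement

hi link HogInclude Statement
hi link HogIncludeFile String

hi link HogDylib Statement
hi link HogDylibType Statement
hi link HogDylibFile String

" Variables
" var
hi link HogVar Identifier
hi link HogVarType Keyword
hi link HogVarSet Identifier
hi link HogVarValue String
" ipvar
hi link HogIPVarType Keyword
hi link HogIPVarSet Identifier
" portvar
hi link HogPortVarType Keyword
hi link HogPortVarSet Identifier
hi link HogPort Constant

hi link HogTodo Todo
hi link HogComment Comment
hi link HogString String
hi link HogHexEsc PreProc
hi link HogNumber Number
hi link HogSpecial Constant
hi link HogSpecialAny Constant
hi link HogIPAddr Constant
hi link HogIPCidr Constant
hi link HogOpNot Operator
hi link HogOpRange Operator

hi link HogRuleAction Statement
hi link HogRuleProto Identifier
hi link HogRuleDir Operator
hi link HogRuleOption Keyword
hi link HogRuleChars String

hi link HogFileType HogRuleAction
hi link HogFileTypeOpt HogRuleOption
hi link NotASemiColn HogRuleChars

let b:current_syntax = "hog"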