209 lines
11 KiB
VimL
209 lines
11 KiB
VimL
|
" Vim syntax file
|
||
|
" Language: hog (Snort.conf + .rules)
|
||
|
" Maintainer: Victor Roemer, <vroemer@badsec.org>.
|
||
|
" Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog
|
||
|
" 2012 Oct 24 -> Originalish release
|
||
|
|
||
|
" quit when a syntax file was already loaded
|
||
|
if exists("b:current_syntax")
|
||
|
finish
|
||
|
endif
|
||
|
|
||
|
setlocal iskeyword-=:
|
||
|
setlocal iskeyword+=-
|
||
|
syn case ignore
|
||
|
|
||
|
" Hog ruletype crap
|
||
|
syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite
|
||
|
syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
|
||
|
syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
|
||
|
syn keyword HogRuleTypeType type contained
|
||
|
|
||
|
" Hog Configurables
|
||
|
syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite
|
||
|
syn keyword HogConfig config nextgroup=HogConfigName skipwhite
|
||
|
syn keyword HogOutput output nextgroup=HogConfigName skipwhite
|
||
|
syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
|
||
|
syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment
|
||
|
|
||
|
" Event filter's and threshold's
|
||
|
syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
|
||
|
syn keyword HogEvFilterKeyword skipwhite event_filter threshold
|
||
|
syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes
|
||
|
syn keyword HogEvFilterTypes skipwhite limit threshold both contained
|
||
|
syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack
|
||
|
syn keyword HogEvFilterTrack skipwhite by_src by_dst contained
|
||
|
syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber
|
||
|
|
||
|
" Suppressions
|
||
|
syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
|
||
|
syn keyword HogSuppressKeyword skipwhite suppress
|
||
|
syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber
|
||
|
syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack
|
||
|
syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr
|
||
|
|
||
|
" Attribute table
|
||
|
syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile
|
||
|
syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment
|
||
|
syn keyword HogAttributeType filename
|
||
|
|
||
|
" Hog includes
|
||
|
syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite
|
||
|
syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment
|
||
|
|
||
|
" Hog dynamic libraries
|
||
|
syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
|
||
|
syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
|
||
|
syn keyword HogDylibType directory file contained
|
||
|
|
||
|
" Variable dereferenced with '$'
|
||
|
syn match HogVar "\$[[:alnum:]_]\+"
|
||
|
|
||
|
", Variables declared with 'var'
|
||
|
syn keyword HogVarType var nextgroup=HogVarSet skipwhite
|
||
|
syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
|
||
|
syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment
|
||
|
|
||
|
" Variables declared with 'ipvar'
|
||
|
syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite
|
||
|
syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
|
||
|
syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot
|
||
|
|
||
|
" Variables declared with 'portvar'
|
||
|
syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
|
||
|
syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
|
||
|
syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
|
||
|
syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
|
||
|
|
||
|
" Generic stuff
|
||
|
syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
|
||
|
syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
|
||
|
syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
|
||
|
syn region HogHexEsc contained start='|' end='|' oneline
|
||
|
syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc
|
||
|
|
||
|
" XXX
|
||
|
syn region HogRegexStr contained start='"' end='"' extend oneline
|
||
|
|
||
|
syn match HogNumber contained display "\<\d\+\>"
|
||
|
syn match HogNumber contained display "\<\d\+\>"
|
||
|
syn match HogNumber contained display "0x\x\+\>"
|
||
|
syn keyword HogSpecial contained true false yes no default all any
|
||
|
syn keyword HogSpecialAny contained any
|
||
|
syn match HogOpNot "!" contained
|
||
|
syn match HogOpRange ":" contained
|
||
|
|
||
|
" Rules
|
||
|
syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
|
||
|
syn keyword HogRuleProto ip tcp udp icmp http skipwhite contained nextgroup=HogRuleSrcIP,HogRuleBlock
|
||
|
syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
|
||
|
syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
|
||
|
syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
|
||
|
syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
|
||
|
syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
|
||
|
syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
|
||
|
",HogString,HogComment,HogVar,HogOptNot
|
||
|
"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata service content nocase rawbytes
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_raw_body http_stat_code http_stat_msg
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pkt_data file_data base64_decode base64_data
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group
|
||
|
syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleRegex pcre regex
|
||
|
|
||
|
" XXX
|
||
|
syn region HogRuleRegex start=':' end=";" transparent keepend contained contains=HogRegexStr
|
||
|
|
||
|
syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
|
||
|
syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
|
||
|
syn match HogURLChars "\%(\.\|?\|=\)\+" contained
|
||
|
|
||
|
" Hog File Type Rules
|
||
|
syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
|
||
|
syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group
|
||
|
syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln
|
||
|
syn match NotASemiColn ".*$" contained
|
||
|
|
||
|
|
||
|
" Comments
|
||
|
syn keyword HogTodo XXX TODO NOTE contained
|
||
|
syn match HogTodo "Step\s\+#\=\d\+" contained
|
||
|
syn region HogComment start="#" end="$" contains=HogTodo,@Spell
|
||
|
|
||
|
syn case match
|
||
|
|
||
|
if !exists("hog_minlines")
|
||
|
let hog_minlines = 100
|
||
|
endif
|
||
|
exec "syn sync minlines=" . hog_minlines
|
||
|
|
||
|
hi link HogRuleType Statement
|
||
|
hi link HogRuleTypeName Type
|
||
|
hi link HogRuleTypeType Keyword
|
||
|
|
||
|
hi link HogPreproc Statement
|
||
|
hi link HogConfig Statement
|
||
|
hi link HogOutput Statement
|
||
|
hi link HogConfigName Type
|
||
|
|
||
|
"hi link HogEvFilter
|
||
|
hi link HogEvFilterKeyword Statement
|
||
|
hi link HogSuppressKeyword Statement
|
||
|
hi link HogEvFilterTypes Constant
|
||
|
hi link HogEvFilterTrack Constant
|
||
|
|
||
|
hi link HogAttribute Statement
|
||
|
hi link HogAttributeFile String
|
||
|
hi link HogAttributeType Statement
|
||
|
|
||
|
hi link HogInclude Statement
|
||
|
hi link HogIncludeFile String
|
||
|
|
||
|
hi link HogDylib Statement
|
||
|
hi link HogDylibType Statement
|
||
|
hi link HogDylibFile String
|
||
|
|
||
|
" Variables
|
||
|
" var
|
||
|
hi link HogVar Identifier
|
||
|
hi link HogVarType Keyword
|
||
|
hi link HogVarSet Identifier
|
||
|
hi link HogVarValue String
|
||
|
" ipvar
|
||
|
hi link HogIPVarType Keyword
|
||
|
hi link HogIPVarSet Identifier
|
||
|
" portvar
|
||
|
hi link HogPortVarType Keyword
|
||
|
hi link HogPortVarSet Identifier
|
||
|
hi link HogPort Constant
|
||
|
|
||
|
hi link HogTodo Todo
|
||
|
hi link HogComment Comment
|
||
|
hi link HogString String
|
||
|
hi link HogRegexStr String
|
||
|
hi link HogHexEsc PreProc
|
||
|
hi link HogNumber Number
|
||
|
hi link HogSpecial Constant
|
||
|
hi link HogSpecialAny Constant
|
||
|
hi link HogIPAddr Constant
|
||
|
hi link HogIPCidr Constant
|
||
|
hi link HogOpNot Operator
|
||
|
hi link HogOpRange Operator
|
||
|
|
||
|
hi link HogRuleAction Statement
|
||
|
hi link HogRuleProto Identifier
|
||
|
hi link HogRuleDir Operator
|
||
|
hi link HogRuleOption Keyword
|
||
|
hi link HogRuleChars String
|
||
|
|
||
|
hi link HogFileType HogRuleAction
|
||
|
hi link HogFileTypeOpt HogRuleOption
|
||
|
hi link NotASemiColn HogRuleChars
|
||
|
|
||
|
let b:current_syntax = "hog"
|