" Vim syntax file " Language: hog (Snort.conf + .rules) " Maintainer: Victor Roemer, . " Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog " 2012 Oct 24 -> Originalish release " quit when a syntax file was already loaded if exists("b:current_syntax") finish endif setlocal iskeyword-=: setlocal iskeyword+=- syn case ignore " Hog ruletype crap syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold syn keyword HogRuleTypeType type contained " Hog Configurables syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite syn keyword HogConfig config nextgroup=HogConfigName skipwhite syn keyword HogOutput output nextgroup=HogConfigName skipwhite syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment " Event filter's and threshold's syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment syn keyword HogEvFilterKeyword skipwhite event_filter threshold syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes syn keyword HogEvFilterTypes skipwhite limit threshold both contained syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack syn keyword HogEvFilterTrack skipwhite by_src by_dst contained syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber " Suppressions syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment syn keyword HogSuppressKeyword skipwhite suppress syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr " Attribute table syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment syn keyword HogAttributeType filename " Hog includes syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment " Hog dynamic libraries syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment syn keyword HogDylibType directory file contained " Variable dereferenced with '$' syn match HogVar "\$[[:alnum:]_]\+" ", Variables declared with 'var' syn keyword HogVarType var nextgroup=HogVarSet skipwhite syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment " Variables declared with 'ipvar' syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot " Variables declared with 'portvar' syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange " Generic stuff syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)" syn region HogHexEsc contained start='|' end='|' oneline syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc " XXX syn region HogRegexStr contained start='"' end='"' extend oneline syn match HogNumber contained display "\<\d\+\>" syn match HogNumber contained display "\<\d\+\>" syn match HogNumber contained display "0x\x\+\>" syn keyword HogSpecial contained true false yes no default all any syn keyword HogSpecialAny contained any syn match HogOpNot "!" contained syn match HogOpRange ":" contained " Rules syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock syn keyword HogRuleProto ip tcp udp icmp http skipwhite contained nextgroup=HogRuleSrcIP,HogRuleBlock syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold ",HogString,HogComment,HogVar,HogOptNot "syn region HogRuleOption start="\" end="\ze;" skipwhite contained contains=HogNumber syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata service content nocase rawbytes syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_raw_body http_stat_code http_stat_msg syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pkt_data file_data base64_decode base64_data syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleRegex pcre regex " XXX syn region HogRuleRegex start=':' end=";" transparent keepend contained contains=HogRegexStr syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained syn match HogURLChars "\%(\.\|?\|=\)\+" contained " Hog File Type Rules syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln syn match NotASemiColn ".*$" contained " Comments syn keyword HogTodo XXX TODO NOTE contained syn match HogTodo "Step\s\+#\=\d\+" contained syn region HogComment start="#" end="$" contains=HogTodo,@Spell syn case match if !exists("hog_minlines") let hog_minlines = 100 endif exec "syn sync minlines=" . hog_minlines hi link HogRuleType Statement hi link HogRuleTypeName Type hi link HogRuleTypeType Keyword hi link HogPreproc Statement hi link HogConfig Statement hi link HogOutput Statement hi link HogConfigName Type "hi link HogEvFilter hi link HogEvFilterKeyword Statement hi link HogSuppressKeyword Statement hi link HogEvFilterTypes Constant hi link HogEvFilterTrack Constant hi link HogAttribute Statement hi link HogAttributeFile String hi link HogAttributeType Statement hi link HogInclude Statement hi link HogIncludeFile String hi link HogDylib Statement hi link HogDylibType Statement hi link HogDylibFile String " Variables " var hi link HogVar Identifier hi link HogVarType Keyword hi link HogVarSet Identifier hi link HogVarValue String " ipvar hi link HogIPVarType Keyword hi link HogIPVarSet Identifier " portvar hi link HogPortVarType Keyword hi link HogPortVarSet Identifier hi link HogPort Constant hi link HogTodo Todo hi link HogComment Comment hi link HogString String hi link HogRegexStr String hi link HogHexEsc PreProc hi link HogNumber Number hi link HogSpecial Constant hi link HogSpecialAny Constant hi link HogIPAddr Constant hi link HogIPCidr Constant hi link HogOpNot Operator hi link HogOpRange Operator hi link HogRuleAction Statement hi link HogRuleProto Identifier hi link HogRuleDir Operator hi link HogRuleOption Keyword hi link HogRuleChars String hi link HogFileType HogRuleAction hi link HogFileTypeOpt HogRuleOption hi link NotASemiColn HogRuleChars let b:current_syntax = "hog"