" Vim syntax file
" Language:     hog (Snort.conf + .rules)
" Maintainer:   Victor Roemer, <vroemer@badsec.org>.
" Last Change:  2015 Oct 24 -> Rename syntax items from Snort -> Hog
"               2012 Oct 24 -> Originalish release

" Do nothing when a syntax has already been loaded for this buffer.
if exists("b:current_syntax") | finish | endif

" ':' is removed from and '-' added to the keyword characters for this
" buffer (presumably because ':' introduces option values and names such as
" the one matched by HogConfigName may contain '-').
setlocal iskeyword+=-
setlocal iskeyword-=:

" Everything defined from here on is matched case-insensitively.
syntax case ignore

" User-defined rule types:  ruletype NAME { type ... output ... }
" The keyword chains to the name, and the name chains to the braced body.
syntax keyword HogRuleType      ruletype skipwhite nextgroup=HogRuleTypeName
syntax match   HogRuleTypeName  contained "[[:alnum:]_]\+" skipwhite nextgroup=HogRuleTypeBody
syntax region  HogRuleTypeBody  contained fold start="{" end="}" contains=HogRuleTypeType,HogOutput
syntax keyword HogRuleTypeType  contained type

" Configuration directives:  preprocessor|config|output NAME: options
" All three keywords share HogConfigName for the directive name.
syntax keyword HogPreproc     preprocessor skipwhite nextgroup=HogConfigName
syntax keyword HogConfig      config       skipwhite nextgroup=HogConfigName
syntax keyword HogOutput      output       skipwhite nextgroup=HogConfigName
syntax match   HogConfigName  contained "[[:alnum:]_-]\+" skipwhite nextgroup=HogConfigOpts
" Options run from ':' to end of line. The skip pattern keeps the region
" open across a backslash-continued line, a comment-only line and a blank
" line, so multi-line option lists stay inside one region.
syntax region  HogConfigOpts  contained fold keepend start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filters and thresholds.
" These directives limit how often a rule produces an event, so they are
" worth being able to spot quickly when reviewing a configuration.
" The region is transparent: only the keywords inside it are coloured.
syntax region  HogEvFilter         fold transparent keepend start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syntax keyword HogEvFilterKeyword  event_filter threshold skipwhite
" 'type' is followed by limit|threshold|both.
syntax keyword HogEvFilterOptions  type skipwhite nextgroup=HogEvFilterTypes
syntax keyword HogEvFilterTypes    contained limit threshold both skipwhite
" 'track' is followed by by_src|by_dst.
syntax keyword HogEvFilterOptions  track skipwhite nextgroup=HogEvFilterTrack
syntax keyword HogEvFilterTrack    contained by_src by_dst skipwhite
" The remaining options take a number.
syntax keyword HogEvFilterOptions  gen_id sig_id count seconds skipwhite nextgroup=HogNumber

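" Suppressions:  suppress gen_id N, sig_id N, track by_src|by_dst, ip ADDR
" A suppress line silences a rule (optionally only for one address), so it
" is useful for a reviewer to see its generator/signature ids and address
" clearly.
"
" Fix: HogSuppressOptions is now listed in the region's contains=. The
" region is transparent with an explicit contains list, so without this
" entry the option keywords below were never matched inside a suppress line
" and their nextgroup chains (HogNumber, HogEvFilterTrack, HogIPAddr) never
" started.
syn region  HogEvFilter         start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogSuppressOptions,HogComment
syn keyword HogSuppressKeyword  skipwhite suppress
" gen_id / sig_id take a number.
syn keyword HogSuppressOptions  skipwhite gen_id sig_id nextgroup=HogNumber
" track takes by_src / by_dst (shared with the event filter definitions).
syn keyword HogSuppressOptions  skipwhite track nextgroup=HogEvFilterTrack
" ip takes an address, optionally followed by a CIDR suffix via HogIPAddr.
syn keyword HogSuppressOptions  skipwhite ip nextgroup=HogIPAddr
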
" Attribute table:  attribute_table filename PATH
" The keyword has no skipwhite, so HogAttributeFile starts directly after it
" and covers the rest of the line, including the leading blank.
syntax keyword HogAttribute      attribute_table nextgroup=HogAttributeFile
syntax match   HogAttributeFile  ".*$" contained contains=HogVar,HogAttributeType,HogComment
syntax keyword HogAttributeType  filename

" Include directives:  include PATH
" The rest of the line is treated as the file name; $variables and trailing
" comments inside it keep their own colours.
syntax keyword HogInclude      include skipwhite nextgroup=HogIncludeFile
syntax match   HogIncludeFile  contained ".*$" contains=HogVar,HogComment

" Dynamic library directives:
"   dynamicpreprocessor|dynamicengine|dynamicdetection directory|file PATH
" These lines name libraries that get loaded, so the path is highlighted as a
" string to make it stand out during review.
syntax keyword HogDylib      dynamicpreprocessor dynamicengine dynamicdetection skipwhite nextgroup=HogDylibFile
syntax match   HogDylibFile  contained "\s.*$" contains=HogVar,HogDylibType,HogComment
syntax keyword HogDylibType  contained directory file

" A variable reference: '$' followed by letters, digits or underscores.
syntax match   HogVar       "\$[[:alnum:]_]\+"

" Variables declared with 'var':  var NAME VALUE
" The value is everything up to end of line.
syntax keyword HogVarType   var skipwhite nextgroup=HogVarSet
syntax match   HogVarSet    display contained "[[:alnum:]_]\+" skipwhite nextgroup=HogVarValue
syntax match   HogVarValue  contained ".*$" contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar':  ipvar NAME [addr, !addr, $VAR, [...]]
" HogIPVarList contains itself, which lets bracketed lists nest.
syntax keyword HogIPVarType  ipvar skipwhite nextgroup=HogIPVarSet
syntax match   HogIPVarSet   display contained "[[:alnum:]_]\+" skipwhite nextgroup=HogIPVarList,HogSpecial
syntax region  HogIPVarList  start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

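" Variables declared with 'portvar':  portvar NAME [port, lo:hi, !port, $VAR]
" HogPortVarList contains itself, which lets bracketed lists nest.
" Cleanup: HogOpNot was listed twice in the contains= of HogPortVarList; the
" redundant entry is dropped, the set of contained groups is unchanged.
syn keyword HogPortVarType  portvar nextgroup=HogPortVarSet skipwhite
syn match   HogPortVarSet   "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
syn region  HogPortVarList  start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange
" A port is a run of digits or the word 'any'; a ':' range operator may follow.
" The match is lexical only: it does not check that the number is <= 65535.
syn match   HogPort         "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
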
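" Generic items shared by the sections above and below.
"
" Addresses are matched lexically as four dot-separated groups of one to
" three digits (or the word 'any'). The pattern does not check that each
" octet is <= 255, and there is no IPv6 pattern here, so a highlighted
" address is not necessarily a valid one and an IPv6 address will not be
" coloured as an address.
syn match   HogIPAddr      contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
" NOTE(review): this second pattern is a subset of the one above (dotted
" quad only); it is kept as in the original.
syn match   HogIPAddr      contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
" CIDR suffix: '/' followed by a prefix length up to 32.
syn match   HogIPCidr      contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
" |..| hex escapes are only recognised inside a double-quoted string.
syn region  HogHexEsc      contained start='|' end='|' oneline
syn region  HogString      contained start='"' end='"' extend oneline contains=HogHexEsc
" Decimal and 0x-prefixed hexadecimal numbers.
" Cleanup: the decimal pattern was defined twice with identical arguments;
" the duplicate line is removed.
syn match   HogNumber      contained display "\<\d\+\>"
syn match   HogNumber      contained display "0x\x\+\>"
syn keyword HogSpecial     contained true false yes no default all any
syn keyword HogSpecialAny  contained any
" '!' negates an address or port, ':' separates the ends of a port range.
syn match   HogOpNot       "!" contained
syn match   HogOpRange     ":" contained
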
" Rules:  ACTION PROTO SRC_IP SRC_PORT DIR DST_IP DST_PORT ( options )
" Each element names the next one through nextgroup, so the header is only
" coloured when its fields appear in this order. An action may also be
" followed directly by the option block.
syntax keyword HogRuleAction   activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syntax keyword HogRuleProto    contained ip tcp udp icmp skipwhite nextgroup=HogRuleSrcIP
" Address and port fields are any run of non-blank characters; they are
" transparent, so only the contained items (lists, addresses, variables,
" operators) are coloured.
syntax match   HogRuleSrcIP    contained transparent "\S\+" skipwhite contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syntax match   HogRuleSrcPort  contained transparent "\S\+" skipwhite contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
" Direction operator: '->' or '<>'.
syntax match   HogRuleDir      contained "->\|<>" skipwhite nextgroup=HogRuleDstIP
syntax match   HogRuleDstIP    contained transparent "\S\+" skipwhite contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syntax match   HogRuleDstPort  contained transparent "\S\+" skipwhite contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
" The parenthesised option block; only option keywords and comments are
" allowed directly inside it.
syntax region  HogRuleBlock    contained transparent fold start="(" end=")" skipwhite contains=HogRuleOption,HogComment
" Disabled leftovers from the original file, kept for reference:
",HogString,HogComment,HogVar,HogOptNot
"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
" Rule option keywords. Every keyword may be followed by a ':' ... ';'
" argument, which is handled by HogRuleSROP.
syntax keyword HogRuleOption  msg gid sid rev classtype priority metadata content nocase rawbytes skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  depth offset distance within http_client_body http_cookie http_raw_cookie http_header skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  logto session resp react tag activates activated_by count replace detection_filter skipwhite contained nextgroup=HogRuleSROP
syntax keyword HogRuleOption  threshold reference sd_pattern file_type file_group skipwhite contained nextgroup=HogRuleSROP

" Option argument: from ':' up to the terminating ';'. keepend stops a
" contained item from running past that ';'.
syntax region  HogRuleSROP    contained transparent keepend start=':' end=";" contains=HogRuleChars,HogString,HogNumber
" Unquoted argument text: keyword characters plus . ? = / % &
syntax match   HogRuleChars   contained "\%(\k\|\.\|?\|=\|/\|%\|&\)\+"
" NOTE(review): HogURLChars is not referenced by any other item shown in
" this file and has no highlight link.
syntax match   HogURLChars    contained "\%(\.\|?\|=\)\+"

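" Hog File Type Rules: any line whose first word starts with 'file'.
" The line itself is transparent; only its option keywords and their
" ':' ... ';' arguments are coloured.
"
" Fixes:
"  - HogFileTypeOpt pointed its nextgroup at HogRuleFROP, a group that is
"    not defined anywhere in this file; it now names HogFileFROP, the
"    region defined just below (presumably what was intended).
"  - The contains= of HogFileFROP spelled the group 'NotASemicoln' while the
"    definition and the highlight link use 'NotASemiColn'; the spelling is
"    made consistent.
syn match   HogFileType     /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
syn keyword HogFileTypeOpt  skipwhite contained nextgroup=HogFileFROP file type ver category id rev content offset msg group
syn region  HogFileFROP     start=':' end=";" transparent keepend contained contains=NotASemiColn
" Argument text of a file-type option; keepend on the enclosing region cuts
" it off at the ';'.
syn match   NotASemiColn    ".*$" contained

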
" Comments run from '#' to end of line. Inside them XXX/TODO/NOTE and
" 'Step #N' markers are highlighted, and spell checking is enabled.
syntax keyword HogTodo     contained XXX TODO NOTE
syntax match   HogTodo     contained "Step\s\+#\=\d\+"
syntax region  HogComment  start="#" end="$" contains=HogTodo,@Spell

" Back to case-sensitive matching for anything defined after this file.
syntax case match

" Number of lines Vim looks back to synchronise highlighting; defaults to
" 100 unless hog_minlines was set beforehand.
" NOTE(review): the value is concatenated into an Ex command, so it should
" be a plain number coming from the user's own configuration.
if !exists("hog_minlines") | let hog_minlines = 100 | endif
execute "syn sync minlines=" . hog_minlines

" Highlight links: map each Hog group onto a standard highlight group.

" Rule types
highlight link HogRuleType         Statement
highlight link HogRuleTypeName     Type
highlight link HogRuleTypeType     Keyword

" Configuration directives
highlight link HogPreproc          Statement
highlight link HogConfig           Statement
highlight link HogOutput           Statement
highlight link HogConfigName       Type

" Event filters and suppressions (the enclosing region stays unlinked)
"hi link HogEvFilter
highlight link HogEvFilterKeyword  Statement
highlight link HogSuppressKeyword  Statement
highlight link HogEvFilterTypes    Constant
highlight link HogEvFilterTrack    Constant

" Attribute table
highlight link HogAttribute        Statement
highlight link HogAttributeFile    String
highlight link HogAttributeType    Statement

" Includes
highlight link HogInclude          Statement
highlight link HogIncludeFile      String

" Dynamic libraries
highlight link HogDylib            Statement
highlight link HogDylibType        Statement
highlight link HogDylibFile        String

" Variables
" var
highlight link HogVar          Identifier
highlight link HogVarType      Keyword
highlight link HogVarSet       Identifier
highlight link HogVarValue     String
" ipvar
highlight link HogIPVarType    Keyword
highlight link HogIPVarSet     Identifier
" portvar
highlight link HogPortVarType  Keyword
highlight link HogPortVarSet   Identifier
highlight link HogPort         Constant

" Comments, literals and operators
highlight link HogTodo         Todo
highlight link HogComment      Comment
highlight link HogString       String
highlight link HogHexEsc       PreProc
highlight link HogNumber       Number
highlight link HogSpecial      Constant
highlight link HogSpecialAny   Constant
highlight link HogIPAddr       Constant
highlight link HogIPCidr       Constant
highlight link HogOpNot        Operator
highlight link HogOpRange      Operator

" Rules
highlight link HogRuleAction   Statement
highlight link HogRuleProto    Identifier
highlight link HogRuleDir      Operator
highlight link HogRuleOption   Keyword
highlight link HogRuleChars    String

" File type rules reuse the rule colours by linking to the rule groups.
highlight link HogFileType     HogRuleAction
highlight link HogFileTypeOpt  HogRuleOption
highlight link NotASemiColn    HogRuleChars

" Record that this buffer's syntax is loaded; the guard at the top of the
" file tests this variable.
let b:current_syntax = "hog"