" Vim syntax file
" Language:     hog (Snort.conf + .rules)
" Maintainer:   Victor Roemer, <vroemer@badsec.org>.
" Last Change:  2015 Oct 24 -> Rename syntax items from Snort -> Hog
"               2012 Oct 24 -> Originalish release
" Do nothing when another syntax file has already been loaded for this buffer.
if exists('b:current_syntax')
  finish
endif

" ':' stops being a keyword character and '-' becomes one. These are
" buffer-local option changes, so they affect word motions and searches in
" the buffer as well as the keyword matching below.
setlocal iskeyword-=: iskeyword+=-
" Everything up to the 'syn case match' further down matches
" case-insensitively.
syntax case ignore

" Custom rule types: `ruletype NAME { type ... output ... }`.
" The keyword hands over to the name, and the name to the braced body.
syntax keyword HogRuleType     ruletype skipwhite nextgroup=HogRuleTypeName
syntax match   HogRuleTypeName "[[:alnum:]_]\+" contained skipwhite nextgroup=HogRuleTypeBody
syntax region  HogRuleTypeBody start="{" end="}" contained fold contains=HogRuleTypeType,HogOutput
syntax keyword HogRuleTypeType type contained

" Configurable items: `preprocessor NAME: opts`, `config NAME: opts`,
" `output NAME: opts`.
syntax keyword HogPreproc    preprocessor skipwhite nextgroup=HogConfigName
syntax keyword HogConfig     config       skipwhite nextgroup=HogConfigName
syntax keyword HogOutput     output       skipwhite nextgroup=HogConfigName
syntax match   HogConfigName "[[:alnum:]_-]\+" contained skipwhite nextgroup=HogConfigOpts
" The option list starts at ':' and normally ends at end of line. The skip
" pattern keeps it open across a backslash followed by the rest of the line,
" a line holding only a comment, and an empty line.
syntax region  HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" contained keepend fold contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filters and thresholds.
" The region covers one logical line, using the same continuation, comment
" and blank-line skip pattern as HogConfigOpts.
syntax region  HogEvFilter        start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" transparent keepend fold contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syntax keyword HogEvFilterKeyword event_filter threshold skipwhite
" `type` is followed by one of limit/threshold/both.
syntax keyword HogEvFilterOptions type skipwhite nextgroup=HogEvFilterTypes
syntax keyword HogEvFilterTypes   limit threshold both contained skipwhite
" `track` is followed by by_src or by_dst.
syntax keyword HogEvFilterOptions track skipwhite nextgroup=HogEvFilterTrack
syntax keyword HogEvFilterTrack   by_src by_dst contained skipwhite
" The remaining options take a number.
syntax keyword HogEvFilterOptions gen_id sig_id count seconds skipwhite nextgroup=HogNumber

" Suppressions. A suppress line silences alerts for a generator/signature id,
" optionally limited to a tracked address, so it is worth spotting in review.
" The region reuses the HogEvFilter group name.
" NOTE(review): HogSuppressOptions is not listed in this region's contains=
" and has no `hi link` in this file; confirm whether that is intended.
syntax region  HogEvFilter        start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" transparent keepend fold contains=HogSuppressKeyword,HogComment
syntax keyword HogSuppressKeyword suppress skipwhite
syntax keyword HogSuppressOptions gen_id sig_id skipwhite nextgroup=HogNumber
syntax keyword HogSuppressOptions track skipwhite nextgroup=HogEvFilterTrack
syntax keyword HogSuppressOptions ip skipwhite nextgroup=HogIPAddr

" Attribute table: `attribute_table filename PATH`.
" Everything after the keyword up to end of line is treated as the file part.
syntax keyword HogAttribute     attribute_table nextgroup=HogAttributeFile
syntax match   HogAttributeFile ".*$" contained contains=HogVar,HogAttributeType,HogComment
syntax keyword HogAttributeType filename

" Includes: `include PATH`. The path is only coloured as a string; it is not
" checked for existence or location.
syntax keyword HogInclude     include skipwhite nextgroup=HogIncludeFile
syntax match   HogIncludeFile ".*$" contained contains=HogVar,HogComment

" Dynamic libraries: `dynamicpreprocessor|dynamicengine|dynamicdetection`
" followed by `directory PATH` or `file PATH`. These directives name shared
" objects for the sensor to load, so the paths deserve attention in review;
" the highlighting itself does not validate them.
syntax keyword HogDylib     dynamicpreprocessor dynamicengine dynamicdetection skipwhite nextgroup=HogDylibFile
syntax match   HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
syntax keyword HogDylibType directory file contained

" Variable dereferenced with '$', e.g. $NAME.
syntax match HogVar "\$[[:alnum:]_]\+"

" Variables declared with 'var': `var NAME VALUE`, value runs to end of line.
syntax keyword HogVarType  var skipwhite nextgroup=HogVarSet
syntax match   HogVarSet   "[[:alnum:]_]\+" contained display skipwhite nextgroup=HogVarValue
syntax match   HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar': `ipvar NAME [list]` or a special word.
" HogIPVarList contains itself, so bracketed lists may nest.
syntax keyword HogIPVarType ipvar skipwhite nextgroup=HogIPVarSet
syntax match   HogIPVarSet  "[[:alnum:]_]\+" contained display skipwhite nextgroup=HogIPVarList,HogSpecial
syntax region  HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

" Variables declared with 'portvar': a single port, a range, a negation, a
" special word or a (possibly nested) bracketed list.
syntax keyword HogPortVarType portvar skipwhite nextgroup=HogPortVarSet
syntax match   HogPortVarSet  "[[:alnum:]_]\+" contained display skipwhite nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial
syntax region  HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
" A port is any run of digits or the word `any`; the pattern does not check
" that the number is a valid port.
syntax match   HogPort        "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange

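" Generic value patterns shared by the groups above and below.
" These only colour text that looks like a value; nothing is range-checked.
" Each IPv4 octet is any run of one to three digits (so 999.1.1.1 is
" highlighted), the CIDR suffix covers IPv4 prefix lengths only, and no
" pattern here matches IPv6 literals. Highlighting is not validation.
"
" A second HogIPAddr pattern (dotted quad without `any`) and a repeated
" decimal HogNumber pattern were dropped: each was fully covered by the
" definition kept here, with the same group and the same nextgroup.
syntax match   HogIPAddr     "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" contained nextgroup=HogIPCidr
syntax match   HogIPCidr     "\/\([0-2][0-9]\=\|3[0-2]\=\)" contained
" |..| escapes inside strings; the content between the bars is not checked.
syntax region  HogHexEsc     start='|' end='|' contained oneline
" No skip= is given, so the first double quote after the opening one closes
" the string, including one preceded by a backslash.
syntax region  HogString     start='"' end='"' contained extend oneline contains=HogHexEsc
" Decimal and 0x-prefixed hexadecimal numbers.
syntax match   HogNumber     "\<\d\+\>" contained display
syntax match   HogNumber     "0x\x\+\>" contained display
syntax keyword HogSpecial    true false yes no default all any contained
syntax keyword HogSpecialAny any contained
" '!' negation and ':' range operators.
syntax match   HogOpNot      "!" contained
syntax match   HogOpRange    ":" contained
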
" Rules. The header is matched as a nextgroup chain:
"   action -> proto -> src ip -> src port -> direction -> dst ip -> dst port
"   -> (options)
" An action may also be followed directly by the option block.
syntax keyword HogRuleAction  activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syntax keyword HogRuleProto   ip tcp udp icmp contained skipwhite nextgroup=HogRuleSrcIP
" Address and port fields are any run of non-blank characters; the contained
" groups colour the parts they recognise.
syntax match   HogRuleSrcIP   "\S\+" contained transparent skipwhite contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syntax match   HogRuleSrcPort "\S\+" contained transparent skipwhite contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
syntax match   HogRuleDir     "->\|<>" contained skipwhite nextgroup=HogRuleDstIP
syntax match   HogRuleDstIP   "\S\+" contained transparent skipwhite contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syntax match   HogRuleDstPort "\S\+" contained transparent skipwhite contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
syntax region  HogRuleBlock   start="(" end=")" contained transparent skipwhite fold contains=HogRuleOption,HogComment
" Disabled leftovers kept from the original file:
",HogString,HogComment,HogVar,HogOptNot
"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
" Rule option keywords. Each may be followed by a `: value ;` part, which is
" handled by HogRuleSROP.
syntax keyword HogRuleOption msg gid sid rev classtype priority metadata content nocase rawbytes contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption depth offset distance within http_client_body http_cookie http_raw_cookie http_header contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption logto session resp react tag activates activated_by count replace detection_filter contained skipwhite nextgroup=HogRuleSROP
syntax keyword HogRuleOption threshold reference sd_pattern file_type file_group contained skipwhite nextgroup=HogRuleSROP

" Value part of a rule option, from ':' up to the closing ';'.
syntax region HogRuleSROP  start=':' end=";" contained transparent keepend contains=HogRuleChars,HogString,HogNumber
" Unquoted value text: keyword characters plus . ? = / % &
syntax match  HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
" NOTE(review): HogURLChars is not listed in any contains= and has no
" `hi link` in this file; confirm whether it is still needed.
syntax match  HogURLChars  "\%(\.\|?\|=\)\+" contained

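" File type rules: any line whose first word starts with `file`.
syntax match   HogFileType    /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
" Options are followed by a `: value ;` part. nextgroup names HogFileFROP,
" the region defined just below; the name HogRuleFROP is not defined anywhere
" in this file, so a nextgroup pointing at it could never match.
syntax keyword HogFileTypeOpt file type ver category id rev content offset msg group contained skipwhite nextgroup=HogFileFROP
" Value part of a file rule option, from ':' up to ';'. The contained match
" takes the rest of the line and keepend cuts it off at the ';'.
syntax region  HogFileFROP    start=':' end=";" contained transparent keepend contains=NotASemiColn
syntax match   NotASemiColn   ".*$" contained

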
" Comments run from '#' to end of line and are spell-checked. Inside them,
" XXX/TODO/NOTE and `Step N` / `Step #N` markers are picked out.
syntax keyword HogTodo    XXX TODO NOTE contained
syntax match   HogTodo    "Step\s\+#\=\d\+" contained
syntax region  HogComment start="#" end="$" contains=HogTodo,@Spell

" Back to case-sensitive matching for anything defined after this file.
syntax case match

" Number of lines to look back when synchronising; the user may preset
" hog_minlines, otherwise 100 is used. The value is concatenated into the
" command unchecked, so it is expected to be a number.
if exists("hog_minlines") == 0
  let hog_minlines = 100
endif
execute "syn sync minlines=" . hog_minlines

" Map the Hog groups onto the standard highlight groups.

" Rule types
highlight link HogRuleType        Statement
highlight link HogRuleTypeName    Type
highlight link HogRuleTypeType    Keyword

" Configurables
highlight link HogPreproc         Statement
highlight link HogConfig          Statement
highlight link HogOutput          Statement
highlight link HogConfigName      Type

" Event filters, thresholds and suppressions (the region itself is unlinked)
"hi link HogEvFilter
highlight link HogEvFilterKeyword Statement
highlight link HogSuppressKeyword Statement
highlight link HogEvFilterTypes   Constant
highlight link HogEvFilterTrack   Constant

" Attribute table
highlight link HogAttribute       Statement
highlight link HogAttributeFile   String
highlight link HogAttributeType   Statement

" Includes
highlight link HogInclude         Statement
highlight link HogIncludeFile     String

" Dynamic libraries
highlight link HogDylib           Statement
highlight link HogDylibType       Statement
highlight link HogDylibFile       String

" Variables
" var
highlight link HogVar             Identifier
highlight link HogVarType         Keyword
highlight link HogVarSet          Identifier
highlight link HogVarValue        String
" ipvar
highlight link HogIPVarType       Keyword
highlight link HogIPVarSet        Identifier
" portvar
highlight link HogPortVarType     Keyword
highlight link HogPortVarSet      Identifier
highlight link HogPort            Constant

" Generic values and operators
highlight link HogTodo            Todo
highlight link HogComment         Comment
highlight link HogString          String
highlight link HogHexEsc          PreProc
highlight link HogNumber          Number
highlight link HogSpecial         Constant
highlight link HogSpecialAny      Constant
highlight link HogIPAddr          Constant
highlight link HogIPCidr          Constant
highlight link HogOpNot           Operator
highlight link HogOpRange         Operator

" Rules
highlight link HogRuleAction      Statement
highlight link HogRuleProto       Identifier
highlight link HogRuleDir         Operator
highlight link HogRuleOption      Keyword
highlight link HogRuleChars       String

" File type rules reuse the rule colours
highlight link HogFileType        HogRuleAction
highlight link HogFileTypeOpt     HogRuleOption
highlight link NotASemiColn       HogRuleChars

" Mark the buffer as handled so the guard at the top skips a second load.
let b:current_syntax = 'hog'