runtime/syntax/hog.vim

" Vim syntax file
" Language: hog (Snort.conf + .rules)
" Maintainer: Victor Roemer, <vroemer@badsec.org>.
" Last Change: 2019 Sep 22
"              2012 Oct 24  -> Originalish release
"              2019 Sep 22  -> included PR 3069

" quit when a syntax file was already loaded
if exists("b:current_syntax")
    finish
endif

setlocal iskeyword-=:
setlocal iskeyword+=-
syn case ignore

" Hog ruletype crap
syn keyword     HogRuleType       ruletype nextgroup=HogRuleTypeName skipwhite
syn match       HogRuleTypeName   "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
syn region      HogRuleTypeBody   start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
syn keyword     HogRuleTypeType   type contained

" Hog Configurables
syn keyword     HogPreproc    preprocessor nextgroup=HogConfigName skipwhite
syn keyword     HogConfig     config nextgroup=HogConfigName skipwhite
syn keyword     HogOutput     output nextgroup=HogConfigName skipwhite
syn match       HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
syn region      HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filter's and threshold's
syn region      HogEvFilter         start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syn keyword     HogEvFilterKeyword  skipwhite event_filter threshold
syn keyword     HogEvFilterOptions  skipwhite type nextgroup=HogEvFilterTypes
syn keyword     HogEvFilterTypes    skipwhite limit threshold both contained
syn keyword     HogEvFilterOptions  skipwhite track nextgroup=HogEvFilterTrack
syn keyword     HogEvFilterTrack    skipwhite by_src by_dst contained
syn keyword     HogEvFilterOptions  skipwhite gen_id sig_id count seconds nextgroup=HogNumber

" Suppressions
syn region      HogEvFilter         start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
syn keyword     HogSuppressKeyword  skipwhite suppress
syn keyword     HogSuppressOptions  skipwhite gen_id sig_id nextgroup=HogNumber
syn keyword     HogSuppressOptions  skipwhite track nextgroup=HogEvFilterTrack
syn keyword     HogSuppressOptions  skipwhite ip nextgroup=HogIPAddr

" Attribute table
syn keyword     HogAttribute        attribute_table nextgroup=HogAttributeFile
syn match       HogAttributeFile    contained ".*$" contains=HogVar,HogAttributeType,HogComment
syn keyword     HogAttributeType    filename

" Hog includes
syn keyword     HogInclude    include nextgroup=HogIncludeFile skipwhite
syn match       HogIncludeFile ".*$" contained contains=HogVar,HogComment

" Hog dynamic libraries
syn keyword     HogDylib      dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
syn match       HogDylibFile  "\s.*$" contained contains=HogVar,HogDylibType,HogComment
syn keyword     HogDylibType  directory file contained

" Variable dereferenced with '$'
syn match       HogVar        "\$[[:alnum:]_]\+"

", Variables declared with 'var'
syn keyword     HogVarType    var nextgroup=HogVarSet skipwhite
syn match       HogVarSet     "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
syn match       HogVarValue   ".*$" contained contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar'
syn keyword     HogIPVarType  ipvar nextgroup=HogIPVarSet skipwhite
syn match       HogIPVarSet   "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
syn region      HogIPVarList  start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

" Variables declared with 'portvar'
syn keyword     HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
syn match       HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
syn region      HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
syn match       HogPort       "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange

" Generic stuff
syn match       HogIPAddr     contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
syn match       HogIPAddr     contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
syn match       HogIPCidr     contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
syn region      HogHexEsc     contained start='|' end='|' oneline
syn region      HogString     contained start='"' end='"' extend oneline contains=HogHexEsc
syn match       HogNumber     contained display "\<\d\+\>"
syn match       HogNumber     contained display "\<\d\+\>"
syn match       HogNumber     contained display "0x\x\+\>"
syn keyword     HogSpecial    contained true false yes no default all any
syn keyword     HogSpecialAny contained any
syn match       HogOpNot      "!" contained
syn match       HogOpRange    ":" contained

" Rules
syn keyword     HogRuleAction     activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syn keyword     HogRuleProto      ip tcp tcp-pkt tcp-stream udp icmp http ftp tls smb dns dcerpc ssh smtp imap msn modbus dnp3 enip nfs ikev2 ntp skipwhite contained nextgroup=HogRuleSrcIP
syn match       HogRuleSrcIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syn match       HogRuleSrcPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
syn match       HogRuleDir        "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
syn match       HogRuleDstIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syn match       HogRuleDstPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
syn region      HogRuleBlock      start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
",HogString,HogComment,HogVar,HogOptNot
"syn region      HogRuleOption     start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata target content nocase rawbytes
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP depth startswith offset distance within http_client_body http_cookie http_raw_cookie http_header
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_raw_header http_request_line http_method http_uri http_raw_uri http_protocol http_response_line http_stat_code http_stat_msg
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_user_agent http_accept http_accept_enc http_accept_lang http_connection http_content_type http_content_len
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_referer http_start http_header_names http_server_body http_host http_raw_host
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP filename fileext filemagic filestore filemd5 filesha1 filesha256 filesize
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP dns_query tls_cert_subject tls_cert_issuer tls_cert_serial tls_cert_fingerprint
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP tls_sni tls_cert_notbefore tls_cert_notafter tls_cert_expired tls_cert_valid
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP tls.version tls.subject tls.issuerdn tls.fingerprint tls.store ja3_hash ja3_string
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP modbus dnp3_func dnp3_ind dnp3_obj dnp3_data enip_command cip_service
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP app-layer-protocol app-layer-event xbits iprep lua luajit
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP fast_pattern prefilter uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpdata_command ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts geoip fragbits dsize flags flow flowbits flowint seq ack window
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group

syn region      HogRuleSROP     start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
syn match       HogRuleChars    "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
syn match       HogURLChars     "\%(\.\|?\|=\)\+" contained

" Hog File Type Rules
syn match       HogFileType   /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
syn keyword     HogFileTypeOpt  skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group 
syn region      HogFileFROP  start=':' end=";" transparent keepend contained contains=NotASemicoln
syn match       NotASemiColn   ".*$" contained


" Comments
syn keyword HogTodo   XXX TODO NOTE contained
syn match   HogTodo   "Step\s\+#\=\d\+" contained
syn region HogComment start="#" end="$" contains=HogTodo,@Spell

syn case match

if !exists("hog_minlines")
    let hog_minlines = 100
endif
exec "syn sync minlines=" . hog_minlines

hi link HogRuleType           Statement
hi link HogRuleTypeName       Type
hi link HogRuleTypeType       Keyword

hi link HogPreproc            Statement
hi link HogConfig             Statement
hi link HogOutput             Statement
hi link HogConfigName         Type

"hi link HogEvFilter
hi link HogEvFilterKeyword    Statement
hi link HogSuppressKeyword    Statement
hi link HogEvFilterTypes      Constant
hi link HogEvFilterTrack      Constant

hi link HogAttribute          Statement
hi link HogAttributeFile      String
hi link HogAttributeType      Statement

hi link HogInclude            Statement
hi link HogIncludeFile        String

hi link HogDylib              Statement
hi link HogDylibType          Statement
hi link HogDylibFile          String

" Variables
" var
hi link HogVar                Identifier
hi link HogVarType            Keyword
hi link HogVarSet             Identifier
hi link HogVarValue           String
" ipvar
hi link HogIPVarType          Keyword
hi link HogIPVarSet           Identifier
" portvar
hi link HogPortVarType         Keyword
hi link HogPortVarSet          Identifier
hi link HogPort                Constant

hi link HogTodo               Todo
hi link HogComment            Comment
hi link HogString             String
hi link HogHexEsc             PreProc
hi link HogNumber             Number
hi link HogSpecial            Constant
hi link HogSpecialAny         Constant
hi link HogIPAddr             Constant
hi link HogIPCidr             Constant
hi link HogOpNot              Operator
hi link HogOpRange            Operator

hi link HogRuleAction         Statement
hi link HogRuleProto          Identifier
hi link HogRuleDir            Operator
hi link HogRuleOption         Keyword
hi link HogRuleChars           String 

hi link HogFileType    HogRuleAction
hi link HogFileTypeOpt HogRuleOption
hi link NotASemiColn     HogRuleChars

let b:current_syntax = "hog"