summaryrefslogtreecommitdiffstats
path: root/runtime/syntax/hog.vim
diff options
context:
space:
mode:
Diffstat (limited to 'runtime/syntax/hog.vim')
-rw-r--r--runtime/syntax/hog.vim208
1 files changed, 208 insertions, 0 deletions
diff --git a/runtime/syntax/hog.vim b/runtime/syntax/hog.vim
new file mode 100644
index 0000000..24aa203
--- /dev/null
+++ b/runtime/syntax/hog.vim
@@ -0,0 +1,208 @@
+" Vim syntax file
+" Language: hog (Snort.conf + .rules)
+" Maintainer: Victor Roemer, <vroemer@badsec.org>.
+" Last Change: 2019 Sep 22
+" 2012 Oct 24 -> Originalish release
+" 2019 Sep 22 -> included PR 3069
+
+" quit when a syntax file was already loaded
+if exists("b:current_syntax")
+ finish
+endif
+
+setlocal iskeyword-=:
+setlocal iskeyword+=-
+syn case ignore
+
+" Hog ruletype crap
+syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite
+syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
+syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
+syn keyword HogRuleTypeType type contained
+
+" Hog Configurables
+syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite
+syn keyword HogConfig config nextgroup=HogConfigName skipwhite
+syn keyword HogOutput output nextgroup=HogConfigName skipwhite
+syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
+syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment
+
+" Event filter's and threshold's
+syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
+syn keyword HogEvFilterKeyword skipwhite event_filter threshold
+syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes
+syn keyword HogEvFilterTypes skipwhite limit threshold both contained
+syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack
+syn keyword HogEvFilterTrack skipwhite by_src by_dst contained
+syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber
+
+" Suppressions
+syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
+syn keyword HogSuppressKeyword skipwhite suppress
+syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber
+syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack
+syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr
+
+" Attribute table
+syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile
+syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment
+syn keyword HogAttributeType filename
+
+" Hog includes
+syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite
+syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment
+
+" Hog dynamic libraries
+syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
+syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
+syn keyword HogDylibType directory file contained
+
+" Variable dereferenced with '$'
+syn match HogVar "\$[[:alnum:]_]\+"
+
+", Variables declared with 'var'
+syn keyword HogVarType var nextgroup=HogVarSet skipwhite
+syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
+syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment
+
+" Variables declared with 'ipvar'
+syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite
+syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
+syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot
+
+" Variables declared with 'portvar'
+syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
+syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
+syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
+syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
+
+" Generic stuff
+syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
+syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
+syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
+syn region HogHexEsc contained start='|' end='|' oneline
+syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc
+syn match HogNumber contained display "\<\d\+\>"
+syn match HogNumber contained display "\<\d\+\>"
+syn match HogNumber contained display "0x\x\+\>"
+syn keyword HogSpecial contained true false yes no default all any
+syn keyword HogSpecialAny contained any
+syn match HogOpNot "!" contained
+syn match HogOpRange ":" contained
+
+" Rules
+syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
+syn keyword HogRuleProto ip tcp tcp-pkt tcp-stream udp icmp http ftp tls smb dns dcerpc ssh smtp imap msn modbus dnp3 enip nfs ikev2 ntp skipwhite contained nextgroup=HogRuleSrcIP
+syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
+syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
+syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
+syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
+syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
+syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
+",HogString,HogComment,HogVar,HogOptNot
+"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata target content nocase rawbytes
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth startswith offset distance within http_client_body http_cookie http_raw_cookie http_header
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_request_line http_method http_uri http_raw_uri http_protocol http_response_line http_stat_code http_stat_msg
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_user_agent http_accept http_accept_enc http_accept_lang http_connection http_content_type http_content_len
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_referer http_start http_header_names http_server_body http_host http_raw_host
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP filename fileext filemagic filestore filemd5 filesha1 filesha256 filesize
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP dns_query tls_cert_subject tls_cert_issuer tls_cert_serial tls_cert_fingerprint
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP tls_sni tls_cert_notbefore tls_cert_notafter tls_cert_expired tls_cert_valid
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP tls.version tls.subject tls.issuerdn tls.fingerprint tls.store ja3_hash ja3_string
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP modbus dnp3_func dnp3_ind dnp3_obj dnp3_data enip_command cip_service
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP app-layer-protocol app-layer-event xbits iprep lua luajit
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern prefilter uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpdata_command ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts geoip fragbits dsize flags flow flowbits flowint seq ack window
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group
+
+syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
+syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
+syn match HogURLChars "\%(\.\|?\|=\)\+" contained
+
+" Hog File Type Rules
+syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
+syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group
+syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln
+syn match NotASemiColn ".*$" contained
+
+
+" Comments
+syn keyword HogTodo XXX TODO NOTE contained
+syn match HogTodo "Step\s\+#\=\d\+" contained
+syn region HogComment start="#" end="$" contains=HogTodo,@Spell
+
+syn case match
+
+if !exists("hog_minlines")
+ let hog_minlines = 100
+endif
+exec "syn sync minlines=" . hog_minlines
+
+hi link HogRuleType Statement
+hi link HogRuleTypeName Type
+hi link HogRuleTypeType Keyword
+
+hi link HogPreproc Statement
+hi link HogConfig Statement
+hi link HogOutput Statement
+hi link HogConfigName Type
+
+"hi link HogEvFilter
+hi link HogEvFilterKeyword Statement
+hi link HogSuppressKeyword Statement
+hi link HogEvFilterTypes Constant
+hi link HogEvFilterTrack Constant
+
+hi link HogAttribute Statement
+hi link HogAttributeFile String
+hi link HogAttributeType Statement
+
+hi link HogInclude Statement
+hi link HogIncludeFile String
+
+hi link HogDylib Statement
+hi link HogDylibType Statement
+hi link HogDylibFile String
+
+" Variables
+" var
+hi link HogVar Identifier
+hi link HogVarType Keyword
+hi link HogVarSet Identifier
+hi link HogVarValue String
+" ipvar
+hi link HogIPVarType Keyword
+hi link HogIPVarSet Identifier
+" portvar
+hi link HogPortVarType Keyword
+hi link HogPortVarSet Identifier
+hi link HogPort Constant
+
+hi link HogTodo Todo
+hi link HogComment Comment
+hi link HogString String
+hi link HogHexEsc PreProc
+hi link HogNumber Number
+hi link HogSpecial Constant
+hi link HogSpecialAny Constant
+hi link HogIPAddr Constant
+hi link HogIPCidr Constant
+hi link HogOpNot Operator
+hi link HogOpRange Operator
+
+hi link HogRuleAction Statement
+hi link HogRuleProto Identifier
+hi link HogRuleDir Operator
+hi link HogRuleOption Keyword
+hi link HogRuleChars String
+
+hi link HogFileType HogRuleAction
+hi link HogFileTypeOpt HogRuleOption
+hi link NotASemiColn HogRuleChars
+
+let b:current_syntax = "hog"