Diffstat (limited to 'runtime/syntax/hog.vim')
-rw-r--r-- | runtime/syntax/hog.vim | 208 |
1 files changed, 208 insertions, 0 deletions
diff --git a/runtime/syntax/hog.vim b/runtime/syntax/hog.vim
new file mode 100644
index 0000000..24aa203
--- /dev/null
+++ b/runtime/syntax/hog.vim
@@ -0,0 +1,208 @@
+" Vim syntax file
+" Language: hog (Snort.conf + .rules)
+" Maintainer: Victor Roemer, <vroemer@badsec.org>.
+" Last Change: 2019 Sep 22
+" 2012 Oct 24 -> Originalish release
+" 2019 Sep 22 -> included PR 3069
+
+" quit when a syntax file was already loaded
+if exists("b:current_syntax")
+ finish
+endif
+
+setlocal iskeyword-=:
+setlocal iskeyword+=-
+syn case ignore
+
+" Hog ruletype crap
+syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite
+syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
+syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
+syn keyword HogRuleTypeType type contained
+
+" Hog Configurables
+syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite
+syn keyword HogConfig config nextgroup=HogConfigName skipwhite
+syn keyword HogOutput output nextgroup=HogConfigName skipwhite
+syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
+syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment
+
+" Event filter's and threshold's
+syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
+syn keyword HogEvFilterKeyword skipwhite event_filter threshold
+syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes
+syn keyword HogEvFilterTypes skipwhite limit threshold both contained
+syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack
+syn keyword HogEvFilterTrack skipwhite by_src by_dst contained
+syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber
+
+" Suppressions
+syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
+syn keyword HogSuppressKeyword skipwhite suppress
+syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber
+syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack
+syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr
+
+" Attribute table
+syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile
+syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment
+syn keyword HogAttributeType filename
+
+" Hog includes
+syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite
+syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment
+
+" Hog dynamic libraries
+syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
+syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment
+syn keyword HogDylibType directory file contained
+
+" Variable dereferenced with '$'
+syn match HogVar "\$[[:alnum:]_]\+"
+
+", Variables declared with 'var'
+syn keyword HogVarType var nextgroup=HogVarSet skipwhite
+syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
+syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment
+
+" Variables declared with 'ipvar'
+syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite
+syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
+syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot
+
+" Variables declared with 'portvar'
+syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
+syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
+syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
+syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
+
+" Generic stuff
+syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
+syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
+syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
+syn region HogHexEsc contained start='|' end='|' oneline
+syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc
+syn match HogNumber contained display "\<\d\+\>"
+syn match HogNumber contained display "\<\d\+\>"
+syn match HogNumber contained display "0x\x\+\>"
+syn keyword HogSpecial contained true false yes no default all any
+syn keyword HogSpecialAny contained any
+syn match HogOpNot "!" contained
+syn match HogOpRange ":" contained
+
+" Rules
+syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
+syn keyword HogRuleProto ip tcp tcp-pkt tcp-stream udp icmp http ftp tls smb dns dcerpc ssh smtp imap msn modbus dnp3 enip nfs ikev2 ntp skipwhite contained nextgroup=HogRuleSrcIP
+syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
+syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
+syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
+syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
+syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
+syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
+",HogString,HogComment,HogVar,HogOptNot
+"syn region HogRuleOption start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata target content nocase rawbytes
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth startswith offset distance within http_client_body http_cookie http_raw_cookie http_header
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_request_line http_method http_uri http_raw_uri http_protocol http_response_line http_stat_code http_stat_msg
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_user_agent http_accept http_accept_enc http_accept_lang http_connection http_content_type http_content_len
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_referer http_start http_header_names http_server_body http_host http_raw_host
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP filename fileext filemagic filestore filemd5 filesha1 filesha256 filesize
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP dns_query tls_cert_subject tls_cert_issuer tls_cert_serial tls_cert_fingerprint
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP tls_sni tls_cert_notbefore tls_cert_notafter tls_cert_expired tls_cert_valid
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP tls.version tls.subject tls.issuerdn tls.fingerprint tls.store ja3_hash ja3_string
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP modbus dnp3_func dnp3_ind dnp3_obj dnp3_data enip_command cip_service
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP app-layer-protocol app-layer-event xbits iprep lua luajit
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern prefilter uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpdata_command ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts geoip fragbits dsize flags flow flowbits flowint seq ack window
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
+syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group
+
+syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
+syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
+syn match HogURLChars "\%(\.\|?\|=\)\+" contained
+
+" Hog File Type Rules
+syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
+syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group
+syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln
+syn match NotASemiColn ".*$" contained
+
+
+" Comments
+syn keyword HogTodo XXX TODO NOTE contained
+syn match HogTodo "Step\s\+#\=\d\+" contained
+syn region HogComment start="#" end="$" contains=HogTodo,@Spell
+
+syn case match
+
+if !exists("hog_minlines")
+ let hog_minlines = 100
+endif
+exec "syn sync minlines=" . hog_minlines
+
+hi link HogRuleType Statement
+hi link HogRuleTypeName Type
+hi link HogRuleTypeType Keyword
+
+hi link HogPreproc Statement
+hi link HogConfig Statement
+hi link HogOutput Statement
+hi link HogConfigName Type
+
+"hi link HogEvFilter
+hi link HogEvFilterKeyword Statement
+hi link HogSuppressKeyword Statement
+hi link HogEvFilterTypes Constant
+hi link HogEvFilterTrack Constant
+
+hi link HogAttribute Statement
+hi link HogAttributeFile String
+hi link HogAttributeType Statement
+
+hi link HogInclude Statement
+hi link HogIncludeFile String
+
+hi link HogDylib Statement
+hi link HogDylibType Statement
+hi link HogDylibFile String
+
+" Variables
+" var
+hi link HogVar Identifier
+hi link HogVarType Keyword
+hi link HogVarSet Identifier
+hi link HogVarValue String
+" ipvar
+hi link HogIPVarType Keyword
+hi link HogIPVarSet Identifier
+" portvar
+hi link HogPortVarType Keyword
+hi link HogPortVarSet Identifier
+hi link HogPort Constant
+
+hi link HogTodo Todo
+hi link HogComment Comment
+hi link HogString String
+hi link HogHexEsc PreProc
+hi link HogNumber Number
+hi link HogSpecial Constant
+hi link HogSpecialAny Constant
+hi link HogIPAddr Constant
+hi link HogIPCidr Constant
+hi link HogOpNot Operator
+hi link HogOpRange Operator
+
+hi link HogRuleAction Statement
+hi link HogRuleProto Identifier
+hi link HogRuleDir Operator
+hi link HogRuleOption Keyword
+hi link HogRuleChars String
+
+hi link HogFileType HogRuleAction
+hi link HogFileTypeOpt HogRuleOption
+hi link NotASemiColn HogRuleChars
+
+let b:current_syntax = "hog" |
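Review bot: `HogFileTypeOpt` is declared with `nextgroup=HogRuleFROP`, but no group of that name is defined anywhere in the file; the region defined on the following line is `HogFileFROP`, so the reference is dead and should read `nextgroup=HogFileFROP`. Separately, the `syn keyword HogRuleOption` line listing `tls.version tls.subject tls.issuerdn tls.fingerprint tls.store` will most likely never match, because `:syn keyword` only matches keyword characters and the file adds `-` but not `.` to 'iskeyword'; those names would need a `syn match`. The two `setlocal iskeyword` lines near the top also change word motions and `*` searches in the buffer, where `syn iskeyword` would limit the change to highlighting. In a rules file, an option that silently fails to highlight is indistinguishable from a typo, which is the very thing the highlighting is there to expose.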