forked from aniani/vim
		
	
		
			
				
	
	
		
			201 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			VimL
		
	
	
	
	
	
			
		
		
	
	
			201 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			VimL
		
	
	
	
	
	
| " Vim syntax file
 | |
| " Language: hog (Snort.conf + .rules)
 | |
| " Maintainer: Victor Roemer, <vroemer@badsec.org>.
 | |
| " Last Change: 2015 Oct 24  -> Rename syntax items from Snort -> Hog
 | |
| "              2012 Oct 24  -> Originalish release
 | |
| 
 | |
| if version < 600
 | |
|     syntax clear
 | |
| elseif exists("b:current_syntax")
 | |
|     finish
 | |
| endif
 | |
| 
 | |
| setlocal iskeyword-=:
 | |
| setlocal iskeyword+=-
 | |
| syn case ignore
 | |
| 
 | |
| " Hog ruletype crap
 | |
| syn keyword     HogRuleType       ruletype nextgroup=HogRuleTypeName skipwhite
 | |
| syn match       HogRuleTypeName   "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
 | |
| syn region      HogRuleTypeBody   start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
 | |
| syn keyword     HogRuleTypeType   type contained
 | |
| 
 | |
| " Hog Configurables
 | |
| syn keyword     HogPreproc    preprocessor nextgroup=HogConfigName skipwhite
 | |
| syn keyword     HogConfig     config nextgroup=HogConfigName skipwhite
 | |
| syn keyword     HogOutput     output nextgroup=HogConfigName skipwhite
 | |
| syn match       HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
 | |
| syn region      HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment
 | |
| 
 | |
| " Event filter's and threshold's
 | |
| syn region      HogEvFilter         start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
 | |
| syn keyword     HogEvFilterKeyword  skipwhite event_filter threshold
 | |
| syn keyword     HogEvFilterOptions  skipwhite type nextgroup=HogEvFilterTypes
 | |
| syn keyword     HogEvFilterTypes    skipwhite limit threshold both contained
 | |
| syn keyword     HogEvFilterOptions  skipwhite track nextgroup=HogEvFilterTrack
 | |
| syn keyword     HogEvFilterTrack    skipwhite by_src by_dst contained
 | |
| syn keyword     HogEvFilterOptions  skipwhite gen_id sig_id count seconds nextgroup=HogNumber
 | |
| 
 | |
| " Suppressions
 | |
| syn region      HogEvFilter         start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
 | |
| syn keyword     HogSuppressKeyword  skipwhite suppress
 | |
| syn keyword     HogSuppressOptions  skipwhite gen_id sig_id nextgroup=HogNumber
 | |
| syn keyword     HogSuppressOptions  skipwhite track nextgroup=HogEvFilterTrack
 | |
| syn keyword     HogSuppressOptions  skipwhite ip nextgroup=HogIPAddr
 | |
| 
 | |
| " Attribute table
 | |
| syn keyword     HogAttribute        attribute_table nextgroup=HogAttributeFile
 | |
| syn match       HogAttributeFile    contained ".*$" contains=HogVar,HogAttributeType,HogComment
 | |
| syn keyword     HogAttributeType    filename
 | |
| 
 | |
| " Hog includes
 | |
| syn keyword     HogInclude    include nextgroup=HogIncludeFile skipwhite
 | |
| syn match       HogIncludeFile ".*$" contained contains=HogVar,HogComment
 | |
| 
 | |
| " Hog dynamic libraries
 | |
| syn keyword     HogDylib      dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
 | |
| syn match       HogDylibFile  "\s.*$" contained contains=HogVar,HogDylibType,HogComment
 | |
| syn keyword     HogDylibType  directory file contained
 | |
| 
 | |
| " Variable dereferenced with '$'
 | |
| syn match       HogVar        "\$[[:alnum:]_]\+"
 | |
| 
 | |
| ", Variables declared with 'var'
 | |
| syn keyword     HogVarType    var nextgroup=HogVarSet skipwhite
 | |
| syn match       HogVarSet     "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
 | |
| syn match       HogVarValue   ".*$" contained contains=HogString,HogNumber,HogVar,HogComment
 | |
| 
 | |
| " Variables declared with 'ipvar'
 | |
| syn keyword     HogIPVarType  ipvar nextgroup=HogIPVarSet skipwhite
 | |
| syn match       HogIPVarSet   "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
 | |
| syn region      HogIPVarList  start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot
 | |
| 
 | |
| " Variables declared with 'portvar'
 | |
| syn keyword     HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
 | |
| syn match       HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
 | |
| syn region      HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
 | |
| syn match       HogPort       "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
 | |
| 
 | |
| " Generic stuff
 | |
| syn match       HogIPAddr     contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
 | |
| syn match       HogIPAddr     contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
 | |
| syn match       HogIPCidr     contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
 | |
| syn region      HogHexEsc     contained start='|' end='|' oneline
 | |
| syn region      HogString     contained start='"' end='"' extend oneline contains=HogHexEsc
 | |
| syn match       HogNumber     contained display "\<\d\+\>"
 | |
| syn match       HogNumber     contained display "\<\d\+\>"
 | |
| syn match       HogNumber     contained display "0x\x\+\>"
 | |
| syn keyword     HogSpecial    contained true false yes no default all any
 | |
| syn keyword     HogSpecialAny contained any
 | |
| syn match       HogOpNot      "!" contained
 | |
| syn match       HogOpRange    ":" contained
 | |
| 
 | |
| " Rules
 | |
| syn keyword     HogRuleAction     activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
 | |
| syn keyword     HogRuleProto      ip tcp udp icmp skipwhite contained nextgroup=HogRuleSrcIP
 | |
| syn match       HogRuleSrcIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
 | |
| syn match       HogRuleSrcPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
 | |
| syn match       HogRuleDir        "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
 | |
| syn match       HogRuleDstIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
 | |
| syn match       HogRuleDstPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
 | |
| syn region      HogRuleBlock      start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
 | |
| ",HogString,HogComment,HogVar,HogOptNot
 | |
| "syn region      HogRuleOption     start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata content nocase rawbytes
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
 | |
| syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group
 | |
| 
 | |
| syn region      HogRuleSROP     start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
 | |
| syn match       HogRuleChars    "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
 | |
| syn match       HogURLChars     "\%(\.\|?\|=\)\+" contained
 | |
| 
 | |
| " Hog File Type Rules
 | |
| syn match       HogFileType   /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
 | |
| syn keyword     HogFileTypeOpt  skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group 
 | |
| syn region      HogFileFROP  start=':' end=";" transparent keepend contained contains=NotASemicoln
 | |
| syn match       NotASemiColn   ".*$" contained
 | |
| 
 | |
| 
 | |
| " Comments
 | |
| syn keyword HogTodo   XXX TODO NOTE contained
 | |
| syn match   HogTodo   "Step\s\+#\=\d\+" contained
 | |
| syn region HogComment start="#" end="$" contains=HogTodo,@Spell
 | |
| 
 | |
| syn case match
 | |
| 
 | |
| if !exists("hog_minlines")
 | |
|     let hog_minlines = 100
 | |
| endif
 | |
| exec "syn sync minlines=" . hog_minlines
 | |
| 
 | |
| hi link HogRuleType           Statement
 | |
| hi link HogRuleTypeName       Type
 | |
| hi link HogRuleTypeType       Keyword
 | |
| 
 | |
| hi link HogPreproc            Statement
 | |
| hi link HogConfig             Statement
 | |
| hi link HogOutput             Statement
 | |
| hi link HogConfigName         Type
 | |
| 
 | |
| "hi link HogEvFilter
 | |
| hi link HogEvFilterKeyword    Statement
 | |
| hi link HogSuppressKeyword    Statement
 | |
| hi link HogEvFilterTypes      Constant
 | |
| hi link HogEvFilterTrack      Constant
 | |
| 
 | |
| hi link HogAttribute          Statement
 | |
| hi link HogAttributeFile      String
 | |
| hi link HogAttributeType      Statement
 | |
| 
 | |
| hi link HogInclude            Statement
 | |
| hi link HogIncludeFile        String
 | |
| 
 | |
| hi link HogDylib              Statement
 | |
| hi link HogDylibType          Statement
 | |
| hi link HogDylibFile          String
 | |
| 
 | |
| " Variables
 | |
| " var
 | |
| hi link HogVar                Identifier
 | |
| hi link HogVarType            Keyword
 | |
| hi link HogVarSet             Identifier
 | |
| hi link HogVarValue           String
 | |
| " ipvar
 | |
| hi link HogIPVarType          Keyword
 | |
| hi link HogIPVarSet           Identifier
 | |
| " portvar
 | |
| hi link HogPortVarType         Keyword
 | |
| hi link HogPortVarSet          Identifier
 | |
| hi link HogPort                Constant
 | |
| 
 | |
| hi link HogTodo               Todo
 | |
| hi link HogComment            Comment
 | |
| hi link HogString             String
 | |
| hi link HogHexEsc             PreProc
 | |
| hi link HogNumber             Number
 | |
| hi link HogSpecial            Constant
 | |
| hi link HogSpecialAny         Constant
 | |
| hi link HogIPAddr             Constant
 | |
| hi link HogIPCidr             Constant
 | |
| hi link HogOpNot              Operator
 | |
| hi link HogOpRange            Operator
 | |
| 
 | |
| hi link HogRuleAction         Statement
 | |
| hi link HogRuleProto          Identifier
 | |
| hi link HogRuleDir            Operator
 | |
| hi link HogRuleOption         Keyword
 | |
| hi link HogRuleChars           String 
 | |
| 
 | |
| hi link HogFileType    HogRuleAction
 | |
| hi link HogFileTypeOpt HogRuleOption
 | |
| hi link NotASemiColn     HogRuleChars
 | |
| 
 | |
| let b:current_syntax = "hog"
 |