[Snort-users] vim snort syntax file

Phil Wood cpw at ...440...
Wed Jan 24 20:01:59 EST 2007


I've just made a few changes to the vim syntax file:

  /usr/share/vim/vim70/syntax/hog.vim

on my Debian box.  In the past this file was available at

  http://public.lanl.gov/cpw
  
from a file:

  hog-vim.tar.gz

However, due to draconian measures which I have yet to overcome,
I am not able to update the web site at this time.

Consequently, for the few of you that may use vi to modify your
snort rules, you will find attached my updated vim file.

-- 
Phil Wood (cpw_at-sign_lanl.gov)
-------------- next part --------------
" Snort syntax file
" Language:	      Snort Configuration File (see: http://www.snort.org)
" Maintainer:	  Phil Wood, cpw at ...440...
" Last Change:	  $Date: 2007/01/24 17:53:00 $
" Filenames:	  *.hog *.rules snort.conf vision.conf
" URL:		      http://public.lanl.gov/cpw/vim/syntax/hog.vim
" Snort Version:  2.3 By Martin Roesch (roesch at ...66..., www.snort.org)
" TODO            include syntax not reflected in current set of snort rules

" Load guard.
" Vim 5.x: clear all syntax items before redefining them.
if version < 600
   syntax clear
elseif exists("b:current_syntax")
" Vim 6.x and later: a syntax file has already set b:current_syntax for
" this buffer, so stop here instead of defining the items a second time.
   finish
endif

" Trailing comment: whitespace, then '#', running to end of line.  The
" character right after '#' must not be one of - : . % # = *, so a '#'
" followed by one of those is not treated as a comment.  lc=1 makes the
" leading whitespace context rather than part of the highlighted match.
syn match  hogComment	+\s\#[^\-:.%#=*].*$+lc=1	contains=hogTodo,hogCommentString
" A '#'-delimited span inside a comment.
" NOTE(review): with ' as the pattern delimiter the final + in the start
" pattern is a literal plus sign, not a quantifier - confirm that is intended.
syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#'

" Generic tokens.  All are 'contained', so they match only inside a group
" that names them in contains= or nextgroup=.
" hogNumber: an unsigned decimal integer standing as a whole word.
syn match   hogNumber contained	"\<\d\+\>"
" hogText: from the first non-blank character up to the next comma.
syn region  hogText contained oneline start='\S' end=',' skipwhite
" NOTE(review): inside [] Vim does not expand \a and \A as character
" classes, so this collection may not mean "any letter" - confirm.
syn match   hogAscii contained "\<[\a\A]\+\>" 

" hogTexts: a word made of letters, digits and - _ . :
syn match   hogTexts contained  "\<[a-zA-Z0-9\-_\.\:]\+\>"
" hogFileName: path-like tokens.  The two commented-out lines are earlier
" attempts; of the two active patterns the second requires at least one '/'.
"syn match   hogFileName contained  "\<[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*\>"
"syn match   hogFileName contained  "\<[a-zA-Z\-\._/]*[/a-zA-Z\-\._]*\>"
syn match   hogFileName contained  "[a-zA-Z0-9\#\-\._/]*[/_\.\#\-a-zA-Z0-9]*"
syn match   hogFileName contained  "[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*"

" Environment Variables
" =====================
" Variable references written $NAME or ${NAME}.  The active patterns allow
" a leading '!' only on the braced form; the two commented-out lines are an
" earlier version that allowed it on both forms.
"syn match hogEnvvar contained	"[\!]\=\$\I\i*"
"syn match hogEnvvar contained	"[\!]\=\${\I\i*}"
syn match hogEnvvar contained	"\$\I\i*"
syn match hogEnvvar contained	"[\!]\=\${\I\i*}"
" Single-character operators; used by the byte_test operator field
" (hogATESTReq2Grp).
syn match hogOperator contained "[\<\>=!&]"

" Pieces that may appear inside a quoted string:
"   hogEscapeBrace - a bracketed [...] collection (transparent, so it takes
"                    the colour of the enclosing string)
"   hogPatSep      - a backslash followed by | ( or )
"   hogNotPatSep   - an escaped backslash
syn region       hogEscapeBrace   oneline contained transparent     start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1
syn match        hogPatSep        contained        "\\[|()]"
syn match        hogNotPatSep     contained        "\\\\"
" hogString: a double-quoted string on one line.  The active definition
" skips only a doubled quote (""); the commented-out earlier version skipped
" a backslash-escaped quote instead.
" NOTE(review): a string holding a backslash-escaped quote is therefore
" highlighted as ending at that quote, so the colouring of such a rule does
" not show where the string really ends - confirm against how the rules in
" use escape quotes.
"syn region       hogString        oneline          start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1                contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline
syn region       hogString        oneline          start=+"+  skip=+""+  end=+"+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline

" Beginners - Patterns that involve ^
"
" Whole-line comment: optional blanks or tabs, then '#', to end of line.
syn match  hogLineComment	+^[ \t]*#.*$+	contains=hogTodo,hogCommentString,hogCommentTitle
" Comment title: capitalised word(s) directly after the '#', ending in ':'.
" ms=s+1 keeps the '#' itself out of the match.
syn match  hogCommentTitle	'#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained
" TODO marker inside comments.
syn keyword hogTodo contained	TODO

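" Rule keywords
" Words of the threshold option, one group per argument position so that
" each hogThreshArg* region accepts only the word expected at its position.
syn keyword hogThreshTyp contained type
" Snort accepts three threshold types.  "threshold" was missing from this
" list, so a rule with "type threshold" lost the highlighting of its type
" value.
syn keyword hogThreshTypOpt contained limit threshold both
syn keyword hogThreshTrk contained track
syn keyword hogThreshTrkOpt contained by_src by_dst
syn keyword hogThreshCnt contained count
syn keyword hogThreshSec contained seconds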
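" Arguments of the rpc option: an application number, then a version and a
" procedure, each of which is either a number or '*'.
syn match   hogARPCOpt contained "\d\+,\*,\*"
syn match   hogARPCOpt contained "\d\+,\d\+,\*"
syn match   hogARPCOpt contained "\d\+,\*,\d\+"
" The last field used to be a bare \d, which highlighted only the first
" digit of a multi-digit procedure number.
syn match   hogARPCOpt contained "\d\+,\d\+,\d\+"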
" Modifier words for the tag, byte_test, byte_jump and isdataat options,
" one keyword list per group.
" tag (hogATAGOptGrp):
syn keyword hogATAGOpt   contained session host dst src seconds packets bytes
" byte_test, and shared with byte_jump (hogATESTOptGrp, hogAJUMPOptGrp):
syn keyword hogATESTOpt  contained relative big little string hex dec oct
" byte_jump only:
syn keyword hogAJUMPOpt  contained align
" isdataat:
syn keyword hogISDATAOpt contained relative
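" Values of the resp option.
syn keyword hogARespOpt contained rst_snd rst_rcv rst_all icmp_net icmp_host icmp_port icmp_all skipwhite
" Values of the react option; "proxy" must be followed directly by digits.
syn keyword hogAReactOpt contained block warn msg skipwhite
syn match   hogAReactOpt contained "proxy\d\+" skipwhite
" Values of the flow option.
syn keyword hogAFlowOpt contained to_server to_client from_server from_client stateless established skipwhite
" Actions of the flowbits option.  unset, toggle and isnotset were missing,
" so a rule using one of them showed the action word unhighlighted.
syn keyword hogAFlowBitOpt contained set unset toggle isset isnotset noalert skipwhite
syn keyword hogAFOpt contained logto content_list skipwhite
" Values of the ipopts option.
syn keyword hogAIPOptVal contained  eol nop ts sec lsrr lsrre satid ssrr rr skipwhite
" Reference systems named in the reference option.  The match patterns
" accept the capitalisations spelled out in their brackets.
syn keyword hogARefGrps contained arachnids symantec nessus skipwhite
syn match   hogARefGrps contained "[Bb]ugtraq" skipwhite
syn match   hogARefGrps contained "[Uu][Rr][Ll]" skipwhite
syn match   hogARefGrps contained "[Cc]ve" skipwhite
syn match   hogARefGrps contained "[Mm][Cc][Aa][Ff][Ee][Ee]" skipwhite
" Values of the session option.
syn keyword hogSessionVal contained  printable all skipwhite
" Letters (and digits / comma) accepted after flags: and fragbits:.
syn match   hogAFlagOpt contained "[0FSRPAUfsrpau21,]\+" skipwhite
syn match   hogAFragOpt contained "[DRMdrm]\+" skipwhite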
"
" Words accepted on an "output alert_syslog" line (see hogSyslogRegion).
" Syslog facilities:
syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_USER LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7
" Syslog priorities:
syn keyword hogSysPri contained LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
" Syslog options:
syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
" Rule types usable after "type" inside a ruletype block (see hogRuleTypes):
syn keyword hogRuleType contained log pass alert activate dynamic redalert
"
" hog rule handler '(.*)'
"
" Every rule option is a hogAOpt region running from the option name to
" just before its ':' (me=e-1 leaves the ':' unconsumed).  nextgroup= then
" hands over to a chain of argument regions: each one starts on the
" delimiter its predecessor left behind (start="." with hs=s+1, so the
" highlighting begins one character later) and stops just before the next
" ',' or ';'.
"
" rpc: a single argument group holding the hogARPCOpt triple.
syn region  hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite
syn region  hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite

" byte_jump: two numeric fields, then modifier words up to the ';'.
syn region  hogAOpt contained oneline start="byte_jump" end=":"me=e-1 nextgroup=hogAJUMPReq1Grp skipwhite
syn region  hogAJUMPReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPReq2Grp skipwhite
syn region  hogAJUMPReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPOptGrp skipwhite
syn region  hogAJUMPOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogAJUMPOpt,hogATESTOpt skipwhite

" byte_test: number, operator, number, number, then modifier words.  The
" last region skips over commas and names itself as nextgroup.
syn region  hogAOpt contained oneline start="byte_test" end=":"me=e-1 nextgroup=hogATESTReq1Grp  skipwhite
syn region  hogATESTReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq2Grp skipwhite
syn region  hogATESTReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogOperator skipwhite nextgroup=hogATESTReq3Grp skipwhite
syn region  hogATESTReq3Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq4Grp skipwhite
syn region  hogATESTReq4Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTOptGrp skipwhite
syn region  hogATESTOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATESTOpt nextgroup=hogATESTOptGrp skipwhite 

" threshold: four "word value" pairs.  An ArgN region ends at the space
" after the word, the matching ArgNOpt region at the following comma (or
" at ';' for the last pair).  The chain fixes the order type, track,
" count, seconds.
" NOTE(review): a rule listing these arguments in another order presumably
" will not be highlighted by this chain - confirm.
syn region  hogAOpt contained oneline start="threshold" end=":"me=e-1 nextgroup=hogThreshArg1  skipwhite
syn region  hogThreshArg1 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshTyp skipwhite nextgroup=hogThreshArg1Opt skipwhite
syn region  hogThreshArg1Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogThreshTypOpt skipwhite nextgroup=hogThreshArg2 skipwhite
syn region  hogThreshArg2 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshTrk skipwhite nextgroup=hogThreshArg2Opt skipwhite
syn region  hogThreshArg2Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogThreshTrkOpt skipwhite nextgroup=hogThreshArg3 skipwhite
syn region  hogThreshArg3 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshCnt skipwhite nextgroup=hogThreshArg3Opt skipwhite
syn region  hogThreshArg3Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogNumber skipwhite nextgroup=hogThreshArg4 skipwhite
syn region  hogThreshArg4 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshSec skipwhite nextgroup=hogThreshArg4Opt skipwhite
syn region  hogThreshArg4Opt contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite


" isdataat: a number up to the comma, then the modifier word up to ';'.
syn region  hogAOpt contained oneline start="isdataat" end=":"me=e-1 nextgroup=hogISDATAReq1Grp skipwhite
syn region  hogISDATAReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber nextgroup=hogISDATAOptGrp skipwhite
syn region  hogISDATAOptGrp contained oneline start="." end="[;]" contains=hogISDATAOpt skipwhite

" pcre: everything up to ';' (commas skipped); only hogString is
" highlighted inside.
syn region  hogAOpt contained oneline start="pcre" end=":"me=e-1 nextgroup=hogPCREReq skipwhite
syn region  hogPCREReq contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite

" asn1: same shape as pcre.
syn region  hogAOpt contained oneline start="asn1" end=":"me=e-1 nextgroup=hogASN1Req skipwhite
syn region  hogASN1Req contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite

" tag: modifier words and numbers up to ';'.
syn region  hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite
syn region  hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite
"
" nocase / sameip: options without an argument; the region ends just
" before the ';'.
syn region  hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend
"
" resp, react, flow, flowbits: a list of value words.  Each *Opts region
" covers one value up to ',' or ';' and names itself as nextgroup, so the
" list can have any length.
syn region  hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite
syn region  hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts
"
syn region  hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite
syn region  hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts

    syn region hogAOpt contained start="flow" end=":"me=e-1 nextgroup=hogAFlowOpts skipwhite
    syn region hogAFlowOpts contained oneline start="." end="[,;]" contains=hogAFlowOpt skipwhite nextgroup=hogAFlowOpts

" start="flow" above also matches the first four letters of "flowbits".
" Keep this definition after it: when two items start at the same position
" Vim prefers the one defined last.
syn region hogAOpt contained start="flowbits" end=":"me=e-1 nextgroup=hogAFlowBitsOpts skipwhite
syn region hogAFlowBitsOpts contained oneline start="." end="[,;]"me=e-1 contains=hogAFlowBitOpt nextgroup=hogAFlowBitsOpts skipwhite


" Options taking a single number.  The alternatives in start= are not
" anchored to word boundaries.
syn region  hogAOpt contained oneline start="distance\|within\|window\|depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|sid\|rev\|id\|offset\|ip_proto" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite
syn region  hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend

" classtype: a hogTexts word up to ';'.
syn region  hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogATextGrp skipwhite
syn region hogATextGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogTexts skipwhite oneline keepend

" Options taking a quoted string.  The active hogAStrGrp ends at the first
" ';' and has no skip= pattern; the two commented-out variants skipped "\;".
" NOTE(review): with no skip=, a ';' inside the quoted string ends the
" region early, so the rest of such a rule is coloured as if a new option
" had begun - confirm whether the rules in use contain such strings.
syn region  hogAOpt contained oneline start="regex\|msg\|content\|uricontent" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite
"syn region  hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
"syn region  hogAStrGrp contained oneline start="."hs=s+1 skip="\\;" end=";"me=e-1 contains=hogString skipwhite oneline keepend
syn region  hogAStrGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString skipwhite oneline keepend

" Options taking a file name.
syn region  hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
syn region  hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite

" reference: a reference system up to the comma, then the id up to ';'.
syn region  hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite
syn region  hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite
syn region  hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite

" flags, fragbits, ipopts, session: these regions include the ':' and pass
" straight to the value group named in nextgroup, with no wrapper region.
syn region  hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend

syn region  hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFragOpt skipwhite oneline keepend

syn region  hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend

"syn region  hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite

syn region  hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite

" Rule body.
" NOTE(review): the purpose of the empty end-of-line match "nothing" and of
" the first hogRules region (start and end both "$") is not evident from
" this file - confirm before changing them.
syn match   nothing  "$"
syn region  hogRules oneline  contains=nothing start='$' end="$" 
" hogRules: from '(' to a ')' at end of line; reached via nextgroup from
" hogActDest, but it is not 'contained', so any '(' at top level starts it.
syn region  hogRules oneline  contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite
" hogRule: one option, up to its ';' (a backslash-escaped "\;" is skipped).
syn region  hogRule  contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend
" hogAOpts: wrapper in which the individual hogAOpt regions are recognised.
syn region  hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite


" ruletype command
" "ruletype" is followed by the rule name (hogRuleName, ending at the first
" whitespace) and then by a { ... } block.
syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite 
syn region  hogRuleName  contained  start="." end="\s" contains=hogFileName  nextgroup=hogRTypeRegion
" type ruletype sub type
" Inside the block, "type" is followed by one of the hogRuleType words.
" The region below is spelled hogRtypeRegion while the nextgroup above says
" hogRTypeRegion; Vim compares group names without regard to case.
syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart
syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite
syn region  hogRuleTypes  contained  start="." end="\s" contains=hogRuleType nextgroup=hogOutStart


" var command
" "var", then the variable name up to the first whitespace (hogVarIdent),
" then the value to end of line (hogVarRegion), in which addresses,
" variable references, numbers, words, strings and file names are
" highlighted.
syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite 
syn region  hogVarIdent contained  start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite 
syn region  hogVarRegion  contained  oneline  start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogTexts,hogString,hogFileName end="$"he=s-1 keepend skipwhite

" config command
" "config" is followed by one directive name, then by ':' and the value.
syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType
" Directive names in alphabetical order.  Each is matched as a whole word,
" so one name being a prefix of another (dump_payload and
" dump_payload_verbose) causes no clash.
syn match hogConfigType contained "\<alert_with_interface_name\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<alertfile\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<bpf_file\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<checksum_mode\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<chroot\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<classification\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<daemon\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<decode_arp\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<decode_data_link\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<detection\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<disable_decode_alerts\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_chars_only\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_payload\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_payload_verbose\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<ghetto_msg\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<interface\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<logdir\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<min_ttl\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<no_promisc\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<nolog\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<obfuscate\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<order\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<pkt_count\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<quiet\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<read_bin_file\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<reference\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<reference_net\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<set_gid\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<set_uid\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<show_year\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<snaplen\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<stateful\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<umask\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<utc\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<verbose\>" nextgroup=hogConfigTypeRegion skipwhite
" Value: from just after the ':' to end of line.
syn region  hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText,hogEnvvar keepend skipwhite

" include command
" "include" followed by a file name or variable reference; the region runs
" from the end of the keyword to end of line.
syn keyword hogIncStart	include  skipwhite nextgroup=hogIncRegion
syn region  hogIncRegion  contained  oneline  start="\>" contains=hogFileName,hogEnvvar end="$" keepend

" preprocessor command
" "preprocessor" is followed by a preprocessor name (hogPPr); nextgroup
" selects the argument region for that name.  Most names use the generic
" hogPPrRegion, a few have a region of their own with its own keyword list.
"
" Keep the order of these lines.  With the default 'iskeyword', '-' is not
" a word character, so "\<spade\>" also matches the first word of
" "spade-homenet"; the longer names are defined later, and Vim prefers the
" item defined last when two start at the same position.
syn keyword hogPPrStart	preprocessor  skipwhite nextgroup=hogPPr
syn match hogPPr   contained  "\<arpspoof\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<arpspoof_detect_host\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<asn1_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<bo\>" nextgroup=hogPPrBO skipwhite
syn match hogPPr   contained  "\<conversation\>" nextgroup=hogConvRegion skipwhite
syn match hogPPr   contained  "\<fnord\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<frag2\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<http_decode\>" nextgroup=hogPPrHTTP skipwhite
syn match hogPPr   contained  "\<http_decode_ignore\>" nextgroup=hogPPrHTTPIgnore skipwhite
" NOTE(review): the brackets in the next pattern form a character
" collection, so it matches "portscan" followed by any run of the
" characters - i g n o r e h s t.  That covers portscan and
" portscan-ignorehosts but other strings too - confirm intent.
syn match hogPPr     contained "\<portscan[-ignorehosts]*\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr     contained "\<portscan2\>" nextgroup=hogPS2Region skipwhite
syn match hogPPr     contained "\<scan2-ignorehosts\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<rpc_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<stream4\>" nextgroup=hogStream4Region skipwhite
syn match hogPPr   contained  "\<stream4_reassemble\>" nextgroup=hogStream4rRegion skipwhite
syn match hogPPr   contained  "\<telnet_neg\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<telnet_negotiation\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<telnet_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-homenet\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-correlate\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-threshlearn\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-stats\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-adapt\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-adapt2\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-adapt3\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<spade-survey\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<unidecode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<minfrag\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr   contained  "\<perfmonitor\>" nextgroup=hogPMRegion skipwhite
" Generic argument region: from the ':' to end of line.  The commented-out
" lines are alternative start/end choices that were tried.
"syn region  hogPPrRegion contained oneline	start=" " end=" " contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
syn region  hogPPrRegion contained oneline	start=":" end="$" contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
"syn region  hogPPrRegion contained oneline	start="$" end="$" keepend
" Argument words and regions of the preprocessors that have their own.
"
" http_decode options.
" NOTE(review): hogHTTPOPTS (and hogBOOPTS below) are not declared
" 'contained', so they also match at top level, outside a preprocessor
" line - confirm that is intended.
syn match hogHTTPOPTS "unicode"
syn match hogHTTPOPTS "cginull"
syn match hogHTTPOPTS "iis_alt_unicode"
syn match hogHTTPOPTS "double_encode"
syn match hogHTTPOPTS "abort_invalid_hex"
syn match hogHTTPOPTS "drop_url_param"
syn match hogHTTPOPTS "iis_flip_slash"
syn match hogHTTPOPTS "full_whitespace"

syn region hogPPrHTTP contained oneline start=":" end="$" contains=hogNumber,hogHTTPOPTS
syn region hogPPrHTTPIgnore contained oneline start=":" end="$" contains=hogIPaddr
" bo
syn match hogBOOPTS "-nobrute"
syn region hogPPrBO contained oneline start=":" end="$" contains=hogNumber,hogBOOPTS
" conversation
syn keyword hogConvArgs contained allowed_ip_protocols timeout max_conversations alert_odd_protocols
syn region hogConvRegion contained oneline start=":" end="$" contains=hogConvArgs,hogNumber,hogEnvvar,hogTexts skipwhite
" perfmonitor
syn keyword hogPMArgs contained console flow events time
syn region hogPMRegion contained oneline start=":" end="$" contains=hogPMArgs,hogNumber,hogFileName,hogEnvvar skipwhite
" portscan2
syn keyword hogPS2Args contained log scanners_max targets_max target_limit port_limit timeout
syn region hogPS2Region contained oneline start=":" end="$" contains=hogPS2Args,hogNumber,hogFileName,hogEnvvar skipwhite
" NOTE(review): no hogPPr entry in this file names hogStreamRegion as its
" nextgroup, so this region looks unreachable - confirm.
syn keyword hogStreamArgs contained timeout ports maxbytes
syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber skipwhite
" stream4
syn keyword hogStream4Args contained noinspect keepstats detect_scans log_flushed_streams detect_state_problems disable_evasion_alerts timeout memcap ttl_limit min_ttl
syn region hogStream4Region contained oneline start=":" end="$" contains=hogStream4Args,hogNumber skipwhite
" stream4_reassemble
syn keyword hogStream4rArgs contained clientonly serveronly both noalerts favor_old favor_new ports
syn region hogStream4rRegion contained oneline start=":" end="$" contains=hogStream4rArgs,hogNumber skipwhite


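" output command
" "output" is followed by a plugin name (hogOut); nextgroup selects the
" argument region for that plugin.
syn keyword hogOutStart output nextgroup=hogOut skipwhite
"
" SNMP
" Chain after "trap_snmp:": the word "alert", a number between two commas,
" a type word, then the remaining arguments to end of line.
syn match hogOut   contained "\<trap_snmp\>" nextgroup=hogSNMPRegion skipwhite
syn region hogSNMPRegion  contained start=":" end="$" contains=hogSNMPalert oneline skipwhite keepend
syn match hogSNMPalert contained "\<alert\>" nextgroup=hogSNMPid skipwhite
syn region hogSNMPid contained start="," end="," contains=hogNumber nextgroup=hogSNMPtypes skipwhite
" The alternatives are grouped so that \< and \> apply to every word.
" Ungrouped, \< bound only to "cpm" and \> only to "inform", and the bare
" "c" alternative matched the letter c at the start of any word.
syn match hogSNMPtypes contained "\<\(cpm\|c\|trap\|inform\)\>" nextgroup=hogSNMPargs skipwhite
" Switches begin with '-', which is not a word character under the default
" 'iskeyword', so \< can never match in front of them (the old "\<-v"
" alternative could not match at all).  They are anchored at the end only;
" the two plain words are anchored on both sides.
syn match hogSNMPswitch contained "-[vulaAxX]\>\|\<\(trap\|inform\)\>" nextgroup=hogSNMPargs skipwhite
syn region hogSNMPargs contained oneline start=" " end="$" contains=hogSNMPswitch,hogNumber,hogEnvvar,hogAscii,hogTexts skipwhite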

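" alert_syslog
" Arguments: syslog facility, priority and option words, or variables.
syn match hogOut   contained  "\<alert_syslog\>" nextgroup=hogSyslogRegion skipwhite
syn region hogSyslogRegion  contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend
"
" alert_fast (full,smb,unixsock, and tcpdump)
" The alternatives are grouped so that \< and \> apply to every plugin
" name; ungrouped, \< bound only to the first name and \> only to the last.
" log_tcpdump also has a later definition of its own in this file, which
" takes priority for that name because it is defined last.
syn match hogOut   contained  "\<\(alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\)\>" nextgroup=hogLogFileRegion skipwhite
syn region hogLogFileRegion  contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend
"
" unified
" Arguments: the words filename / limit with their values.
syn keyword hogUNIType contained filename limit
syn match hogOut  contained "\<\(alert_unified\|log_unified\)\>" nextgroup=hogUNIGroups skipwhite
syn region hogUNIGroups contained start=":" end="$" contains=hogUNIType,hogNumber,hogEnvvar,hogAscii,hogFileName skipwhite oneline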
"
" Output database arguments and parameters
" Type of database followed by ,
" syn keyword hogDBSQL contained mysql postgresql unixodbc
" Parameters param=constant
" are just various constants assigned to parameter names
syn keyword hogDBType contained alert log
" Parameters param=constant
" are just various constants assigned to parameter names
" Note: "password" is one of the parameter names.  Its value is
" highlighted by hogDBValues like any other value; nothing here hides it
" on screen.
syn keyword hogDBParam contained dbname host port user password sensor_name 
"
syn keyword hogDBSRV contained mysql postgresql unixodbc mssql
" database
" Chain: ':' type ',' server ',' then repeated param=value pairs.
" hogDBParams ends just before '=', hogDBValues at the end of the value
" word and hands back to hogDBParams for the next pair.
syn match hogOut  contained "\<database\>" nextgroup=hogDBTypes skipwhite
syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite 
syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite 
syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam  nextgroup=hogDBValues skipwhite
syn region hogDBValues contained start="." end="\>" contains=hogEnvvar,hogNumber,hogTexts nextgroup=hogDBParams skipwhite

"
" log_tcpdump
" Arguments: a file name or variable, from the ':' to end of line.
" NOTE(review): hogLogRegion is not declared 'contained', unlike the other
" argument regions, so a ':' at top level also starts it - confirm whether
" that is intended before adding the keyword.
syn match hogOut   contained  "\<log_tcpdump\>" nextgroup=hogLogRegion skipwhite
syn region  hogLogRegion  oneline	start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend
"
" xml args
" Chain: ':' type (log / alert) ',' then repeated param=value pairs, the
" same shape as the database plugin.  hogXMLValues ends at a space or at
" end of line and hands back to hogXMLParams.
syn match hogOut     contained "\<xml\>" nextgroup=hogXMLTypes skipwhite
syn region hogXMLTypes contained start=":" end="," contains=hogXMLType,hogEnvvar nextgroup=hogXMLParams skipwhite 
syn keyword hogXMLType  contained log alert
"
syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValues
syn keyword hogXMLParam contained protocol file host port cert key ca server sanitize encoding detail
" hogFilename below is spelled with a lower-case n; Vim compares group
" names without regard to case, so it refers to hogFileName.
syn region hogXMLValues contained start="." end=" \|$" contains=hogFilename,hogXMLTrans,hogTexts,hogNumber,hogIPaddr,hogEnvvar nextgroup=hogXMLParams oneline keepend
" Transport names accepted as a value.
syn keyword hogXMLTrans contained http https tcp iap
"
" IP address
" Dotted quad, optionally followed by /NN.  The patterns check only the
" digit counts (1-3 per octet, 1-2 for the prefix), not the numeric range.
syn match   hogIPaddr   "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
syn match   hogIPaddr   "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>"

" Protocol names; not 'contained', so they are highlighted anywhere.
syn keyword hogProto	tcp TCP ICMP icmp udp UDP

" hog alert address port pairs
" hog IPaddresses
" Address part of a rule header, followed (nextgroup) by a port.  The
" variants cover a plain dotted quad, one preceded by '[' or ',' (members
" of a bracketed list), one followed by ']' or whitespace, and the same
" four forms again with a /NN suffix.
syn match   hogIPaddrAndPort contained  "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>[\]\s]" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite         nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match   hogIPaddrAndPort contained  "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>[\]\s]" skipwhite nextgroup=hogPort
" The word "any" and variable references are accepted as an address too.
syn match   hogIPaddrAndPort contained "\<any\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained     "\$\I\i*" nextgroup=hogPort skipwhite
syn match hogIPaddrAndPort contained     "\${\I\i*}" nextgroup=hogPort skipwhite
" Ports: a single number (optional leading ':'), the word "any", or a
" low:high range.  The "any" and range forms accept a leading '!'; the
" single-number form does not (the commented-out earlier pattern did).
" NOTE(review): a negated single port such as !80 is therefore presumably
" left uncoloured - confirm.
"syn match   hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite
syn match   hogPort contained "[\:]\=\d\+\>"  skipwhite
syn match   hogPort contained "[\!]\=\<any\>" skipwhite
syn match   hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite

" action commands
" A rule starts with an action keyword.  activate and dynamic are put in
" their own group (hog7Functions); the other actions are hogActStart.
syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion
syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion
syn keyword hogActStart alert skipwhite nextgroup=hogActRegion
syn keyword hogActStart redalert skipwhite nextgroup=hogActRegion
syn keyword hogActStart log skipwhite nextgroup=hogActRegion
syn keyword hogActStart pass skipwhite nextgroup=hogActRegion

" Rule header chain:
"   hogActRegion - the protocol word, up to the following whitespace
"   hogActSource - source address and port, up to the direction operator
"   hogActDest   - from the direction operator (-> or <>) onwards
" hogActDest is defined twice: once running to end of line, and once
" stopping just before '(' and handing over to hogRules for the rule body.
syn region hogActRegion contained oneline start="ip\|IP\|tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite
syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2  oneline keepend skipwhite nextgroup=hogActDest
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$"  oneline keepend
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1  oneline keepend skipwhite nextgroup=hogRules


" ====================
" Default highlighting.  Vim 5.8 and later use "hi def link", which only
" sets a default and can be overridden later.  Older versions use plain
" "hi link" and install the links once, guarded by did_hog_syn_inits.
if version >= 508 || !exists("did_hog_syn_inits")
  if version >= 508
    command -nargs=+ HiLink hi def link <args>
  else
    let did_hog_syn_inits = 1
    command -nargs=+ HiLink hi link <args>
  endif

  " Links are listed by target group.

  " Comment
  HiLink hogComment        Comment
  HiLink hogLineComment    Comment

  " Constant
  HiLink hogAscii          Constant
  HiLink hogCommentString  Constant
  HiLink hogFileName       Constant
  HiLink hogTexts          Constant
  HiLink hogIPaddr         Constant
  HiLink hogNotPatSep      Constant
  HiLink hogNumber         Constant
  HiLink hogOperator       Constant
  HiLink hogText           Constant
  HiLink hogString         Constant
  HiLink hogSysFac         Constant
  HiLink hogSysOpt         Constant
  HiLink hogSysPri         Constant
  HiLink hogSNMPopts       Constant
  HiLink hogISDATAOpt      Constant
  HiLink hogThreshTypOpt   Constant
  HiLink hogThreshTrkOpt   Constant

  " Error
  "  HiLink hogAStrGrp      Error
  HiLink hogJunk           Error

  " Identifier
  HiLink hogEnvvar         Identifier
  HiLink hogIPaddrAndPort  Identifier
  HiLink hogVarIdent       Identifier

  " PreProc
  HiLink hogATAGOpt        PreProc
  HiLink hogATESTOpt       PreProc
  HiLink hogAJUMPOpt       PreProc
  HiLink hogAIPOptVal      PreProc
  HiLink hogARespOpt       PreProc
  HiLink hogAReactOpt      PreProc
  HiLink hogAFlowOpt       PreProc
  HiLink hogAFlowBitOpt    PreProc
  HiLink hogAFlagOpt       PreProc
  HiLink hogAFragOpt       PreProc
  HiLink hogCommentTitle   PreProc
  HiLink hogDBType         PreProc
  HiLink hogUNIType        PreProc
  HiLink hogDBSRV          PreProc
  HiLink hogPort           PreProc
  HiLink hogARefGrps       PreProc
  HiLink hogSessionVal     PreProc
  HiLink hogXMLType        PreProc
  HiLink hogXMLTrans       PreProc
  HiLink hogARPCOpt        PreProc
  HiLink hogConvArgs       PreProc
  HiLink hogPS2Args        PreProc
  HiLink hogPMArgs         PreProc
  HiLink hogStream4Args    PreProc
  HiLink hogStream4rArgs   PreProc
  HiLink hogSNMPalert      PreProc
  HiLink hogHTTPOPTS       PreProc
  HiLink hogBOOPTS         PreProc
  HiLink hogThreshTyp      PreProc
  HiLink hogThreshTrk      PreProc
  HiLink hogThreshCnt      PreProc
  HiLink hogThreshSec      PreProc

  " Special
  HiLink hogPatSep         Special

  " Statement
  HiLink hog7Functions     Statement
  HiLink hogActStart       Statement
  HiLink hogIncStart       Statement
  HiLink hogConfigStart    Statement
  HiLink hogOutStart       Statement
  HiLink hogTypeStart      Statement
  HiLink hogPPrStart       Statement
  HiLink hogVarStart       Statement
  HiLink hogRTypeStart     Statement

  " Todo
  HiLink hogTodo           Todo
  HiLink resp              Todo

  " Type
  HiLink hogRuleType       Type
  HiLink hogAFOpt          Type
  HiLink hogANoVal         Type
  HiLink hogAStrOpt        Type
  HiLink hogANOpt          Type
  HiLink hogAOpt           Type
  HiLink hogDBParam        Type
  HiLink hogStreamArgs     Type
  HiLink hogSNMPtypes      Type
  HiLink hogSNMPswitch     Type
  HiLink hogOut            Type
  HiLink hogPPr            Type
  HiLink hogConfigType     Type
  HiLink hogActRegion      Type
  HiLink hogProto          Type
  HiLink hogXMLParam       Type
  HiLink hogXMLParam2      Type

  " Label
  HiLink cLabel            Label

  " HiLink is only a helper for this file; remove it again.
  delcommand HiLink
endif

" Record which syntax is loaded so the guard at the top of the file stops a
" second load.
let b:current_syntax = "hog"

" hog: cpw=59

