Diffstat (limited to 'runtime/syntax/hog.vim')
-rw-r--r--runtime/syntax/hog.vim350
1 files changed, 350 insertions, 0 deletions
diff --git a/runtime/syntax/hog.vim b/runtime/syntax/hog.vim
new file mode 100644
index 000000000..f39c171d3
--- /dev/null
+++ b/runtime/syntax/hog.vim
@@ -0,0 +1,350 @@
+" Snort syntax file
+" Language: Snort Configuration File (see: http://www.snort.org)
+" Maintainer: Phil Wood, cornett@arpa.net
+" Last Change: $Date$
+" Filenames: *.hog *.rules snort.conf vision.conf
+" URL: http://home.lanl.gov/cpw/vim/syntax/hog.vim
+" Snort Version: 1.8 By Martin Roesch (roesch@clark.net, www.snort.org)
+" TODO include all 1.8 syntax
+
+" For version 5.x: Clear all syntax items
+if version < 600
+ syntax clear
+elseif exists("b:current_syntax")
+" For version 6.x: Quit when a syntax file was already loaded
+ finish
+endif
+
+syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString
+syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#'
+
+syn match hogJunk "\<\a\+|\s\+$"
+syn match hogNumber contained "\<\d\+\>"
+syn region hogText contained oneline start='\S' end=',' skipwhite
+syn region hogTexts contained oneline start='\S' end=';' skipwhite
+
+" Environment Variables
+" =====================
+"syn match hogEnvvar contained "[\!]\=\$\I\i*"
+"syn match hogEnvvar contained "[\!]\=\${\I\i*}"
+syn match hogEnvvar contained "\$\I\i*"
+syn match hogEnvvar contained "[\!]\=\${\I\i*}"
+
+
+" String handling lifted from vim.vim written by Dr. Charles E. Campbell, Jr.
+" Try to catch strings, if nothing else matches (therefore it must precede the others!)
+" vmEscapeBrace handles ["] []"] (ie. stays as string)
+syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1
+syn match hogPatSep contained "\\[|()]"
+syn match hogNotPatSep contained "\\\\"
+syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline
+""syn region hogString oneline start=+[^:a-zA-Z>!\\]'+lc=1 skip=+\\\\\|\\'+ end=+'+ contains=hogEscapeBrace,vimPatSep,hogNotPatSep
+"syn region hogString oneline start=+=!+lc=1 skip=+\\\\\|\\!+ end=+!+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep
+"syn region hogString oneline start="=+"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
+"syn region hogString oneline start="[^\\]+\s*[^a-zA-Z0-9.]"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
+"syn region hogString oneline start="\s/\s*\A"lc=1 skip="\\\\\|\\+" end="/" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
+"syn match hogString contained +"[^"]*\\$+ skipnl nextgroup=hogStringCont
+"syn match hogStringCont contained +\(\\\\\|.\)\{-}[^\\]"+
+
+
+" Beginners - Patterns that involve ^
+"
+syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle
+syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained
+syn keyword hogTodo contained TODO
+
+" Rule keywords
+syn match hogARPCOpt contained "\d\+,\*,\*"
+syn match hogARPCOpt contained "\d\+,\d\+,\*"
+syn match hogARPCOpt contained "\d\+,\*,\d\+"
+syn match hogARPCOpt contained "\d\+,\d\+,\d"
+syn match hogATAGOpt contained "session"
+syn match hogATAGOpt contained "host"
+syn match hogATAGOpt contained "dst"
+syn match hogATAGOpt contained "src"
+syn match hogATAGOpt contained "seconds"
+syn match hogATAGOpt contained "packets"
+syn match hogATAGOpt contained "bytes"
+syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite
+syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite
+syn keyword hogAReactOpt contained block warn msg skipwhite
+syn match hogAReactOpt contained "proxy\d\+" skipwhite
+syn keyword hogAFOpt contained logto content_list skipwhite
+syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite
+syn keyword hogARefGrps contained arachnids skipwhite
+syn keyword hogARefGrps contained bugtraq skipwhite
+syn keyword hogARefGrps contained cve skipwhite
+syn keyword hogSessionVal contained printable all skipwhite
+syn match hogAFlagOpt contained "[0FSRPAUfsrpau21]\+" skipwhite
+syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite
+"
+" Output syslog options
+" Facilities
+syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0
+syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4
+syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER
+" Priorities
+syn keyword hogSysPri contained LOG_EMERG ALERT LOG_CRIT LOG_ERR
+syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
+" Options
+syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR
+syn keyword hogSysOpt contained LOG_PID
+" RuleTypes
+syn keyword hogRuleType contained log pass alert activate dynamic
+
+" Output log_database arguments and parameters
+" Type of database followed by ,
+" syn keyword hogDBSQL contained mysql postgresql unixodbc
+" Parameters param=constant
+" are just various constants assigned to parameter names
+
+" Output log_database arguments and parameters
+" Type of database followed by ,
+syn keyword hogDBType contained alert log
+syn keyword hogDBSRV contained mysql postgresql unixodbc
+" Parameters param=constant
+" are just various constants assigned to parameter names
+syn keyword hogDBParam contained dbname host port user password sensor_name
+
+" Output xml arguments and parameters
+" xml args
+syn keyword hogXMLArg contained log alert
+syn keyword hogXMLParam contained file protocol host port cert key ca server sanitize encoding detail
+"
+" hog rule handler '(.*)'
+syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite
+syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite
+
+syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite
+syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite
+"
+syn region hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend
+"
+syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite
+syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts
+"
+syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite
+syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts
+
+syn region hogAOpt contained oneline start="depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|id\|offset" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite
+syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend
+
+syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
+
+syn region hogAOpt contained oneline start="regex\|msg\|content" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite
+"syn region hogAStrGrp contained oneline start=+:\s*"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
+syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
+
+syn region hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
+syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite
+
+syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite
+syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite
+syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite
+
+syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend
+
+syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend
+
+syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend
+
+"syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite
+
+syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite
+
+syn match nothing "$"
+syn region hogRules oneline contains=nothing start='$' end="$"
+syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite
+syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend
+"syn region hogAOpts contained oneline start="." end="[;]"he=s-1 contains=hogAOpt skipwhite
+syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite
+
+
+" ruletype command
+syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite
+syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion
+" type ruletype sub type
+syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart
+syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite
+syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart
+
+
+" var command
+syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite
+syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite
+syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogString,hogFileName end="$"he=s-1 keepend skipwhite
+
+" config command
+syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType
+syn match hogConfigType contained "\<classification\>" nextgroup=hogConfigTypeRegion skipwhite
+syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText keepend skipwhite
+
+
+" include command
+syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion
+syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend
+
+" preprocessor command
+" http_decode, minfrag, portscan[-ignorehosts]
+syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr
+syn match hogPPr contained "\<spade\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-homenet\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-threshlearn\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-adapt\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-adapt2\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-adapt3\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<spade-survey\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<defrag\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<telnet_decode\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<rpc_decode\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<bo\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<stream\>" nextgroup=hogStreamRegion skipwhite
+syn match hogPPr contained "\<stream2\>" nextgroup=hogStreamRegion skipwhite
+syn match hogPPr contained "\<stream3\>" nextgroup=hogStreamRegion skipwhite
+syn match hogPPr contained "\<http_decode\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<minfrag\>" nextgroup=hogPPrRegion skipwhite
+syn match hogPPr contained "\<portscan[-ignorehosts]*\>" nextgroup=hogPPrRegion skipwhite
+syn region hogPPrRegion contained oneline start="$" end="$" keepend
+syn region hogPPrRegion contained oneline start=":" end="$" contains=hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
+syn keyword hogStreamArgs contained timeout ports maxbytes
+syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber
+
+" output command
+syn keyword hogOutStart output nextgroup=hogOut skipwhite
+"
+" alert_syslog
+syn match hogOut contained "\<alert_syslog\>" nextgroup=hogSyslogRegion skipwhite
+syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend
+"
+" alert_fast (full,smb,unixsock, and tcpdump)
+syn match hogOut contained "\<alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\>" nextgroup=hogLogFileRegion skipwhite
+syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend
+"
+" database
+syn match hogOut contained "\<database\>" nextgroup=hogDBTypes skipwhite
+syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite
+syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite
+syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues
+syn region hogDBValues contained start="." end="\>" contains=hogNumber,hogEnvvar,hogAscii nextgroup=hogDBParams oneline skipwhite
+syn match hogAscii contained "\<\a\+"
+"
+" log_tcpdump
+syn match hogOut contained "\<log_tcpdump\>" nextgroup=hogLogRegion skipwhite
+syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend
+"
+" xml
+syn keyword hogXMLTrans contained http https tcp iap
+syn match hogOut contained "\<xml\>" nextgroup=hogXMLRegion skipwhite
+syn region hogXMLRegion contained start=":" end="," contains=hogXMLArg,hogEnvvar nextgroup=hogXMLParams skipwhite
+"syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLProto nextgroup=hogXMLProtos
+"syn region hogXMLProtos contained start="." end="\>" contains=hogXMLTrans nextgroup=hogXMLParams
+syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValue
+syn region hogXMLValue contained start="." end="\>" contains=hogNumber,hogIPaddr,hogEnvvar,hogAscii,hogFileName nextgroup=hogXMLParams oneline skipwhite keepend
+"
+" Filename
+syn match hogFileName contained "[-./[:alnum:]_~]\+"
+syn match hogFileName contained "[-./[:alnum:]_~]\+"
+" IP address
+syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
+syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>"
+
+syn keyword hogProto tcp TCP ICMP icmp udp UDP
+
+" hog alert address port pairs
+" hog IPaddresses
+syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
+syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
+syn match hogIPaddrAndPort contained "\<any\>" skipwhite nextgroup=hogPort
+syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite
+syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite
+"syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite
+syn match hogPort contained "[\:]\=\d\+\>"
+syn match hogPort contained "[\!]\=\<any\>" skipwhite
+syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite
+
+" action commands
+syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion
+syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion
+syn keyword hogActStart alert skipwhite nextgroup=hogActRegion
+syn keyword hogActStart log skipwhite nextgroup=hogActRegion
+syn keyword hogActStart pass skipwhite nextgroup=hogActRegion
+
+syn region hogActRegion contained oneline start="tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite
+syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 oneline keepend skipwhite nextgroup=hogActDest
+syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" oneline keepend
+syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 oneline keepend skipwhite nextgroup=hogRules
+
+
+" ====================
+if version >= 508 || !exists("did_hog_syn_inits")
+ if version < 508
+ let did_hog_syn_inits = 1
+ command -nargs=+ HiLink hi link <args>
+ else
+ command -nargs=+ HiLink hi def link <args>
+ endif
+" The default methods for highlighting. Can be overridden later
+ HiLink hogComment Comment
+ HiLink hogLineComment Comment
+ HiLink hogAscii Constant
+ HiLink hogCommentString Constant
+ HiLink hogFileName Constant
+ HiLink hogIPaddr Constant
+ HiLink hogNotPatSep Constant
+ HiLink hogNumber Constant
+ HiLink hogText Constant
+ HiLink hogString Constant
+ HiLink hogSysFac Constant
+ HiLink hogSysOpt Constant
+ HiLink hogSysPri Constant
+" HiLink hogAStrGrp Error
+ HiLink hogJunk Error
+ HiLink hogEnvvar Identifier
+ HiLink hogIPaddrAndPort Identifier
+ HiLink hogVarIdent Identifier
+ HiLink hogATAGOpt PreProc
+ HiLink hogAIPOptVal PreProc
+ HiLink hogARespOpt PreProc
+ HiLink hogAReactOpt PreProc
+ HiLink hogAFlagOpt PreProc
+ HiLink hogAFragOpt PreProc
+ HiLink hogCommentTitle PreProc
+ HiLink hogDBType PreProc
+ HiLink hogDBSRV PreProc
+ HiLink hogPort PreProc
+ HiLink hogARefGrps PreProc
+ HiLink hogSessionVal PreProc
+ HiLink hogXMLArg PreProc
+ HiLink hogARPCOpt PreProc
+ HiLink hogPatSep Special
+ HiLink hog7Functions Statement
+ HiLink hogActStart Statement
+ HiLink hogIncStart Statement
+ HiLink hogConfigStart Statement
+ HiLink hogOutStart Statement
+ HiLink hogPPrStart Statement
+ HiLink hogVarStart Statement
+ HiLink hogRTypeStart Statement
+ HiLink hogTodo Todo
+ HiLink hogRuleType Type
+ HiLink hogAFOpt Type
+ HiLink hogANoVal Type
+ HiLink hogAStrOpt Type
+ HiLink hogANOpt Type
+ HiLink hogAOpt Type
+ HiLink hogDBParam Type
+ HiLink hogStreamArgs Type
+ HiLink hogOut Type
+ HiLink hogPPr Type
+ HiLink hogConfigType Type
+ HiLink hogActRegion Type
+ HiLink hogProto Type
+ HiLink hogXMLParam Type
+ HiLink resp Todo
+ HiLink cLabel Label
+ delcommand HiLink
+endif
+
+let b:current_syntax = "hog"
+
+" hog: cpw=59
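Review bot: The `fragbits` option region hands off with `nextgroup=hogAFlagOpt`, so the `hogAFragOpt` match (`[DRMdrm]\+`) defined among the rule keywords is never referenced, and the `D` and `M` fragment bits of a rule would not match the TCP-flag character class; that line should read `nextgroup=hogAFragOpt`. In the `hogOut` match for `"\<alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\>"` the alternation is ungrouped, so `\<` binds only to the first branch and `\>` only to the last; `"\<\(alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\)\>"` anchors all of them. `hogLogRegion` is the only output region declared without `contained`, which appears to let its `start=":"` begin a region at top level on unrelated lines; adding `contained` would limit it to the `nextgroup` after `log_tcpdump`. For a file used to edit IDS rules, these gaps make the highlighting a less reliable cue for a mistyped option.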