" Vim syntax file
" Language: hog (Snort.conf + .rules)
" Maintainer: Victor Roemer, <vroemer@badsec.org>.
" Last Change: 2019 Sep 22
"              2012 Oct 24  -> Originalish release
"              2019 Sep 22  -> included PR 3069

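" quit when a syntax file was already loaded
if exists("b:current_syntax")
    finish
endif

" ':' separates a rule option from its value, and '-' occurs inside option
" names (tcp-pkt, app-layer-event), so adjust the keyword character class.
setlocal iskeyword-=:
setlocal iskeyword+=-
syn case ignore

" Hog ruletype crap
syn keyword     HogRuleType       ruletype nextgroup=HogRuleTypeName skipwhite
syn match       HogRuleTypeName   "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
syn region      HogRuleTypeBody   start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
syn keyword     HogRuleTypeType   type contained

" Hog Configurables
syn keyword     HogPreproc    preprocessor nextgroup=HogConfigName skipwhite
syn keyword     HogConfig     config nextgroup=HogConfigName skipwhite
syn keyword     HogOutput     output nextgroup=HogConfigName skipwhite
syn match       HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
" The skip pattern carries the region across backslash-continued lines,
" comment-only lines and blank lines.
syn region      HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment

" Event filters and thresholds
syn region      HogEvFilter         start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
syn keyword     HogEvFilterKeyword  skipwhite event_filter threshold
syn keyword     HogEvFilterOptions  skipwhite type nextgroup=HogEvFilterTypes
syn keyword     HogEvFilterTypes    skipwhite limit threshold both contained
syn keyword     HogEvFilterOptions  skipwhite track nextgroup=HogEvFilterTrack
syn keyword     HogEvFilterTrack    skipwhite by_src by_dst contained
syn keyword     HogEvFilterOptions  skipwhite gen_id sig_id count seconds nextgroup=HogNumber

" Suppressions
" HogSuppressOptions is listed in contains= so that gen_id/sig_id/track/ip
" get their nextgroup chains inside the region, mirroring HogEvFilter.
syn region      HogEvFilter         start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogSuppressOptions,HogComment
syn keyword     HogSuppressKeyword  skipwhite suppress
syn keyword     HogSuppressOptions  skipwhite gen_id sig_id nextgroup=HogNumber
syn keyword     HogSuppressOptions  skipwhite track nextgroup=HogEvFilterTrack
syn keyword     HogSuppressOptions  skipwhite ip nextgroup=HogIPAddr

" Attribute table
syn keyword     HogAttribute        attribute_table nextgroup=HogAttributeFile
syn match       HogAttributeFile    contained ".*$" contains=HogVar,HogAttributeType,HogComment
syn keyword     HogAttributeType    filename

" Hog includes
syn keyword     HogInclude    include nextgroup=HogIncludeFile skipwhite
syn match       HogIncludeFile ".*$" contained contains=HogVar,HogComment

" Hog dynamic libraries
syn keyword     HogDylib      dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
syn match       HogDylibFile  "\s.*$" contained contains=HogVar,HogDylibType,HogComment
syn keyword     HogDylibType  directory file contained

" Variable dereferenced with '$'
syn match       HogVar        "\$[[:alnum:]_]\+"

" Variables declared with 'var'
syn keyword     HogVarType    var nextgroup=HogVarSet skipwhite
syn match       HogVarSet     "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
syn match       HogVarValue   ".*$" contained contains=HogString,HogNumber,HogVar,HogComment

" Variables declared with 'ipvar'
syn keyword     HogIPVarType  ipvar nextgroup=HogIPVarSet skipwhite
syn match       HogIPVarSet   "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
syn region      HogIPVarList  start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot

" Variables declared with 'portvar'
syn keyword     HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
syn match       HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
syn region      HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange
syn match       HogPort       "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange

" Generic stuff
" Dotted-quad IPv4 (optionally followed by a /prefix) or the word 'any'.
syn match       HogIPAddr     contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
syn match       HogIPCidr     contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
syn region      HogHexEsc     contained start='|' end='|' oneline
" skip='\\.' keeps backslash-escaped characters (\" \; \\) from ending the
" string; 'extend' lets a ';' inside the string extend the enclosing option.
syn region      HogString     contained start='"' skip='\\.' end='"' extend oneline contains=HogHexEsc
syn match       HogNumber     contained display "\<\d\+\>"
syn match       HogNumber     contained display "0x\x\+\>"
syn keyword     HogSpecial    contained true false yes no default all any
syn keyword     HogSpecialAny contained any
syn match       HogOpNot      "!" contained
syn match       HogOpRange    ":" contained

" Rules
" Header chain: action -> proto -> src ip -> src port -> dir -> dst ip ->
" dst port -> option block.
syn keyword     HogRuleAction     activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
syn keyword     HogRuleProto      ip tcp tcp-pkt tcp-stream udp icmp http ftp tls smb dns dcerpc ssh smtp imap msn modbus dnp3 enip nfs ikev2 ntp skipwhite contained nextgroup=HogRuleSrcIP
syn match       HogRuleSrcIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
syn match       HogRuleSrcPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
syn match       HogRuleDir        "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
syn match       HogRuleDstIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
syn match       HogRuleDstPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
syn region      HogRuleBlock      start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
"syn region      HogRuleOption     start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata target content nocase rawbytes
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP depth startswith offset distance within http_client_body http_cookie http_raw_cookie http_header
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_raw_header http_request_line http_method http_uri http_raw_uri http_protocol http_response_line http_stat_code http_stat_msg
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_user_agent http_accept http_accept_enc http_accept_lang http_connection http_content_type http_content_len
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_referer http_start http_header_names http_server_body http_host http_raw_host
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP filename fileext filemagic filestore filemd5 filesha1 filesha256 filesize
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP dns_query tls_cert_subject tls_cert_issuer tls_cert_serial tls_cert_fingerprint
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP tls_sni tls_cert_notbefore tls_cert_notafter tls_cert_expired tls_cert_valid
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP ja3_hash ja3_string
" Dotted option names contain '.', which is not in 'iskeyword', so a
" 'syn keyword' entry can never match them; match them by pattern instead.
syn match       HogRuleOption   "\<tls\.\%(version\|subject\|issuerdn\|fingerprint\|store\)\>" skipwhite contained nextgroup=HogRuleSROP
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP modbus dnp3_func dnp3_ind dnp3_obj dnp3_data enip_command cip_service
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP app-layer-protocol app-layer-event xbits iprep lua luajit
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP fast_pattern prefilter uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpdata_command ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts geoip fragbits dsize flags flow flowbits flowint seq ack window
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group

" Option value: from the ':' after the option name up to the terminating ';'.
syn region      HogRuleSROP     start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
syn match       HogRuleChars    "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
syn match       HogURLChars     "\%(\.\|?\|=\)\+" contained

" Hog File Type Rules
syn match       HogFileType   /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
syn keyword     HogFileTypeOpt  skipwhite contained nextgroup=HogFileFROP file type ver category id rev content offset msg group
syn region      HogFileFROP  start=':' end=";" transparent keepend contained contains=NotASemiColn
syn match       NotASemiColn   ".*$" contained


" Comments
syn keyword HogTodo   XXX TODO NOTE contained
syn match   HogTodo   "Step\s\+#\=\d\+" contained
syn region HogComment start="#" end="$" contains=HogTodo,@Spell

syn case match

" Multi-line regions (config, event_filter, suppress) need lookback; users
" may override the default with g:hog_minlines.
if !exists("hog_minlines")
    let hog_minlines = 100
endif
exec "syn sync minlines=" . hog_minlines

" 'hi def link' sets a default only, so a colorscheme or the user can
" override any of these groups without editing this file.
hi def link HogRuleType           Statement
hi def link HogRuleTypeName       Type
hi def link HogRuleTypeType       Keyword

hi def link HogPreproc            Statement
hi def link HogConfig             Statement
hi def link HogOutput             Statement
hi def link HogConfigName         Type

"hi def link HogEvFilter
hi def link HogEvFilterKeyword    Statement
hi def link HogEvFilterOptions    Keyword
hi def link HogSuppressKeyword    Statement
hi def link HogSuppressOptions    Keyword
hi def link HogEvFilterTypes      Constant
hi def link HogEvFilterTrack      Constant

hi def link HogAttribute          Statement
hi def link HogAttributeFile      String
hi def link HogAttributeType      Statement

hi def link HogInclude            Statement
hi def link HogIncludeFile        String

hi def link HogDylib              Statement
hi def link HogDylibType          Statement
hi def link HogDylibFile          String

" Variables
" var
hi def link HogVar                Identifier
hi def link HogVarType            Keyword
hi def link HogVarSet             Identifier
hi def link HogVarValue           String
" ipvar
hi def link HogIPVarType          Keyword
hi def link HogIPVarSet           Identifier
" portvar
hi def link HogPortVarType        Keyword
hi def link HogPortVarSet         Identifier
hi def link HogPort               Constant

hi def link HogTodo               Todo
hi def link HogComment            Comment
hi def link HogString             String
hi def link HogHexEsc             PreProc
hi def link HogNumber             Number
hi def link HogSpecial            Constant
hi def link HogSpecialAny         Constant
hi def link HogIPAddr             Constant
hi def link HogIPCidr             Constant
hi def link HogOpNot              Operator
hi def link HogOpRange            Operator

hi def link HogRuleAction         Statement
hi def link HogRuleProto          Identifier
hi def link HogRuleDir            Operator
hi def link HogRuleOption         Keyword
hi def link HogRuleChars          String

hi def link HogFileType           HogRuleAction
hi def link HogFileTypeOpt        HogRuleOption
hi def link NotASemiColn          HogRuleChars

let b:current_syntax = "hog"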