" Snort syntax file " Language: Snort Configuration File (see: http://www.snort.org) " Maintainer: Phil Wood, cornett@arpa.net " Last Change: $Date: 2004/06/13 17:41:17 $ " Filenames: *.hog *.rules snort.conf vision.conf " URL: http://home.lanl.gov/cpw/vim/syntax/hog.vim " Snort Version: 1.8 By Martin Roesch (roesch@clark.net, www.snort.org) " TODO include all 1.8 syntax " For version 5.x: Clear all syntax items if version < 600 syntax clear elseif exists("b:current_syntax") " For version 6.x: Quit when a syntax file was already loaded finish endif syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#' syn match hogJunk "\<\a\+|\s\+$" syn match hogNumber contained "\<\d\+\>" syn region hogText contained oneline start='\S' end=',' skipwhite syn region hogTexts contained oneline start='\S' end=';' skipwhite " Environment Variables " ===================== "syn match hogEnvvar contained "[\!]\=\$\I\i*" "syn match hogEnvvar contained "[\!]\=\${\I\i*}" syn match hogEnvvar contained "\$\I\i*" syn match hogEnvvar contained "[\!]\=\${\I\i*}" " String handling lifted from vim.vim written by Dr. Charles E. Campbell, Jr. " Try to catch strings, if nothing else matches (therefore it must precede the others!) " vmEscapeBrace handles ["] []"] (ie. stays as string) syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1 syn match hogPatSep contained "\\[|()]" syn match hogNotPatSep contained "\\\\" syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline ""syn region hogString oneline start=+[^:a-zA-Z>!\\]'+lc=1 skip=+\\\\\|\\'+ end=+'+ contains=hogEscapeBrace,vimPatSep,hogNotPatSep "syn region hogString oneline start=+=!+lc=1 skip=+\\\\\|\\!+ end=+!+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep "syn region hogString oneline start="=+"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep "syn region hogString oneline start="[^\\]+\s*[^a-zA-Z0-9.]"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep "syn region hogString oneline start="\s/\s*\A"lc=1 skip="\\\\\|\\+" end="/" contains=hogEscapeBrace,hogPatSep,hogNotPatSep "syn match hogString contained +"[^"]*\\$+ skipnl nextgroup=hogStringCont "syn match hogStringCont contained +\(\\\\\|.\)\{-}[^\\]"+ " Beginners - Patterns that involve ^ " syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained syn keyword hogTodo contained TODO " Rule keywords syn match hogARPCOpt contained "\d\+,\*,\*" syn match hogARPCOpt contained "\d\+,\d\+,\*" syn match hogARPCOpt contained "\d\+,\*,\d\+" syn match hogARPCOpt contained "\d\+,\d\+,\d" syn match hogATAGOpt contained "session" syn match hogATAGOpt contained "host" syn match hogATAGOpt contained "dst" syn match hogATAGOpt contained "src" syn match hogATAGOpt contained "seconds" syn match hogATAGOpt contained "packets" syn match hogATAGOpt contained "bytes" syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite syn keyword hogAReactOpt contained block warn msg skipwhite syn match hogAReactOpt contained "proxy\d\+" skipwhite syn keyword hogAFOpt contained logto content_list skipwhite syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite syn keyword hogARefGrps contained arachnids skipwhite syn keyword hogARefGrps contained bugtraq skipwhite syn keyword hogARefGrps contained cve skipwhite syn keyword hogSessionVal contained printable all skipwhite syn match hogAFlagOpt contained "[0FSRPAUfsrpau21]\+" skipwhite syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite " " Output syslog options " Facilities syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0 syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER " Priorities syn keyword hogSysPri contained LOG_EMERG ALERT LOG_CRIT LOG_ERR syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG " Options syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR syn keyword hogSysOpt contained LOG_PID " RuleTypes syn keyword hogRuleType contained log pass alert activate dynamic " Output log_database arguments and parameters " Type of database followed by , " syn keyword hogDBSQL contained mysql postgresql unixodbc " Parameters param=constant " are just various constants assigned to parameter names " Output log_database arguments and parameters " Type of database followed by , syn keyword hogDBType contained alert log syn keyword hogDBSRV contained mysql postgresql unixodbc " Parameters param=constant " are just various constants assigned to parameter names syn keyword hogDBParam contained dbname host port user password sensor_name " Output xml arguments and parameters " xml args syn keyword hogXMLArg contained log alert syn keyword hogXMLParam contained file protocol host port cert key ca server sanitize encoding detail " " hog rule handler '(.*)' syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite " syn region hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend " syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts " syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts syn region hogAOpt contained oneline start="depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|id\|offset" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite syn region hogAOpt contained oneline start="regex\|msg\|content" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite "syn region hogAStrGrp contained oneline start=+:\s*"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend syn region hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend "syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite syn match nothing "$" syn region hogRules oneline contains=nothing start='$' end="$" syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend "syn region hogAOpts contained oneline start="." end="[;]"he=s-1 contains=hogAOpt skipwhite syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite " ruletype command syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion " type ruletype sub type syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart " var command syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogString,hogFileName end="$"he=s-1 keepend skipwhite " config command syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText keepend skipwhite " include command syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend " preprocessor command " http_decode, minfrag, portscan[-ignorehosts] syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn region hogPPrRegion contained oneline start="$" end="$" keepend syn region hogPPrRegion contained oneline start=":" end="$" contains=hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend syn keyword hogStreamArgs contained timeout ports maxbytes syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber " output command syn keyword hogOutStart output nextgroup=hogOut skipwhite " " alert_syslog syn match hogOut contained "\" nextgroup=hogSyslogRegion skipwhite syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend " " alert_fast (full,smb,unixsock, and tcpdump) syn match hogOut contained "\" nextgroup=hogLogFileRegion skipwhite syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend " " database syn match hogOut contained "\" nextgroup=hogDBTypes skipwhite syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues syn region hogDBValues contained start="." end="\>" contains=hogNumber,hogEnvvar,hogAscii nextgroup=hogDBParams oneline skipwhite syn match hogAscii contained "\<\a\+" " " log_tcpdump syn match hogOut contained "\" nextgroup=hogLogRegion skipwhite syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend " " xml syn keyword hogXMLTrans contained http https tcp iap syn match hogOut contained "\" nextgroup=hogXMLRegion skipwhite syn region hogXMLRegion contained start=":" end="," contains=hogXMLArg,hogEnvvar nextgroup=hogXMLParams skipwhite "syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLProto nextgroup=hogXMLProtos "syn region hogXMLProtos contained start="." end="\>" contains=hogXMLTrans nextgroup=hogXMLParams syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValue syn region hogXMLValue contained start="." end="\>" contains=hogNumber,hogIPaddr,hogEnvvar,hogAscii,hogFileName nextgroup=hogXMLParams oneline skipwhite keepend " " Filename syn match hogFileName contained "[-./[:alnum:]_~]\+" syn match hogFileName contained "[-./[:alnum:]_~]\+" " IP address syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" syn keyword hogProto tcp TCP ICMP icmp udp UDP " hog alert address port pairs " hog IPaddresses syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite "syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite syn match hogPort contained "[\:]\=\d\+\>" syn match hogPort contained "[\!]\=\" skipwhite syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite " action commands syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion syn keyword hogActStart alert skipwhite nextgroup=hogActRegion syn keyword hogActStart log skipwhite nextgroup=hogActRegion syn keyword hogActStart pass skipwhite nextgroup=hogActRegion syn region hogActRegion contained oneline start="tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 oneline keepend skipwhite nextgroup=hogActDest syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" oneline keepend syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 oneline keepend skipwhite nextgroup=hogRules " ==================== if version >= 508 || !exists("did_hog_syn_inits") if version < 508 let did_hog_syn_inits = 1 command -nargs=+ HiLink hi link else command -nargs=+ HiLink hi def link endif " The default methods for highlighting. Can be overridden later HiLink hogComment Comment HiLink hogLineComment Comment HiLink hogAscii Constant HiLink hogCommentString Constant HiLink hogFileName Constant HiLink hogIPaddr Constant HiLink hogNotPatSep Constant HiLink hogNumber Constant HiLink hogText Constant HiLink hogString Constant HiLink hogSysFac Constant HiLink hogSysOpt Constant HiLink hogSysPri Constant " HiLink hogAStrGrp Error HiLink hogJunk Error HiLink hogEnvvar Identifier HiLink hogIPaddrAndPort Identifier HiLink hogVarIdent Identifier HiLink hogATAGOpt PreProc HiLink hogAIPOptVal PreProc HiLink hogARespOpt PreProc HiLink hogAReactOpt PreProc HiLink hogAFlagOpt PreProc HiLink hogAFragOpt PreProc HiLink hogCommentTitle PreProc HiLink hogDBType PreProc HiLink hogDBSRV PreProc HiLink hogPort PreProc HiLink hogARefGrps PreProc HiLink hogSessionVal PreProc HiLink hogXMLArg PreProc HiLink hogARPCOpt PreProc HiLink hogPatSep Special HiLink hog7Functions Statement HiLink hogActStart Statement HiLink hogIncStart Statement HiLink hogConfigStart Statement HiLink hogOutStart Statement HiLink hogPPrStart Statement HiLink hogVarStart Statement HiLink hogRTypeStart Statement HiLink hogTodo Todo HiLink hogRuleType Type HiLink hogAFOpt Type HiLink hogANoVal Type HiLink hogAStrOpt Type HiLink hogANOpt Type HiLink hogAOpt Type HiLink hogDBParam Type HiLink hogStreamArgs Type HiLink hogOut Type HiLink hogPPr Type HiLink hogConfigType Type HiLink hogActRegion Type HiLink hogProto Type HiLink hogXMLParam Type HiLink resp Todo HiLink cLabel Label delcommand HiLink endif let b:current_syntax = "hog" " hog: cpw=59