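" Snort syntax file
" Language: Snort Configuration File (see: http://www.snort.org)
" Maintainer: Phil Wood, cornett@arpa.net
" Last Change: $Date: 2004/06/13 17:41:17 $
" Filenames: *.hog *.rules snort.conf vision.conf
" URL: http://home.lanl.gov/cpw/vim/syntax/hog.vim
" Snort Version: 1.8 By Martin Roesch (roesch@clark.net, www.snort.org)
" TODO include all 1.8 syntax
"
" Purpose: highlight snort.conf / *.rules files. Every group is prefixed
" "hog". Keyword lists below are the Snort 1.8 vocabulary; options that
" arrived later (e.g. sid, rev) are simply left unhighlighted, and an
" unhighlighted token is NOT a sign that Snort rejects it. Conversely,
" highlighting is not validation: a rule that colours nicely can still be
" refused by Snort, so keep testing configs with Snort's own config check.
"
" Review notes on this revision:
"  - hogSysPri listed the bare word ALERT; the syslog priority is LOG_ALERT.
"  - Alternations such as "alert_fast\|...\|log_tcpdump" had \< and \>
"    bound only to the first and last branch; they are now grouped so the
"    word boundary applies to every branch.
"  - Duplicate hogFileName definition, a trailing comma in a contains= list
"    and two stray links (resp, cLabel) that belong to no hog group removed.

" For version 5.x: Clear all syntax items
if version < 600
  syntax clear
elseif exists("b:current_syntax")
  " For version 6.x: Quit when a syntax file was already loaded
  finish
endif

" Trailing comment: whitespace then '#' not followed by a character that
" marks a rule option or separator.
syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString
syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#'

" NOTE(review): the bar below is a literal '|' (Vim alternation is '\|');
" left unchanged because the escaped form would flag every word as Error.
syn match hogJunk "\<\a\+|\s\+$"
syn match hogNumber contained "\<\d\+\>"
syn region hogText contained oneline start='\S' end=',' skipwhite
syn region hogTexts contained oneline start='\S' end=';' skipwhite

" Environment Variables
" =====================
" $NAME and ${NAME} forms; the braced form also accepts a leading '!'.
"syn match hogEnvvar contained "[\!]\=\$\I\i*"
"syn match hogEnvvar contained "[\!]\=\${\I\i*}"
syn match hogEnvvar contained "\$\I\i*"
syn match hogEnvvar contained "[\!]\=\${\I\i*}"


" String handling lifted from vim.vim written by Dr. Charles E. Campbell, Jr.
" Try to catch strings, if nothing else matches (therefore it must precede the others!)
" vmEscapeBrace handles ["] []"] (ie. stays as string)
syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1
syn match hogPatSep contained "\\[|()]"
syn match hogNotPatSep contained "\\\\"
" Double-quoted string up to the closing quote that is followed by ';'.
syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep
" Alternative string delimiters, kept disabled.
""syn region hogString oneline start=+[^:a-zA-Z>!\\]'+lc=1 skip=+\\\\\|\\'+ end=+'+ contains=hogEscapeBrace,vimPatSep,hogNotPatSep
"syn region hogString oneline start=+=!+lc=1 skip=+\\\\\|\\!+ end=+!+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep
"syn region hogString oneline start="=+"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
"syn region hogString oneline start="[^\\]+\s*[^a-zA-Z0-9.]"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
"syn region hogString oneline start="\s/\s*\A"lc=1 skip="\\\\\|\\+" end="/" contains=hogEscapeBrace,hogPatSep,hogNotPatSep
"syn match hogString contained +"[^"]*\\$+ skipnl nextgroup=hogStringCont
"syn match hogStringCont contained +\(\\\\\|.\)\{-}[^\\]"+


" Beginners - Patterns that involve ^
"
syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle
syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained
syn keyword hogTodo contained TODO

" Rule keywords
" rpc: application,procedure,version with '*' wildcards
syn match hogARPCOpt contained "\d\+,\*,\*"
syn match hogARPCOpt contained "\d\+,\d\+,\*"
syn match hogARPCOpt contained "\d\+,\*,\d\+"
syn match hogARPCOpt contained "\d\+,\d\+,\d"
" tag: values
syn match hogATAGOpt contained "session"
syn match hogATAGOpt contained "host"
syn match hogATAGOpt contained "dst"
syn match hogATAGOpt contained "src"
syn match hogATAGOpt contained "seconds"
syn match hogATAGOpt contained "packets"
syn match hogATAGOpt contained "bytes"
" resp: / react: values (active response)
syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite
syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite
syn keyword hogAReactOpt contained block warn msg skipwhite
syn match hogAReactOpt contained "proxy\d\+" skipwhite
syn keyword hogAFOpt contained logto content_list skipwhite
syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite
syn keyword hogARefGrps contained arachnids skipwhite
syn keyword hogARefGrps contained bugtraq skipwhite
syn keyword hogARefGrps contained cve skipwhite
syn keyword hogSessionVal contained printable all skipwhite
" flags: TCP flag letters (plus 0 for none); fragbits: D/R/M
syn match hogAFlagOpt contained "[0FSRPAUfsrpau21]\+" skipwhite
syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite
"
" Output syslog options
" Facilities
syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0
syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4
syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER
" Priorities (all carry the LOG_ prefix; LOG_ALERT was previously misspelt ALERT)
syn keyword hogSysPri contained LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR
syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
" Options
syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR
syn keyword hogSysOpt contained LOG_PID
" RuleTypes
syn keyword hogRuleType contained log pass alert activate dynamic

" Output log_database arguments and parameters
" Type of database followed by ,
syn keyword hogDBType contained alert log
syn keyword hogDBSRV contained mysql postgresql unixodbc
" Parameters param=constant
" are just various constants assigned to parameter names
syn keyword hogDBParam contained dbname host port user password sensor_name

" Output xml arguments and parameters
" xml args
syn keyword hogXMLArg contained log alert
syn keyword hogXMLParam contained file protocol host port cert key ca server sanitize encoding detail
"
" hog rule handler '(.*)'
" Each hogAOpt region covers an option name up to ':'; the nextgroup then
" covers its value up to ';'.
syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite
syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite

syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite
syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite
"
" Options that take no value
syn region hogAOpt contained oneline start="\<\(nocase\|sameip\)\>" end=";"me=e-1 skipwhite keepend
"
syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite
syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts
"
syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite
syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts

" Options whose value is a number
syn region hogAOpt contained oneline start="\<\(depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|id\|offset\)\>" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite
syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite keepend

syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite

" Options whose value is a quoted string
syn region hogAOpt contained oneline start="\<\(regex\|msg\|content\)\>" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite
"syn region hogAStrGrp contained oneline start=+:\s*"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite keepend

" Options whose value is a file name
syn region hogAOpt contained oneline start="\<\(logto\|content-list\)\>" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite

" reference:<system>,<id>;
syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite
syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite
syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite

syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite keepend

syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite keepend

syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite keepend

"syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite

syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite

" The parenthesised option list of a rule: hogRules -> hogRule -> hogAOpts -> hogAOpt
syn match nothing "$"
syn region hogRules oneline contains=nothing start='$' end="$"
syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite
syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts skipwhite keepend
"syn region hogAOpts contained oneline start="." end="[;]"he=s-1 contains=hogAOpt skipwhite
syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite


" ruletype command
syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite
syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion
" type ruletype sub type
syn region hogRTypeRegion contained start="{" end="}" nextgroup=hogRTypeStart
syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite
syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart


" var command
syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite
syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite
syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogString,hogFileName end="$"he=s-1 keepend skipwhite

" config command
syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType
syn match hogConfigType contained "\<classification\>" nextgroup=hogConfigTypeRegion skipwhite
syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText keepend skipwhite


" include command
syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion
syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend

" preprocessor command
" http_decode, minfrag, portscan[-ignorehosts]
syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr
syn match hogPPr contained "\<spade\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-homenet\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-threshlearn\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt2\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt3\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-survey\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<defrag\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<telnet_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<rpc_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<bo\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<stream\>" nextgroup=hogStreamRegion skipwhite
syn match hogPPr contained "\<stream2\>" nextgroup=hogStreamRegion skipwhite
syn match hogPPr contained "\<stream3\>" nextgroup=hogStreamRegion skipwhite
syn match hogPPr contained "\<http_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<minfrag\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<portscan[-ignorehosts]*\>" nextgroup=hogPPrRegion skipwhite
syn region hogPPrRegion contained oneline start="$" end="$" keepend
syn region hogPPrRegion contained oneline start=":" end="$" contains=hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
syn keyword hogStreamArgs contained timeout ports maxbytes
syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber

" output command
syn keyword hogOutStart output nextgroup=hogOut skipwhite
"
" alert_syslog
syn match hogOut contained "\<alert_syslog\>" nextgroup=hogSyslogRegion skipwhite
syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend
"
" alert_fast (full,smb,unixsock, and tcpdump)
syn match hogOut contained "\<\(alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\)\>" nextgroup=hogLogFileRegion skipwhite
syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend
"
" database
syn match hogOut contained "\<database\>" nextgroup=hogDBTypes skipwhite
syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite
syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite
syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues
syn region hogDBValues contained start="." end="\>" contains=hogNumber,hogEnvvar,hogAscii nextgroup=hogDBParams oneline skipwhite
syn match hogAscii contained "\<\a\+"
"
" log_tcpdump
syn match hogOut contained "\<log_tcpdump\>" nextgroup=hogLogRegion skipwhite
syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend
"
" xml
syn keyword hogXMLTrans contained http https tcp iap
syn match hogOut contained "\<xml\>" nextgroup=hogXMLRegion skipwhite
syn region hogXMLRegion contained start=":" end="," contains=hogXMLArg,hogEnvvar nextgroup=hogXMLParams skipwhite
"syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLProto nextgroup=hogXMLProtos
"syn region hogXMLProtos contained start="." end="\>" contains=hogXMLTrans nextgroup=hogXMLParams
syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValue
syn region hogXMLValue contained start="." end="\>" contains=hogNumber,hogIPaddr,hogEnvvar,hogAscii,hogFileName nextgroup=hogXMLParams oneline skipwhite keepend
"
" Filename
syn match hogFileName contained "[-./[:alnum:]_~]\+"
" IP address
" Dotted quad with optional /prefix. Only the shape is checked: octets and
" prefix length are not range-checked (999.999.999.999 highlights too).
syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>"

syn keyword hogProto tcp TCP ICMP icmp udp UDP

" hog alert address port pairs
" hog IPaddresses
syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\<any\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite
syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite
" Port: single number, 'any', or a low:high range; '!' negates.
"syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite
syn match hogPort contained "[\:]\=\d\+\>"
syn match hogPort contained "[\!]\=\<any\>" skipwhite
syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite

" action commands
syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion
syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion
syn keyword hogActStart alert skipwhite nextgroup=hogActRegion
syn keyword hogActStart log skipwhite nextgroup=hogActRegion
syn keyword hogActStart pass skipwhite nextgroup=hogActRegion

" <action> <proto> <src> <port> -> <dst> <port> ( ... )
syn region hogActRegion contained oneline start="tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource keepend skipwhite
syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 keepend skipwhite nextgroup=hogActDest
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" keepend
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 keepend skipwhite nextgroup=hogRules


" ====================
if version >= 508 || !exists("did_hog_syn_inits")
  if version < 508
    let did_hog_syn_inits = 1
    command -nargs=+ HiLink hi link <args>
  else
    command -nargs=+ HiLink hi def link <args>
  endif
  " The default methods for highlighting. Can be overridden later
  HiLink hogComment Comment
  HiLink hogLineComment Comment
  HiLink hogAscii Constant
  HiLink hogCommentString Constant
  HiLink hogFileName Constant
  HiLink hogIPaddr Constant
  HiLink hogNotPatSep Constant
  HiLink hogNumber Constant
  HiLink hogText Constant
  HiLink hogString Constant
  HiLink hogSysFac Constant
  HiLink hogSysOpt Constant
  HiLink hogSysPri Constant
  " HiLink hogAStrGrp Error
  HiLink hogJunk Error
  HiLink hogEnvvar Identifier
  HiLink hogIPaddrAndPort Identifier
  HiLink hogVarIdent Identifier
  HiLink hogATAGOpt PreProc
  HiLink hogAIPOptVal PreProc
  HiLink hogARespOpt PreProc
  HiLink hogAReactOpt PreProc
  HiLink hogAFlagOpt PreProc
  HiLink hogAFragOpt PreProc
  HiLink hogCommentTitle PreProc
  HiLink hogDBType PreProc
  HiLink hogDBSRV PreProc
  HiLink hogPort PreProc
  HiLink hogARefGrps PreProc
  HiLink hogSessionVal PreProc
  HiLink hogXMLArg PreProc
  HiLink hogARPCOpt PreProc
  HiLink hogPatSep Special
  HiLink hog7Functions Statement
  HiLink hogActStart Statement
  HiLink hogIncStart Statement
  HiLink hogConfigStart Statement
  HiLink hogOutStart Statement
  HiLink hogPPrStart Statement
  HiLink hogVarStart Statement
  HiLink hogRTypeStart Statement
  HiLink hogTodo Todo
  HiLink hogRuleType Type
  HiLink hogAFOpt Type
  " hogANoVal, hogAStrOpt and hogANOpt are not defined above; the links are
  " harmless placeholders and are kept for compatibility.
  HiLink hogANoVal Type
  HiLink hogAStrOpt Type
  HiLink hogANOpt Type
  HiLink hogAOpt Type
  HiLink hogDBParam Type
  HiLink hogStreamArgs Type
  HiLink hogOut Type
  HiLink hogPPr Type
  HiLink hogConfigType Type
  HiLink hogActRegion Type
  HiLink hogProto Type
  HiLink hogXMLParam Type
  delcommand HiLink
endif

let b:current_syntax = "hog"

" hog: cpw=59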