[Snort-users] vim snort syntax file

Old 01-25-2007
Phil Wood
 

I've just made a few changes to the vim syntax file:

/usr/share/vim/vim70/syntax/hog.vim

on my Debian box. In the past this file was available at

http://public.lanl.gov/cpw

from a file:

hog-vim.tar.gz

However, due to draconian measures which I have yet to overcome,
I am not able to update the web site at this time.

Consequently, for the few of you that may use vi to modify your
snort rules, you will find attached my updated vim file.

--
Phil Wood (cpw_at-sign_lanl.gov)


" Snort syntax file
" Language: Snort Configuration File (see: http://www.snort.org)
" Maintainer: Phil Wood, cpw@lanl.gov
" Last Change: $Date: 2007/01/24 17:53:00 $
" Filenames: *.hog *.rules snort.conf vision.conf
" URL: http://public.lanl.gov/cpw/vim/syntax/hog.vim
" Snort Version: 2.3 By Martin Roesch (roesch@clark.net, www.snort.org)
" TODO include syntax not reflected in current set of snort rules

" For version 5.x: Clear all syntax items
if version < 600
syntax clear
elseif exists("b:current_syntax")
" For version 6.x: Quit when a syntax file was already loaded
finish
endif

syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString
syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#'

syn match hogNumber contained "\<\d\+\>"
syn region hogText contained oneline start='\S' end=',' skipwhite
syn match hogAscii contained "\<[\a\A]\+\>"

syn match hogTexts contained "\<[a-zA-Z0-9\-_\.\:]\+\>"
"syn match hogFileName contained "\<[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*\>"
"syn match hogFileName contained "\<[a-zA-Z\-\._/]*[/a-zA-Z\-\._]*\>"
syn match hogFileName contained "[a-zA-Z0-9\#\-\._/]*[/_\.\#\-a-zA-Z0-9]*"
syn match hogFileName contained "[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*"

" Environment Variables
" =====================
"syn match hogEnvvar contained "[\!]\=\$\I\i*"
"syn match hogEnvvar contained "[\!]\=\${\I\i*}"
syn match hogEnvvar contained "\$\I\i*"
syn match hogEnvvar contained "[\!]\=\${\I\i*}"
syn match hogOperator contained "[\<\>=!&]"

syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1
syn match hogPatSep contained "\\[|()]"
syn match hogNotPatSep contained "\\\\"
"syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline
syn region hogString oneline start=+"+ skip=+""+ end=+"+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline

" Beginners - Patterns that involve ^
"
syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle
syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained
syn keyword hogTodo contained TODO

" Rule keywords
syn keyword hogThreshTyp contained type
syn keyword hogThreshTypOpt contained limit both
syn keyword hogThreshTrk contained track
syn keyword hogThreshTrkOpt contained by_src by_dst
syn keyword hogThreshCnt contained count
syn keyword hogThreshSec contained seconds
syn match hogARPCOpt contained "\d\+,\*,\*"
syn match hogARPCOpt contained "\d\+,\d\+,\*"
syn match hogARPCOpt contained "\d\+,\*,\d\+"
syn match hogARPCOpt contained "\d\+,\d\+,\d"
syn keyword hogATAGOpt contained session
syn keyword hogATAGOpt contained host
syn keyword hogATAGOpt contained dst
syn keyword hogATAGOpt contained src
syn keyword hogATAGOpt contained seconds
syn keyword hogATAGOpt contained packets
syn keyword hogATAGOpt contained bytes
syn keyword hogATESTOpt contained relative
syn keyword hogATESTOpt contained big
syn keyword hogATESTOpt contained little
syn keyword hogATESTOpt contained string
syn keyword hogATESTOpt contained hex
syn keyword hogATESTOpt contained dec
syn keyword hogATESTOpt contained oct
syn keyword hogAJUMPOpt contained align
syn keyword hogISDATAOpt contained relative
syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite
syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite
syn keyword hogAReactOpt contained block warn msg skipwhite
syn match hogAReactOpt contained "proxy\d\+" skipwhite
syn keyword hogAFlowOpt contained to_server to_client from_server from_client stateless established skipwhite
syn keyword hogAFlowBitOpt contained set noalert isset skipwhite
syn keyword hogAFOpt contained logto content_list skipwhite
syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite
syn keyword hogARefGrps contained arachnids skipwhite
syn match hogARefGrps contained "[Bb]ugtraq" skipwhite
syn match hogARefGrps contained "[Uu][Rr][Ll]" skipwhite
syn match hogARefGrps contained "[Cc]ve" skipwhite
syn keyword hogARefGrps contained symantec skipwhite
syn keyword hogARefGrps contained nessus skipwhite
syn match hogARefGrps contained "[Mm][Cc][Aa][Ff][Ee][Ee]" skipwhite
syn keyword hogSessionVal contained printable all skipwhite
syn match hogAFlagOpt contained "[0FSRPAUfsrpau21,]\+" skipwhite
syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite
"
" Output syslog options
" Facilities
syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0
syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4
syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER
" Priorities
syn keyword hogSysPri contained LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR
syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
" Options
syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR
syn keyword hogSysOpt contained LOG_PID
" RuleTypes
syn keyword hogRuleType contained log pass alert activate dynamic redalert
"
" hog rule handler '(.*)'
syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite
syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite

syn region hogAOpt contained oneline start="byte_jump" end=":"me=e-1 nextgroup=hogAJUMPReq1Grp skipwhite
syn region hogAJUMPReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPReq2Grp skipwhite
syn region hogAJUMPReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPOptGrp skipwhite
syn region hogAJUMPOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogAJUMPOpt,hogATESTOpt skipwhite

syn region hogAOpt contained oneline start="byte_test" end=":"me=e-1 nextgroup=hogATESTReq1Grp skipwhite
syn region hogATESTReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq2Grp skipwhite
syn region hogATESTReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogOperator skipwhite nextgroup=hogATESTReq3Grp skipwhite
syn region hogATESTReq3Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq4Grp skipwhite
syn region hogATESTReq4Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTOptGrp skipwhite
syn region hogATESTOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATESTOpt nextgroup=hogATESTOptGrp skipwhite

syn region hogAOpt contained oneline start="threshold" end=":"me=e-1 nextgroup=hogThreshArg1 skipwhite
syn region hogThreshArg1 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshTyp skipwhite nextgroup=hogThreshArg1Opt skipwhite
syn region hogThreshArg1Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogThreshTypOpt skipwhite nextgroup=hogThreshArg2 skipwhite
syn region hogThreshArg2 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshTrk skipwhite nextgroup=hogThreshArg2Opt skipwhite
syn region hogThreshArg2Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogThreshTrkOpt skipwhite nextgroup=hogThreshArg3 skipwhite
syn region hogThreshArg3 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshCnt skipwhite nextgroup=hogThreshArg3Opt skipwhite
syn region hogThreshArg3Opt contained oneline start="."hs=s+1 end=",[ ]*"me=e-1 contains=hogNumber skipwhite nextgroup=hogThreshArg4 skipwhite
syn region hogThreshArg4 contained oneline start="."hs=s+1 end=" "me=e-1 contains=hogThreshSec skipwhite nextgroup=hogThreshArg4Opt skipwhite
syn region hogThreshArg4Opt contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite


syn region hogAOpt contained oneline start="isdataat" end=":"me=e-1 nextgroup=hogISDATAReq1Grp skipwhite
syn region hogISDATAReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber nextgroup=hogISDATAOptGrp skipwhite
syn region hogISDATAOptGrp contained oneline start="." end="[;]" contains=hogISDATAOpt skipwhite

syn region hogAOpt contained oneline start="pcre" end=":"me=e-1 nextgroup=hogPCREReq skipwhite
syn region hogPCREReq contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite

syn region hogAOpt contained oneline start="asn1" end=":"me=e-1 nextgroup=hogASN1Req skipwhite
syn region hogASN1Req contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite

syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite
syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite
"
syn region hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend
"
syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite
syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts
"
syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite
syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts

syn region hogAOpt contained start="flow" end=":"me=e-1 nextgroup=hogAFlowOpts skipwhite
syn region hogAFlowOpts contained oneline start="." end="[,;]" contains=hogAFlowOpt skipwhite nextgroup=hogAFlowOpts

syn region hogAOpt contained start="flowbits" end=":"me=e-1 nextgroup=hogAFlowBitsOpts skipwhite
syn region hogAFlowBitsOpts contained oneline start="." end="[,;]"me=e-1 contains=hogAFlowBitOpt nextgroup=hogAFlowBitsOpts skipwhite


syn region hogAOpt contained oneline start="distance\|within\|window\|depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|sid\|rev\|id\|offset\|ip_proto" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite
syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend

syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogATextGrp skipwhite
syn region hogATextGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogTexts skipwhite oneline keepend

syn region hogAOpt contained oneline start="regex\|msg\|content\|uricontent" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite
"syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
"syn region hogAStrGrp contained oneline start="."hs=s+1 skip="\\;" end=";"me=e-1 contains=hogString skipwhite oneline keepend
syn region hogAStrGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString skipwhite oneline keepend

syn region hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite

syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite
syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite
syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite

syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend

syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFragOpt skipwhite oneline keepend

syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend

"syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite

syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite

syn match nothing "$"
syn region hogRules oneline contains=nothing start='$' end="$"
syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite
syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend
syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite


" ruletype command
syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite
syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion
" type ruletype sub type
syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart
syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite
syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart


" var command
syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite
syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite
syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogTexts,hogString,hogFileName end="$"he=s-1 keepend skipwhite

" config command
syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType
syn match hogConfigType contained "\<order\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<alertfile\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<classification\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<decode_arp\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<detection\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_chars_only\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_payload\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<disable_decode_alerts\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<decode_data_link\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<no_promisc\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<bpf_file\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<set_gid\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<daemon\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<ghetto_msg\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<reference_net\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<interface\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<alert_with_interface_name\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<logdir\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<umask\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<pkt_count\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<nolog\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<obfuscate\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<no_promisc\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<snaplen\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<quiet\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<read_bin_file\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<chroot\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<checksum_mode\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<set_uid\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<utc\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<verbose\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<dump_payload_verbose\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<show_year\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<stateful\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<min_ttl\>" nextgroup=hogConfigTypeRegion skipwhite
syn match hogConfigType contained "\<reference\>" nextgroup=hogConfigTypeRegion skipwhite
syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText,hogEnvvar keepend skipwhite

" include command
syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion
syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend

" preprocessor command
syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr
syn match hogPPr contained "\<arpspoof\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<arpspoof_detect_host\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<asn1_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<bo\>" nextgroup=hogPPrBO skipwhite
syn match hogPPr contained "\<conversation\>" nextgroup=hogConvRegion skipwhite
syn match hogPPr contained "\<fnord\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<frag2\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<http_decode\>" nextgroup=hogPPrHTTP skipwhite
syn match hogPPr contained "\<http_decode_ignore\>" nextgroup=hogPPrHTTPIgnore skipwhite
syn match hogPPr contained "\<portscan[-ignorehosts]*\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<portscan2\>" nextgroup=hogPS2Region skipwhite
syn match hogPPr contained "\<scan2-ignorehosts\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<rpc_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<stream4\>" nextgroup=hogStream4Region skipwhite
syn match hogPPr contained "\<stream4_reassemble\>" nextgroup=hogStream4rRegion skipwhite
syn match hogPPr contained "\<telnet_neg\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<telnet_negotiation\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<telnet_decode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-homenet\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-correlate\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-threshlearn\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-stats\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt2\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-adapt3\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<spade-survey\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<unidecode\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<minfrag\>" nextgroup=hogPPrRegion skipwhite
syn match hogPPr contained "\<perfmonitor\>" nextgroup=hogPMRegion skipwhite
"syn region hogPPrRegion contained oneline start=" " end=" " contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
syn region hogPPrRegion contained oneline start=":" end="$" contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
"syn region hogPPrRegion contained oneline start="$" end="$" keepend
syn match hogHTTPOPTS "unicode"
syn match hogHTTPOPTS "cginull"
syn match hogHTTPOPTS "iis_alt_unicode"
syn match hogHTTPOPTS "double_encode"
syn match hogHTTPOPTS "abort_invalid_hex"
syn match hogHTTPOPTS "drop_url_param"
syn match hogHTTPOPTS "iis_flip_slash"
syn match hogHTTPOPTS "full_whitespace"

syn region hogPPrHTTP contained oneline start=":" end="$" contains=hogNumber,hogHTTPOPTS
syn region hogPPrHTTPIgnore contained oneline start=":" end="$" contains=hogIPaddr
syn match hogBOOPTS "-nobrute"
syn region hogPPrBO contained oneline start=":" end="$" contains=hogNumber,hogBOOPTS
syn keyword hogConvArgs contained allowed_ip_protocols timeout max_conversations alert_odd_protocols
syn region hogConvRegion contained oneline start=":" end="$" contains=hogConvArgs,hogNumber,hogEnvvar,hogTexts skipwhite
syn keyword hogPMArgs contained console flow events time
syn region hogPMRegion contained oneline start=":" end="$" contains=hogPMArgs,hogNumber,hogFileName,hogEnvvar skipwhite
syn keyword hogPS2Args contained log scanners_max targets_max target_limit port_limit timeout
syn region hogPS2Region contained oneline start=":" end="$" contains=hogPS2Args,hogNumber,hogFileName,hogEnvvar skipwhite
syn keyword hogStreamArgs contained timeout ports maxbytes
syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber skipwhite
syn keyword hogStream4Args contained noinspect keepstats detect_scans log_flushed_streams detect_state_problems disable_evasion_alerts timeout memcap ttl_limit min_ttl
syn region hogStream4Region contained oneline start=":" end="$" contains=hogStream4Args,hogNumber skipwhite
syn keyword hogStream4rArgs contained clientonly serveronly both noalerts favor_old favor_new ports
syn region hogStream4rRegion contained oneline start=":" end="$" contains=hogStream4rArgs,hogNumber skipwhite


" output command
syn keyword hogOutStart output nextgroup=hogOut skipwhite
"
" SNMP
syn match hogOut contained "\<trap_snmp\>" nextgroup=hogSNMPRegion skipwhite
syn region hogSNMPRegion contained start=":" end="$" contains=hogSNMPalert oneline skipwhite keepend
syn match hogSNMPalert contained "\<alert\>" nextgroup=hogSNMPid skipwhite
syn region hogSNMPid contained start="," end="," contains=hogNumber nextgroup=hogSNMPtypes skipwhite
syn match hogSNMPtypes contained "\<cpm\|c\|trap\|inform\>" nextgroup=hogSNMPargs skipwhite
syn match hogSNMPswitch contained "\<-v\|-u\|-l\|-a\|-A\|-x\|-X\|trap\|inform\>" nextgroup=hogSNMPargs skipwhite
syn region hogSNMPargs contained oneline start=" " end="$" contains=hogSNMPswitch,hogNumber,hogEnvvar,hogAscii,hogTexts skipwhite

" alert_syslog
syn match hogOut contained "\<alert_syslog\>" nextgroup=hogSyslogRegion skipwhite
syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend
"
" alert_fast (full,smb,unixsock, and tcpdump)
syn match hogOut contained "\<alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\>" nextgroup=hogLogFileRegion skipwhite
syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend
"
" unified
syn keyword hogUNIType contained filename limit
syn match hogOut contained "\<alert_unified\|log_unified\>" nextgroup=hogUNIGroups skipwhite
syn region hogUNIGroups contained start=":" end="$" contains=hogUNIType,hogNumber,hogEnvvar,hogAscii,hogFileName skipwhite oneline
"
" Output database arguments and parameters
" Type of database followed by ,
" syn keyword hogDBSQL contained mysql postgresql unixodbc
" Parameters param=constant
" are just various constants assigned to parameter names
syn keyword hogDBType contained alert log
" Parameters param=constant
" are just various constants assigned to parameter names
syn keyword hogDBParam contained dbname host port user password sensor_name
"
syn keyword hogDBSRV contained mysql postgresql unixodbc mssql
" database
syn match hogOut contained "\<database\>" nextgroup=hogDBTypes skipwhite
syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite
syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite
syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues skipwhite
syn region hogDBValues contained start="." end="\>" contains=hogEnvvar,hogNumber,hogTexts nextgroup=hogDBParams skipwhite

"
" log_tcpdump
syn match hogOut contained "\<log_tcpdump\>" nextgroup=hogLogRegion skipwhite
syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend
"
" xml args
syn match hogOut contained "\<xml\>" nextgroup=hogXMLTypes skipwhite
syn region hogXMLTypes contained start=":" end="," contains=hogXMLType,hogEnvvar nextgroup=hogXMLParams skipwhite
syn keyword hogXMLType contained log alert
"
syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValues
syn keyword hogXMLParam contained protocol file host port cert key ca server sanitize encoding detail
syn region hogXMLValues contained start="." end=" \|$" contains=hogFilename,hogXMLTrans,hogTexts,hogNumber,hogIPaddr,hogEnvvar nextgroup=hogXMLParams oneline keepend
syn keyword hogXMLTrans contained http https tcp iap
"
" IP address
syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>"

syn keyword hogProto tcp TCP ICMP icmp udp UDP

" hog alert address port pairs
" hog IPaddresses
syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>[\]\s]" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>[\]\s]" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\<any\>" skipwhite nextgroup=hogPort
syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite
syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite
"syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite
syn match hogPort contained "[\:]\=\d\+\>" skipwhite
syn match hogPort contained "[\!]\=\<any\>" skipwhite
syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite

" action commands
syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion
syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion
syn keyword hogActStart alert skipwhite nextgroup=hogActRegion
syn keyword hogActStart redalert skipwhite nextgroup=hogActRegion
syn keyword hogActStart log skipwhite nextgroup=hogActRegion
syn keyword hogActStart pass skipwhite nextgroup=hogActRegion

syn region hogActRegion contained oneline start="ip\|IP\|tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite
syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 oneline keepend skipwhite nextgroup=hogActDest
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" oneline keepend
syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 oneline keepend skipwhite nextgroup=hogRules


" ====================
if version >= 508 || !exists("did_hog_syn_inits")
if version < 508
let did_hog_syn_inits = 1
command -nargs=+ HiLink hi link <args>
else
command -nargs=+ HiLink hi def link <args>
endif
" The default methods for highlighting. Can be overridden later
HiLink hogComment Comment
HiLink hogLineComment Comment
HiLink hogAscii Constant
HiLink hogCommentString Constant
HiLink hogFileName Constant
HiLink hogTexts Constant
HiLink hogIPaddr Constant
HiLink hogNotPatSep Constant
HiLink hogNumber Constant
HiLink hogOperator Constant
HiLink hogText Constant
HiLink hogString Constant
HiLink hogSysFac Constant
HiLink hogSysOpt Constant
HiLink hogSysPri Constant
HiLink hogSNMPopts Constant
HiLink hogISDATAOpt Constant
" HiLink hogAStrGrp Error
HiLink hogJunk Error
HiLink hogEnvvar Identifier
HiLink hogIPaddrAndPort Identifier
HiLink hogVarIdent Identifier
HiLink hogATAGOpt PreProc
HiLink hogATESTOpt PreProc
HiLink hogAJUMPOpt PreProc
HiLink hogAIPOptVal PreProc
HiLink hogARespOpt PreProc
HiLink hogAReactOpt PreProc
HiLink hogAFlowOpt PreProc
HiLink hogAFlowBitOpt PreProc
HiLink hogAFlagOpt PreProc
HiLink hogAFragOpt PreProc
HiLink hogCommentTitle PreProc
HiLink hogDBType PreProc
HiLink hogUNIType PreProc
HiLink hogDBSRV PreProc
HiLink hogPort PreProc
HiLink hogARefGrps PreProc
HiLink hogSessionVal PreProc
HiLink hogXMLType PreProc
HiLink hogXMLTrans PreProc
HiLink hogARPCOpt PreProc
HiLink hogPatSep Special
HiLink hog7Functions Statement
HiLink hogActStart Statement
HiLink hogIncStart Statement
HiLink hogConfigStart Statement
HiLink hogOutStart Statement
HiLink hogTypeStart Statement
HiLink hogPPrStart Statement
HiLink hogVarStart Statement
HiLink hogRTypeStart Statement
HiLink hogTodo Todo
HiLink hogRuleType Type
HiLink hogAFOpt Type
HiLink hogANoVal Type
HiLink hogAStrOpt Type
HiLink hogANOpt Type
HiLink hogAOpt Type
HiLink hogDBParam Type
HiLink hogStreamArgs Type
HiLink hogConvArgs PreProc
HiLink hogPS2Args PreProc
HiLink hogPMArgs PreProc
HiLink hogStream4Args PreProc
HiLink hogStream4rArgs PreProc
HiLink hogSNMPalert PreProc
HiLink hogHTTPOPTS PreProc
HiLink hogBOOPTS PreProc
HiLink hogSNMPtypes Type
HiLink hogSNMPswitch Type
HiLink hogOut Type
HiLink hogPPr Type
HiLink hogConfigType Type
HiLink hogActRegion Type
HiLink hogProto Type
HiLink hogXMLParam Type
HiLink hogXMLParam2 Type
HiLink resp Todo
HiLink cLabel Label
HiLink hogThreshTypOpt Constant
HiLink hogThreshTrkOpt Constant
HiLink hogThreshTyp PreProc
HiLink hogThreshTrk PreProc
HiLink hogThreshCnt PreProc
HiLink hogThreshSec PreProc

delcommand HiLink
endif

let b:current_syntax = "hog"

" hog: cpw=59
