" Snort syntax file " Language: Snort Configuration File (see: http://www.snort.org) " Maintainer: Phil Wood, cornett@arpa.net " Last Change: $Date: 2004/10/23 21:30:04 $ " Filenames: *.hog *.rules snort.conf vision.conf " URL: http://home.lanl.gov/cpw/vim/syntax/hog.vim " Snort Version: 2.0 By Martin Roesch (roesch@clark.net, www.snort.org) " TODO include all 2.0 syntax " For version 5.x: Clear all syntax items if version < 600 syntax clear elseif exists("b:current_syntax") " For version 6.x: Quit when a syntax file was already loaded finish endif syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#' syn match hogNumber contained "\<\d\+\>" syn region hogText contained oneline start='\S' end=',' skipwhite syn match hogAscii contained "\<[\a\A]\+\>" syn match hogTexts contained "\<[a-zA-Z0-9\-_\.\:]\+\>" "syn match hogFileName contained "\<[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*\>" "syn match hogFileName contained "\<[a-zA-Z\-\._/]*[/a-zA-Z\-\._]*\>" syn match hogFileName contained "[a-zA-Z0-9\#\-\._/]*[/_\.\#\-a-zA-Z0-9]*" syn match hogFileName contained "[a-zA-Z0-9\#\-\._/]*/[/_\.\#\-a-zA-Z0-9]*" " Environment Variables " ===================== "syn match hogEnvvar contained "[\!]\=\$\I\i*" "syn match hogEnvvar contained "[\!]\=\${\I\i*}" syn match hogEnvvar contained "\$\I\i*" syn match hogEnvvar contained "[\!]\=\${\I\i*}" syn match hogOperator contained "[\<\>=!]" syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1 syn match hogPatSep contained "\\[|()]" syn match hogNotPatSep contained "\\\\" "syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline syn region hogString oneline start=+"+ skip=+""+ end=+"+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline " Beginners - Patterns that involve ^ " syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained syn keyword hogTodo contained TODO " Rule keywords syn match hogARPCOpt contained "\d\+,\*,\*" syn match hogARPCOpt contained "\d\+,\d\+,\*" syn match hogARPCOpt contained "\d\+,\*,\d\+" syn match hogARPCOpt contained "\d\+,\d\+,\d" syn keyword hogATAGOpt contained session syn keyword hogATAGOpt contained host syn keyword hogATAGOpt contained dst syn keyword hogATAGOpt contained src syn keyword hogATAGOpt contained seconds syn keyword hogATAGOpt contained packets syn keyword hogATAGOpt contained bytes syn keyword hogATESTOpt contained relative syn keyword hogATESTOpt contained big syn keyword hogATESTOpt contained little syn keyword hogATESTOpt contained string syn keyword hogATESTOpt contained hex syn keyword hogATESTOpt contained dec syn keyword hogATESTOpt contained oct syn keyword hogAJUMPOpt contained align syn keyword hogISDATAOpt contained relative syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite syn keyword hogAReactOpt contained block warn msg skipwhite syn match hogAReactOpt contained "proxy\d\+" skipwhite syn keyword hogAFlowOpt contained to_server to_client from_server from_client stateless established skipwhite syn keyword hogAFOpt contained logto content_list skipwhite syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite syn keyword hogARefGrps contained arachnids skipwhite syn match hogARefGrps contained "[Bb]ugtraq" skipwhite syn match hogARefGrps contained "[Uu][Rr][Ll]" skipwhite syn match hogARefGrps contained "[Cc]ve" skipwhite syn keyword hogARefGrps contained symantec skipwhite syn keyword hogARefGrps contained nessus skipwhite syn match hogARefGrps contained "[Mm][Cc][Aa][Ff][Ee][Ee]" skipwhite syn keyword hogSessionVal contained printable all skipwhite syn match hogAFlagOpt contained "[0FSRPAUfsrpau21,]\+" skipwhite syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite " " Output syslog options " Facilities syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0 syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER " Priorities syn keyword hogSysPri contained LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG " Options syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR syn keyword hogSysOpt contained LOG_PID " RuleTypes syn keyword hogRuleType contained log pass alert activate dynamic redalert " " hog rule handler '(.*)' syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite syn region hogAOpt contained oneline start="byte_jump" end=":"me=e-1 nextgroup=hogAJUMPReq1Grp skipwhite syn region hogAJUMPReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPReq2Grp skipwhite syn region hogAJUMPReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogAJUMPOptGrp skipwhite syn region hogAJUMPOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogAJUMPOpt,hogATESTOpt skipwhite syn region hogAOpt contained oneline start="byte_test" end=":"me=e-1 nextgroup=hogATESTReq1Grp skipwhite syn region hogATESTReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq2Grp skipwhite syn region hogATESTReq2Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogOperator skipwhite nextgroup=hogATESTReq3Grp skipwhite syn region hogATESTReq3Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTReq4Grp skipwhite syn region hogATESTReq4Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber skipwhite nextgroup=hogATESTOptGrp skipwhite syn region hogATESTOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATESTOpt skipwhite nextgroup=hogATESTOptGrp syn region hogAOpt contained oneline start="threshold" end=":"me=e-1 nextgroup=hogThresReq skipwhite syn region hogThresReq contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite syn region hogAOpt contained oneline start="isdataat" end=":"me=e-1 nextgroup=hogISDATAReq1Grp skipwhite syn region hogISDATAReq1Grp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogNumber nextgroup=hogISDATAOptGrp skipwhite syn region hogISDATAOptGrp contained oneline start="." end="[;]" contains=hogISDATAOpt skipwhite syn region hogAOpt contained oneline start="pcre" end=":"me=e-1 nextgroup=hogPCREReq skipwhite syn region hogPCREReq contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite syn region hogAOpt contained oneline start="asn1" end=":"me=e-1 nextgroup=hogASN1Req skipwhite syn region hogASN1Req contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogString skipwhite syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite " syn region hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend " syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts " syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts syn region hogAOpt contained start="flow" end=":"me=e-1 nextgroup=hogAFlowOpts skipwhite syn region hogAFlowOpts contained oneline start="." end="[,;]" contains=hogAFlowOpt skipwhite nextgroup=hogAFlowOpts syn region hogAOpt contained oneline start="distance\|within\|window\|depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|sid\|rev\|id\|offset\|ip_proto" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogATextGrp skipwhite syn region hogATextGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogTexts skipwhite oneline keepend syn region hogAOpt contained oneline start="regex\|msg\|content\|uricontent" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite "syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend "syn region hogAStrGrp contained oneline start="."hs=s+1 skip="\\;" end=";"me=e-1 contains=hogString skipwhite oneline keepend syn region hogAStrGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString skipwhite oneline keepend syn region hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFragOpt skipwhite oneline keepend syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend "syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite syn match nothing "$" syn region hogRules oneline contains=nothing start='$' end="$" syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite " ruletype command syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion " type ruletype sub type syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart " var command syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogTexts,hogString,hogFileName end="$"he=s-1 keepend skipwhite " config command syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText,hogEnvvar keepend skipwhite " include command syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend " preprocessor command syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrBO skipwhite syn match hogPPr contained "\" nextgroup=hogConvRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrHTTP skipwhite syn match hogPPr contained "\" nextgroup=hogPPrHTTPIgnore skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPS2Region skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogStream4Region skipwhite syn match hogPPr contained "\" nextgroup=hogStream4rRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite syn match hogPPr contained "\" nextgroup=hogPMRegion skipwhite "syn region hogPPrRegion contained oneline start=" " end=" " contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend syn region hogPPrRegion contained oneline start=":" end="$" contains=hogTexts,hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend "syn region hogPPrRegion contained oneline start="$" end="$" keepend syn match hogHTTPOPTS "unicode" syn match hogHTTPOPTS "cginull" syn match hogHTTPOPTS "iis_alt_unicode" syn match hogHTTPOPTS "double_encode" syn match hogHTTPOPTS "abort_invalid_hex" syn match hogHTTPOPTS "drop_url_param" syn match hogHTTPOPTS "iis_flip_slash" syn match hogHTTPOPTS "full_whitespace" syn region hogPPrHTTP contained oneline start=":" end="$" contains=hogNumber,hogHTTPOPTS syn region hogPPrHTTPIgnore contained oneline start=":" end="$" contains=hogIPaddr syn match hogBOOPTS "-nobrute" syn region hogPPrBO contained oneline start=":" end="$" contains=hogNumber,hogBOOPTS syn keyword hogConvArgs contained allowed_ip_protocols timeout max_conversations alert_odd_protocols syn region hogConvRegion contained oneline start=":" end="$" contains=hogConvArgs,hogNumber,hogEnvvar,hogTexts skipwhite syn keyword hogPMArgs contained console flow events time syn region hogPMRegion contained oneline start=":" end="$" contains=hogPMArgs,hogNumber,hogFileName,hogEnvvar skipwhite syn keyword hogPS2Args contained log scanners_max targets_max target_limit port_limit timeout syn region hogPS2Region contained oneline start=":" end="$" contains=hogPS2Args,hogNumber,hogFileName,hogEnvvar skipwhite syn keyword hogStreamArgs contained timeout ports maxbytes syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber skipwhite syn keyword hogStream4Args contained noinspect keepstats detect_scans log_flushed_streams detect_state_problems disable_evasion_alerts timeout memcap ttl_limit min_ttl syn region hogStream4Region contained oneline start=":" end="$" contains=hogStream4Args,hogNumber skipwhite syn keyword hogStream4rArgs contained clientonly serveronly both noalerts favor_old favor_new ports syn region hogStream4rRegion contained oneline start=":" end="$" contains=hogStream4rArgs,hogNumber skipwhite " output command syn keyword hogOutStart output nextgroup=hogOut skipwhite " " SNMP syn match hogOut contained "\" nextgroup=hogSNMPRegion skipwhite syn region hogSNMPRegion contained start=":" end="$" contains=hogSNMPalert oneline skipwhite keepend syn match hogSNMPalert contained "\" nextgroup=hogSNMPid skipwhite syn region hogSNMPid contained start="," end="," contains=hogNumber nextgroup=hogSNMPtypes skipwhite syn match hogSNMPtypes contained "\" nextgroup=hogSNMPargs skipwhite syn match hogSNMPswitch contained "\<-v\|-u\|-l\|-a\|-A\|-x\|-X\|trap\|inform\>" nextgroup=hogSNMPargs skipwhite syn region hogSNMPargs contained oneline start=" " end="$" contains=hogSNMPswitch,hogNumber,hogEnvvar,hogAscii,hogTexts skipwhite " alert_syslog syn match hogOut contained "\" nextgroup=hogSyslogRegion skipwhite syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend " " alert_fast (full,smb,unixsock, and tcpdump) syn match hogOut contained "\" nextgroup=hogLogFileRegion skipwhite syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend " " unified syn keyword hogUNIType contained filename limit syn match hogOut contained "\" nextgroup=hogUNIGroups skipwhite syn region hogUNIGroups contained start=":" end="$" contains=hogUNIType,hogNumber,hogEnvvar,hogAscii,hogFileName skipwhite oneline " " Output database arguments and parameters " Type of database followed by , " syn keyword hogDBSQL contained mysql postgresql unixodbc " Parameters param=constant " are just various constants assigned to parameter names syn keyword hogDBType contained alert log " Parameters param=constant " are just various constants assigned to parameter names syn keyword hogDBParam contained dbname host port user password sensor_name " syn keyword hogDBSRV contained mysql postgresql unixodbc mssql " database syn match hogOut contained "\" nextgroup=hogDBTypes skipwhite syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues skipwhite syn region hogDBValues contained start="." end="\>" contains=hogEnvvar,hogNumber,hogTexts nextgroup=hogDBParams skipwhite " " log_tcpdump syn match hogOut contained "\" nextgroup=hogLogRegion skipwhite syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend " " xml args syn match hogOut contained "\" nextgroup=hogXMLTypes skipwhite syn region hogXMLTypes contained start=":" end="," contains=hogXMLType,hogEnvvar nextgroup=hogXMLParams skipwhite syn keyword hogXMLType contained log alert " syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValues syn keyword hogXMLParam contained protocol file host port cert key ca server sanitize encoding detail syn region hogXMLValues contained start="." end=" \|$" contains=hogFilename,hogXMLTrans,hogTexts,hogNumber,hogIPaddr,hogEnvvar nextgroup=hogXMLParams oneline keepend syn keyword hogXMLTrans contained http https tcp iap " " IP address syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" syn keyword hogProto tcp TCP ICMP icmp udp UDP " hog alert address port pairs " hog IPaddresses syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>[\]\s]" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[\[]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "[,]\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>[\]\s]" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\" skipwhite nextgroup=hogPort syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite "syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite syn match hogPort contained "[\:]\=\d\+\>" skipwhite syn match hogPort contained "[\!]\=\" skipwhite syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite " action commands syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion syn keyword hogActStart alert skipwhite nextgroup=hogActRegion syn keyword hogActStart redalert skipwhite nextgroup=hogActRegion syn keyword hogActStart log skipwhite nextgroup=hogActRegion syn keyword hogActStart pass skipwhite nextgroup=hogActRegion syn region hogActRegion contained oneline start="ip\|IP\|tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 oneline keepend skipwhite nextgroup=hogActDest syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" oneline keepend syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 oneline keepend skipwhite nextgroup=hogRules " ==================== if version >= 508 || !exists("did_hog_syn_inits") if version < 508 let did_hog_syn_inits = 1 command -nargs=+ HiLink hi link else command -nargs=+ HiLink hi def link endif " The default methods for highlighting. Can be overridden later HiLink hogComment Comment HiLink hogLineComment Comment HiLink hogAscii Constant HiLink hogCommentString Constant HiLink hogFileName Constant HiLink hogTexts Constant HiLink hogIPaddr Constant HiLink hogNotPatSep Constant HiLink hogNumber Constant HiLink hogOperator Constant HiLink hogText Constant HiLink hogString Constant HiLink hogSysFac Constant HiLink hogSysOpt Constant HiLink hogSysPri Constant HiLink hogSNMPopts Constant HiLink hogISDATAOpt Constant " HiLink hogAStrGrp Error HiLink hogJunk Error HiLink hogEnvvar Identifier HiLink hogIPaddrAndPort Identifier HiLink hogVarIdent Identifier HiLink hogATAGOpt PreProc HiLink hogATESTOpt PreProc HiLink hogAJUMPOpt PreProc HiLink hogAIPOptVal PreProc HiLink hogARespOpt PreProc HiLink hogAReactOpt PreProc HiLink hogAFlowOpt PreProc HiLink hogAFlagOpt PreProc HiLink hogAFragOpt PreProc HiLink hogCommentTitle PreProc HiLink hogDBType PreProc HiLink hogUNIType PreProc HiLink hogDBSRV PreProc HiLink hogPort PreProc HiLink hogARefGrps PreProc HiLink hogSessionVal PreProc HiLink hogXMLType PreProc HiLink hogXMLTrans PreProc HiLink hogARPCOpt PreProc HiLink hogPatSep Special HiLink hog7Functions Statement HiLink hogActStart Statement HiLink hogIncStart Statement HiLink hogConfigStart Statement HiLink hogOutStart Statement HiLink hogTypeStart Statement HiLink hogPPrStart Statement HiLink hogVarStart Statement HiLink hogRTypeStart Statement HiLink hogTodo Todo HiLink hogRuleType Type HiLink hogAFOpt Type HiLink hogANoVal Type HiLink hogAStrOpt Type HiLink hogANOpt Type HiLink hogAOpt Type HiLink hogDBParam Type HiLink hogStreamArgs Type HiLink hogConvArgs PreProc HiLink hogPS2Args PreProc HiLink hogPMArgs PreProc HiLink hogStream4Args PreProc HiLink hogStream4rArgs PreProc HiLink hogSNMPalert PreProc HiLink hogHTTPOPTS PreProc HiLink hogBOOPTS PreProc HiLink hogSNMPtypes Type HiLink hogSNMPswitch Type HiLink hogOut Type HiLink hogPPr Type HiLink hogConfigType Type HiLink hogActRegion Type HiLink hogProto Type HiLink hogXMLParam Type HiLink hogXMLParam2 Type HiLink resp Todo HiLink cLabel Label delcommand HiLink endif let b:current_syntax = "hog" " hog: cpw=59