# HG changeset patch # User Christian Brabandt # Date 1446393605 -3600 # Node ID 3ba0f29ba1d1239378c3f400ac49ecf20a05202a # Parent 02e49375680866a7b568822005bd475a40b4f369 commit https://github.com/vim/vim/commit/d7464be9747fcaa8e6210e1f00a3882932df76e2 Author: Bram Moolenaar Date: Sun Nov 1 16:49:04 2015 +0100 Updated runtime files. diff --git a/runtime/doc/pi_netrw.txt b/runtime/doc/pi_netrw.txt --- a/runtime/doc/pi_netrw.txt +++ b/runtime/doc/pi_netrw.txt @@ -1,4 +1,4 @@ -*pi_netrw.txt* For Vim version 7.4. Last change: 2015 Oct 30 +*pi_netrw.txt* For Vim version 7.4. Last change: 2015 Oct 31 ------------------------------------------------ NETRW REFERENCE MANUAL by Charles E. Campbell @@ -3438,7 +3438,7 @@ 10. Problems and Fixes *netrw-proble You probably want netrw running as in a side window. If so, you will likely find that ":[N]Lexplore" does what you want. The optional "[N]" allows you to select the quantity of columns you - wish the Lexplorer window to start with (see |g:netrw_winsize| + wish the |:Lexplore|r window to start with (see |g:netrw_winsize| for how this parameter works). Previous solution: diff --git a/runtime/doc/todo.txt b/runtime/doc/todo.txt --- a/runtime/doc/todo.txt +++ b/runtime/doc/todo.txt @@ -1,4 +1,4 @@ -*todo.txt* For Vim version 7.4. Last change: 2015 Oct 30 +*todo.txt* For Vim version 7.4. Last change: 2015 Oct 31 VIM REFERENCE MANUAL by Bram Moolenaar @@ -222,6 +222,9 @@ Is this right? Patch to have CTRL-A and CTRL-X update the '[ and '] marks. (Yukihiro Nakadaira, 2015 Aug 23) +On MS-Windows viminfo file is always given the hidden attribute? (raulnac, +2015 Oct 30) + Patch to make getregtype() return the right size for non-linux systems. (Yasuhiro Matsumoto, 2014 Jul 8) Breaks test_eval. Inefficient, can we only compute y_width when needed? diff --git a/runtime/ftplugin/hog.vim b/runtime/ftplugin/hog.vim new file mode 100644 --- /dev/null +++ b/runtime/ftplugin/hog.vim @@ -0,0 +1,39 @@ +" Vim filetype plugin +" Language: hog (snort.conf) +" Maintainer: . Victor Roemer, . +" Last Change: Mar 1, 2013 + +if exists("b:did_ftplugin") + finish +endif +let b:did_ftplugin = 1 + +let s:undo_ftplugin = "setl fo< com< cms< def< inc<" + +let s:cpo_save = &cpo +set cpo&vim + +setlocal formatoptions=croq +setlocal comments=:# +setlocal commentstring=\c#\ %s +setlocal define=\c^\s\{-}var +setlocal include=\c^\s\{-}include + +" Move around configurations +let s:hog_keyword_match = '\c^\s*\<\(preprocessor\\|config\\|output\\|include\\|ipvar\\|portvar\\|var\\|dynamicpreprocessor\\|' . + \ 'dynamicengine\\|dynamicdetection\\|activate\\|alert\\|drop\\|block\\|dynamic\\|log\\|pass\\|reject\\|sdrop\\|sblock\)\>' + +exec "nnoremap ]] :call search('" . s:hog_keyword_match . "', 'W' )" +exec "nnoremap [[ :call search('" . s:hog_keyword_match . "', 'bW' )" + +if exists("loaded_matchit") + let b:match_words = + \ '^\s*\<\%(preprocessor\|config\|output\|include\|ipvar\|portvar' . + \ '\|var\|dynamicpreprocessor\|dynamicengine\|dynamicdetection' . + \ '\|activate\|alert\|drop\|block\|dynamic\|log\|pass\|reject' . + \ '\|sdrop\|sblock\>\):$,\::\,:;' + let b:match_skip = 'r:\\.\{-}$\|^\s*#.\{-}$\|^\s*$' +endif + +let &cpo = s:cpo_save +unlet s:cpo_save diff --git a/runtime/indent/hog.vim b/runtime/indent/hog.vim new file mode 100644 --- /dev/null +++ b/runtime/indent/hog.vim @@ -0,0 +1,77 @@ +" Vim indent file +" Language: hog (Snort.conf) +" Maintainer: Victor Roemer, +" Last Change: Mar 7, 2013 + +" Only load this indent file when no other was loaded. +if exists("b:did_indent") + finish +endif +let b:did_indent = 1 +let b:undo_indent = 'setlocal smartindent< indentexpr< indentkeys<' + +setlocal nosmartindent +setlocal indentexpr=GetHogIndent() +setlocal indentkeys+=!^F,o,O,0# + +" Only define the function once. +if exists("*GetHogIndent") + finish +endif + +let s:cpo_save = &cpo +set cpo&vim + +let s:syn_blocks = '\' + +function s:IsInBlock(lnum) + return synIDattr(synID(a:lnum, 1, 1), 'name') =~ s:syn_blocks +endfunction + +function GetHogIndent() + let prevlnum = prevnonblank(v:lnum-1) + + " Comment blocks have identical indent + if getline(v:lnum) =~ '^\s*#' && getline(prevlnum) =~ '^\s*#' + return indent(prevlnum) + endif + + " Ignore comment lines when calculating indent + while getline(prevlnum) =~ '^\s*#' + let prevlnum = prevnonblank(prevlnum-1) + if !prevlnum + return previndent + endif + endwhile + + " Continuation of a line that wasn't indented + let prevline = getline(prevlnum) + if prevline =~ '^\k\+.*\\\s*$' + return &sw + endif + + " Continuation of a line that was indented + if prevline =~ '\k\+.*\\\s*$' + return indent(prevlnum) + endif + + " Indent the next line if previous line contained a start of a block + " definition ('{' or '('). + if prevline =~ '^\k\+[^#]*{}\@!\s*$' " TODO || prevline =~ '^\k\+[^#]*()\@!\s*$' + return &sw + endif + + " Match inside of a block + if s:IsInBlock(v:lnum) + if prevline =~ "^\k\+.*$" + return &sw + else + return indent(prevlnum) + endif + endif + + return 0 +endfunction + +let &cpo = s:cpo_save +unlet s:cpo_save diff --git a/runtime/syntax/hog.vim b/runtime/syntax/hog.vim --- a/runtime/syntax/hog.vim +++ b/runtime/syntax/hog.vim @@ -1,350 +1,200 @@ -" Snort syntax file -" Language: Snort Configuration File (see: http://www.snort.org) -" Maintainer: Phil Wood, cornett@arpa.net -" Last Change: $Date: 2004/06/13 17:41:17 $ -" Filenames: *.hog *.rules snort.conf vision.conf -" URL: http://home.lanl.gov/cpw/vim/syntax/hog.vim -" Snort Version: 1.8 By Martin Roesch (roesch@clark.net, www.snort.org) -" TODO include all 1.8 syntax +" Vim syntax file +" Language: hog (Snort.conf + .rules) +" Maintainer: Victor Roemer, . +" Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog +" 2012 Oct 24 -> Originalish release -" For version 5.x: Clear all syntax items if version < 600 - syntax clear + syntax clear elseif exists("b:current_syntax") -" For version 6.x: Quit when a syntax file was already loaded - finish + finish endif -syn match hogComment +\s\#[^\-:.%#=*].*$+lc=1 contains=hogTodo,hogCommentString -syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#' +setlocal iskeyword-=: +setlocal iskeyword+=- +syn case ignore -syn match hogJunk "\<\a\+|\s\+$" -syn match hogNumber contained "\<\d\+\>" -syn region hogText contained oneline start='\S' end=',' skipwhite -syn region hogTexts contained oneline start='\S' end=';' skipwhite +" Hog ruletype crap +syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite +syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite +syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold +syn keyword HogRuleTypeType type contained -" Environment Variables -" ===================== -"syn match hogEnvvar contained "[\!]\=\$\I\i*" -"syn match hogEnvvar contained "[\!]\=\${\I\i*}" -syn match hogEnvvar contained "\$\I\i*" -syn match hogEnvvar contained "[\!]\=\${\I\i*}" +" Hog Configurables +syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite +syn keyword HogConfig config nextgroup=HogConfigName skipwhite +syn keyword HogOutput output nextgroup=HogConfigName skipwhite +syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite +syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment +" Event filter's and threshold's +syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment +syn keyword HogEvFilterKeyword skipwhite event_filter threshold +syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes +syn keyword HogEvFilterTypes skipwhite limit threshold both contained +syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack +syn keyword HogEvFilterTrack skipwhite by_src by_dst contained +syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber -" String handling lifted from vim.vim written by Dr. Charles E. Campbell, Jr. -" Try to catch strings, if nothing else matches (therefore it must precede the others!) -" vmEscapeBrace handles ["] []"] (ie. stays as string) -syn region hogEscapeBrace oneline contained transparent start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1 -syn match hogPatSep contained "\\[|()]" -syn match hogNotPatSep contained "\\\\" -syn region hogString oneline start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1 contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline -""syn region hogString oneline start=+[^:a-zA-Z>!\\]'+lc=1 skip=+\\\\\|\\'+ end=+'+ contains=hogEscapeBrace,vimPatSep,hogNotPatSep -"syn region hogString oneline start=+=!+lc=1 skip=+\\\\\|\\!+ end=+!+ contains=hogEscapeBrace,hogPatSep,hogNotPatSep -"syn region hogString oneline start="=+"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep -"syn region hogString oneline start="[^\\]+\s*[^a-zA-Z0-9.]"lc=1 skip="\\\\\|\\+" end="+" contains=hogEscapeBrace,hogPatSep,hogNotPatSep -"syn region hogString oneline start="\s/\s*\A"lc=1 skip="\\\\\|\\+" end="/" contains=hogEscapeBrace,hogPatSep,hogNotPatSep -"syn match hogString contained +"[^"]*\\$+ skipnl nextgroup=hogStringCont -"syn match hogStringCont contained +\(\\\\\|.\)\{-}[^\\]"+ +" Suppressions +syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment +syn keyword HogSuppressKeyword skipwhite suppress +syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber +syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack +syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr + +" Attribute table +syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile +syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment +syn keyword HogAttributeType filename +" Hog includes +syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite +syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment -" Beginners - Patterns that involve ^ -" -syn match hogLineComment +^[ \t]*#.*$+ contains=hogTodo,hogCommentString,hogCommentTitle -syn match hogCommentTitle '#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained -syn keyword hogTodo contained TODO +" Hog dynamic libraries +syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite +syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment +syn keyword HogDylibType directory file contained + +" Variable dereferenced with '$' +syn match HogVar "\$[[:alnum:]_]\+" + +", Variables declared with 'var' +syn keyword HogVarType var nextgroup=HogVarSet skipwhite +syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite +syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment -" Rule keywords -syn match hogARPCOpt contained "\d\+,\*,\*" -syn match hogARPCOpt contained "\d\+,\d\+,\*" -syn match hogARPCOpt contained "\d\+,\*,\d\+" -syn match hogARPCOpt contained "\d\+,\d\+,\d" -syn match hogATAGOpt contained "session" -syn match hogATAGOpt contained "host" -syn match hogATAGOpt contained "dst" -syn match hogATAGOpt contained "src" -syn match hogATAGOpt contained "seconds" -syn match hogATAGOpt contained "packets" -syn match hogATAGOpt contained "bytes" -syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite -syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite -syn keyword hogAReactOpt contained block warn msg skipwhite -syn match hogAReactOpt contained "proxy\d\+" skipwhite -syn keyword hogAFOpt contained logto content_list skipwhite -syn keyword hogAIPOptVal contained eol nop ts sec lsrr lsrre satid ssrr rr skipwhite -syn keyword hogARefGrps contained arachnids skipwhite -syn keyword hogARefGrps contained bugtraq skipwhite -syn keyword hogARefGrps contained cve skipwhite -syn keyword hogSessionVal contained printable all skipwhite -syn match hogAFlagOpt contained "[0FSRPAUfsrpau21]\+" skipwhite -syn match hogAFragOpt contained "[DRMdrm]\+" skipwhite -" -" Output syslog options -" Facilities -syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0 -syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 -syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER -" Priorities -syn keyword hogSysPri contained LOG_EMERG ALERT LOG_CRIT LOG_ERR -syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG -" Options -syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR -syn keyword hogSysOpt contained LOG_PID -" RuleTypes -syn keyword hogRuleType contained log pass alert activate dynamic +" Variables declared with 'ipvar' +syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite +syn match HogIPVarSet "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite +syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot + +" Variables declared with 'portvar' +syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite +syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite +syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot +syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange -" Output log_database arguments and parameters -" Type of database followed by , -" syn keyword hogDBSQL contained mysql postgresql unixodbc -" Parameters param=constant -" are just various constants assigned to parameter names - -" Output log_database arguments and parameters -" Type of database followed by , -syn keyword hogDBType contained alert log -syn keyword hogDBSRV contained mysql postgresql unixodbc -" Parameters param=constant -" are just various constants assigned to parameter names -syn keyword hogDBParam contained dbname host port user password sensor_name +" Generic stuff +syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr +syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr +syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)" +syn region HogHexEsc contained start='|' end='|' oneline +syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc +syn match HogNumber contained display "\<\d\+\>" +syn match HogNumber contained display "\<\d\+\>" +syn match HogNumber contained display "0x\x\+\>" +syn keyword HogSpecial contained true false yes no default all any +syn keyword HogSpecialAny contained any +syn match HogOpNot "!" contained +syn match HogOpRange ":" contained -" Output xml arguments and parameters -" xml args -syn keyword hogXMLArg contained log alert -syn keyword hogXMLParam contained file protocol host port cert key ca server sanitize encoding detail -" -" hog rule handler '(.*)' -syn region hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite -syn region hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite - -syn region hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite -syn region hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite -" -syn region hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend -" -syn region hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite -syn region hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts -" -syn region hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite -syn region hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts - -syn region hogAOpt contained oneline start="depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|id\|offset" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite -syn region hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend - -syn region hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite - -syn region hogAOpt contained oneline start="regex\|msg\|content" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite -"syn region hogAStrGrp contained oneline start=+:\s*"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend -syn region hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend +" Rules +syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock +syn keyword HogRuleProto ip tcp udp icmp skipwhite contained nextgroup=HogRuleSrcIP +syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort +syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir +syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP +syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort +syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock +syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold +",HogString,HogComment,HogVar,HogOptNot +"syn region HogRuleOption start="\" end="\ze;" skipwhite contained contains=HogNumber +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata content nocase rawbytes +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter +syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group -syn region hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite -syn region hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite - -syn region hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite -syn region hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite -syn region hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite - -syn region hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend - -syn region hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend - -syn region hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend - -"syn region hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite +syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber +syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained +syn match HogURLChars "\%(\.\|?\|=\)\+" contained -syn region hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite - -syn match nothing "$" -syn region hogRules oneline contains=nothing start='$' end="$" -syn region hogRules oneline contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite -syn region hogRule contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend -"syn region hogAOpts contained oneline start="." end="[;]"he=s-1 contains=hogAOpt skipwhite -syn region hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite - - -" ruletype command -syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite -syn region hogRuleName contained start="." end="\s" contains=hogFileName nextgroup=hogRTypeRegion -" type ruletype sub type -syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart -syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite -syn region hogRuleTypes contained start="." end="\s" contains=hogRuleType nextgroup=hogOutStart +" Hog File Type Rules +syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP +syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group +syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln +syn match NotASemiColn ".*$" contained -" var command -syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite -syn region hogVarIdent contained start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite -syn region hogVarRegion contained oneline start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogString,hogFileName end="$"he=s-1 keepend skipwhite +" Comments +syn keyword HogTodo XXX TODO NOTE contained +syn match HogTodo "Step\s\+#\=\d\+" contained +syn region HogComment start="#" end="$" contains=HogTodo,@Spell -" config command -syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType -syn match hogConfigType contained "\" nextgroup=hogConfigTypeRegion skipwhite -syn region hogConfigTypeRegion contained oneline start=":"ms=s+1 end="$" contains=hogNumber,hogText keepend skipwhite - - -" include command -syn keyword hogIncStart include skipwhite nextgroup=hogIncRegion -syn region hogIncRegion contained oneline start="\>" contains=hogFileName,hogEnvvar end="$" keepend +syn case match -" preprocessor command -" http_decode, minfrag, portscan[-ignorehosts] -syn keyword hogPPrStart preprocessor skipwhite nextgroup=hogPPr -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogStreamRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn match hogPPr contained "\" nextgroup=hogPPrRegion skipwhite -syn region hogPPrRegion contained oneline start="$" end="$" keepend -syn region hogPPrRegion contained oneline start=":" end="$" contains=hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend -syn keyword hogStreamArgs contained timeout ports maxbytes -syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber +if !exists("hog_minlines") + let hog_minlines = 100 +endif +exec "syn sync minlines=" . hog_minlines + +hi link HogRuleType Statement +hi link HogRuleTypeName Type +hi link HogRuleTypeType Keyword -" output command -syn keyword hogOutStart output nextgroup=hogOut skipwhite -" -" alert_syslog -syn match hogOut contained "\" nextgroup=hogSyslogRegion skipwhite -syn region hogSyslogRegion contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend -" -" alert_fast (full,smb,unixsock, and tcpdump) -syn match hogOut contained "\" nextgroup=hogLogFileRegion skipwhite -syn region hogLogFileRegion contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend -" -" database -syn match hogOut contained "\" nextgroup=hogDBTypes skipwhite -syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite -syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite -syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam nextgroup=hogDBValues -syn region hogDBValues contained start="." end="\>" contains=hogNumber,hogEnvvar,hogAscii nextgroup=hogDBParams oneline skipwhite -syn match hogAscii contained "\<\a\+" -" -" log_tcpdump -syn match hogOut contained "\" nextgroup=hogLogRegion skipwhite -syn region hogLogRegion oneline start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend -" -" xml -syn keyword hogXMLTrans contained http https tcp iap -syn match hogOut contained "\" nextgroup=hogXMLRegion skipwhite -syn region hogXMLRegion contained start=":" end="," contains=hogXMLArg,hogEnvvar nextgroup=hogXMLParams skipwhite -"syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLProto nextgroup=hogXMLProtos -"syn region hogXMLProtos contained start="." end="\>" contains=hogXMLTrans nextgroup=hogXMLParams -syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam nextgroup=hogXMLValue -syn region hogXMLValue contained start="." end="\>" contains=hogNumber,hogIPaddr,hogEnvvar,hogAscii,hogFileName nextgroup=hogXMLParams oneline skipwhite keepend -" -" Filename -syn match hogFileName contained "[-./[:alnum:]_~]\+" -syn match hogFileName contained "[-./[:alnum:]_~]\+" -" IP address -syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" -syn match hogIPaddr "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" +hi link HogPreproc Statement +hi link HogConfig Statement +hi link HogOutput Statement +hi link HogConfigName Type -syn keyword hogProto tcp TCP ICMP icmp udp UDP +"hi link HogEvFilter +hi link HogEvFilterKeyword Statement +hi link HogSuppressKeyword Statement +hi link HogEvFilterTypes Constant +hi link HogEvFilterTrack Constant + +hi link HogAttribute Statement +hi link HogAttributeFile String +hi link HogAttributeType Statement + +hi link HogInclude Statement +hi link HogIncludeFile String -" hog alert address port pairs -" hog IPaddresses -syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite nextgroup=hogPort -syn match hogIPaddrAndPort contained "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite nextgroup=hogPort -syn match hogIPaddrAndPort contained "\" skipwhite nextgroup=hogPort -syn match hogIPaddrAndPort contained "\$\I\i*" nextgroup=hogPort skipwhite -syn match hogIPaddrAndPort contained "\${\I\i*}" nextgroup=hogPort skipwhite -"syn match hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite -syn match hogPort contained "[\:]\=\d\+\>" -syn match hogPort contained "[\!]\=\" skipwhite -syn match hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite +hi link HogDylib Statement +hi link HogDylibType Statement +hi link HogDylibFile String -" action commands -syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion -syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion -syn keyword hogActStart alert skipwhite nextgroup=hogActRegion -syn keyword hogActStart log skipwhite nextgroup=hogActRegion -syn keyword hogActStart pass skipwhite nextgroup=hogActRegion - -syn region hogActRegion contained oneline start="tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite -syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2 oneline keepend skipwhite nextgroup=hogActDest -syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$" oneline keepend -syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1 oneline keepend skipwhite nextgroup=hogRules - +" Variables +" var +hi link HogVar Identifier +hi link HogVarType Keyword +hi link HogVarSet Identifier +hi link HogVarValue String +" ipvar +hi link HogIPVarType Keyword +hi link HogIPVarSet Identifier +" portvar +hi link HogPortVarType Keyword +hi link HogPortVarSet Identifier +hi link HogPort Constant -" ==================== -if version >= 508 || !exists("did_hog_syn_inits") - if version < 508 - let did_hog_syn_inits = 1 - command -nargs=+ HiLink hi link - else - command -nargs=+ HiLink hi def link - endif -" The default methods for highlighting. Can be overridden later - HiLink hogComment Comment - HiLink hogLineComment Comment - HiLink hogAscii Constant - HiLink hogCommentString Constant - HiLink hogFileName Constant - HiLink hogIPaddr Constant - HiLink hogNotPatSep Constant - HiLink hogNumber Constant - HiLink hogText Constant - HiLink hogString Constant - HiLink hogSysFac Constant - HiLink hogSysOpt Constant - HiLink hogSysPri Constant -" HiLink hogAStrGrp Error - HiLink hogJunk Error - HiLink hogEnvvar Identifier - HiLink hogIPaddrAndPort Identifier - HiLink hogVarIdent Identifier - HiLink hogATAGOpt PreProc - HiLink hogAIPOptVal PreProc - HiLink hogARespOpt PreProc - HiLink hogAReactOpt PreProc - HiLink hogAFlagOpt PreProc - HiLink hogAFragOpt PreProc - HiLink hogCommentTitle PreProc - HiLink hogDBType PreProc - HiLink hogDBSRV PreProc - HiLink hogPort PreProc - HiLink hogARefGrps PreProc - HiLink hogSessionVal PreProc - HiLink hogXMLArg PreProc - HiLink hogARPCOpt PreProc - HiLink hogPatSep Special - HiLink hog7Functions Statement - HiLink hogActStart Statement - HiLink hogIncStart Statement - HiLink hogConfigStart Statement - HiLink hogOutStart Statement - HiLink hogPPrStart Statement - HiLink hogVarStart Statement - HiLink hogRTypeStart Statement - HiLink hogTodo Todo - HiLink hogRuleType Type - HiLink hogAFOpt Type - HiLink hogANoVal Type - HiLink hogAStrOpt Type - HiLink hogANOpt Type - HiLink hogAOpt Type - HiLink hogDBParam Type - HiLink hogStreamArgs Type - HiLink hogOut Type - HiLink hogPPr Type - HiLink hogConfigType Type - HiLink hogActRegion Type - HiLink hogProto Type - HiLink hogXMLParam Type - HiLink resp Todo - HiLink cLabel Label - delcommand HiLink -endif +hi link HogTodo Todo +hi link HogComment Comment +hi link HogString String +hi link HogHexEsc PreProc +hi link HogNumber Number +hi link HogSpecial Constant +hi link HogSpecialAny Constant +hi link HogIPAddr Constant +hi link HogIPCidr Constant +hi link HogOpNot Operator +hi link HogOpRange Operator + +hi link HogRuleAction Statement +hi link HogRuleProto Identifier +hi link HogRuleDir Operator +hi link HogRuleOption Keyword +hi link HogRuleChars String + +hi link HogFileType HogRuleAction +hi link HogFileTypeOpt HogRuleOption +hi link NotASemiColn HogRuleChars let b:current_syntax = "hog" - -" hog: cpw=59