Mercurial > vim

changeset 7188:3ba0f29ba1d1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
commit https://github.com/vim/vim/commit/d7464be9747fcaa8e6210e1f00a3882932df76e2 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Nov 1 16:49:04 2015 +0100 Updated runtime files.
author Christian Brabandt <cb@256bit.org>
date Sun, 01 Nov 2015 17:00:05 +0100
parents 02e493756808
children 0b4387f570ec
files runtime/doc/pi_netrw.txt runtime/doc/todo.txt runtime/ftplugin/hog.vim runtime/indent/hog.vim runtime/syntax/hog.vim
diffstat 5 files changed, 295 insertions(+), 326 deletions(-) [+]
line wrap: on
line diff
--- a/runtime/doc/pi_netrw.txt
+++ b/runtime/doc/pi_netrw.txt
@@ -1,4 +1,4 @@
-*pi_netrw.txt*  For Vim version 7.4.  Last change: 2015 Oct 30
+*pi_netrw.txt*  For Vim version 7.4.  Last change: 2015 Oct 31
 
 	    ------------------------------------------------
 	    NETRW REFERENCE MANUAL    by Charles E. Campbell
@@ -3438,7 +3438,7 @@ 10. Problems and Fixes					*netrw-proble
 	     You probably want netrw running as in a side window.  If so, you
 	     will likely find that ":[N]Lexplore" does what you want.  The
 	     optional "[N]" allows you to select the quantity of columns you
-	     wish the Lexplorer window to start with (see |g:netrw_winsize|
+	     wish the |:Lexplore|r window to start with (see |g:netrw_winsize|
 	     for how this parameter works).
 
 	     Previous solution:
--- a/runtime/doc/todo.txt
+++ b/runtime/doc/todo.txt
@@ -1,4 +1,4 @@
-*todo.txt*      For Vim version 7.4.  Last change: 2015 Oct 30
+*todo.txt*      For Vim version 7.4.  Last change: 2015 Oct 31
 
 
 		  VIM REFERENCE MANUAL	  by Bram Moolenaar
@@ -222,6 +222,9 @@ Is this right?
 Patch to have CTRL-A and CTRL-X update the '[ and '] marks.
 (Yukihiro Nakadaira, 2015 Aug 23)
 
+On MS-Windows viminfo file is always given the hidden attribute? (raulnac,
+2015 Oct 30)
+
 Patch to make getregtype() return the right size for non-linux systems.
 (Yasuhiro Matsumoto, 2014 Jul 8)
 Breaks test_eval.  Inefficient, can we only compute y_width when needed?
new file mode 100644
--- /dev/null
+++ b/runtime/ftplugin/hog.vim
@@ -0,0 +1,39 @@
+" Vim filetype plugin
+" Language:     hog (snort.conf)
+" Maintainer: . Victor Roemer, <vroemer@badsec.org>.
+" Last Change:  Mar 1, 2013
+
+if exists("b:did_ftplugin")
+    finish
+endif
+let b:did_ftplugin = 1
+
+let s:undo_ftplugin = "setl fo< com< cms< def< inc<"
+
+let s:cpo_save = &cpo
+set cpo&vim
+
+setlocal formatoptions=croq
+setlocal comments=:#
+setlocal commentstring=\c#\ %s
+setlocal define=\c^\s\{-}var
+setlocal include=\c^\s\{-}include
+
+" Move around configurations 
+let s:hog_keyword_match = '\c^\s*\<\(preprocessor\\|config\\|output\\|include\\|ipvar\\|portvar\\|var\\|dynamicpreprocessor\\|' . 
+                        \ 'dynamicengine\\|dynamicdetection\\|activate\\|alert\\|drop\\|block\\|dynamic\\|log\\|pass\\|reject\\|sdrop\\|sblock\)\>'
+
+exec "nnoremap <buffer><silent> ]] :call search('" . s:hog_keyword_match . "', 'W' )<CR>"
+exec "nnoremap <buffer><silent> [[ :call search('" . s:hog_keyword_match . "', 'bW' )<CR>"
+
+if exists("loaded_matchit")
+    let b:match_words =
+                  \ '^\s*\<\%(preprocessor\|config\|output\|include\|ipvar\|portvar' . 
+                  \ '\|var\|dynamicpreprocessor\|dynamicengine\|dynamicdetection' . 
+                  \ '\|activate\|alert\|drop\|block\|dynamic\|log\|pass\|reject' . 
+                  \ '\|sdrop\|sblock\>\):$,\::\,:;'
+    let b:match_skip = 'r:\\.\{-}$\|^\s*#.\{-}$\|^\s*$'
+endif
+
+let &cpo = s:cpo_save
+unlet s:cpo_save
new file mode 100644
--- /dev/null
+++ b/runtime/indent/hog.vim
@@ -0,0 +1,77 @@
+" Vim indent file
+" Language:     hog (Snort.conf)
+" Maintainer:   Victor Roemer, <vroemer@badsec.org>
+" Last Change:  Mar 7, 2013
+
+" Only load this indent file when no other was loaded.
+if exists("b:did_indent")
+    finish
+endif
+let b:did_indent = 1
+let b:undo_indent = 'setlocal smartindent< indentexpr< indentkeys<'
+
+setlocal nosmartindent
+setlocal indentexpr=GetHogIndent()
+setlocal indentkeys+=!^F,o,O,0#
+
+" Only define the function once.
+if exists("*GetHogIndent")
+    finish
+endif
+
+let s:cpo_save = &cpo
+set cpo&vim
+
+let s:syn_blocks = '\<SnortRuleTypeBody\>'
+
+function s:IsInBlock(lnum)
+    return synIDattr(synID(a:lnum, 1, 1), 'name') =~ s:syn_blocks 
+endfunction
+
+function GetHogIndent()
+    let prevlnum = prevnonblank(v:lnum-1)
+
+    " Comment blocks have identical indent
+    if getline(v:lnum) =~ '^\s*#' && getline(prevlnum) =~ '^\s*#'
+            return indent(prevlnum)
+    endif
+
+    " Ignore comment lines when calculating indent
+    while getline(prevlnum) =~ '^\s*#'
+        let prevlnum = prevnonblank(prevlnum-1)
+        if !prevlnum
+            return previndent
+        endif
+    endwhile
+
+    " Continuation of a line that wasn't indented
+    let prevline = getline(prevlnum)
+    if prevline =~ '^\k\+.*\\\s*$'
+        return &sw 
+    endif
+
+    " Continuation of a line that was indented
+    if prevline =~ '\k\+.*\\\s*$'
+        return indent(prevlnum)
+    endif
+
+    " Indent the next line if previous line contained a start of a block
+    " definition ('{' or '(').
+    if prevline =~ '^\k\+[^#]*{}\@!\s*$' " TODO || prevline =~ '^\k\+[^#]*()\@!\s*$'
+        return &sw
+    endif
+
+    " Match inside of a block
+    if s:IsInBlock(v:lnum)
+        if prevline =~ "^\k\+.*$"
+            return &sw
+        else
+            return indent(prevlnum)
+        endif
+    endif
+
+    return 0 
+endfunction
+
+let &cpo = s:cpo_save
+unlet s:cpo_save
--- a/runtime/syntax/hog.vim
+++ b/runtime/syntax/hog.vim
@@ -1,350 +1,200 @@
-" Snort syntax file
-" Language:	  Snort Configuration File (see: http://www.snort.org)
-" Maintainer:	  Phil Wood, cornett@arpa.net
-" Last Change:	  $Date: 2004/06/13 17:41:17 $
-" Filenames:	  *.hog *.rules snort.conf vision.conf
-" URL:		  http://home.lanl.gov/cpw/vim/syntax/hog.vim
-" Snort Version:  1.8 By Martin Roesch (roesch@clark.net, www.snort.org)
-" TODO		  include all 1.8 syntax
+" Vim syntax file
+" Language: hog (Snort.conf + .rules)
+" Maintainer: Victor Roemer, <vroemer@badsec.org>.
+" Last Change: 2015 Oct 24  -> Rename syntax items from Snort -> Hog
+"              2012 Oct 24  -> Originalish release
 
-" For version 5.x: Clear all syntax items
 if version < 600
-   syntax clear
+    syntax clear
 elseif exists("b:current_syntax")
-" For version 6.x: Quit when a syntax file was already loaded
-   finish
+    finish
 endif
 
-syn match  hogComment	+\s\#[^\-:.%#=*].*$+lc=1	contains=hogTodo,hogCommentString
-syn region hogCommentString contained oneline start='\S\s\+\#+'ms=s+1 end='\#'
+setlocal iskeyword-=:
+setlocal iskeyword+=-
+syn case ignore
 
-syn match   hogJunk "\<\a\+|\s\+$"
-syn match   hogNumber contained	"\<\d\+\>"
-syn region  hogText contained oneline start='\S' end=',' skipwhite
-syn region  hogTexts contained oneline start='\S' end=';' skipwhite
+" Hog ruletype crap
+syn keyword     HogRuleType       ruletype nextgroup=HogRuleTypeName skipwhite
+syn match       HogRuleTypeName   "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite
+syn region      HogRuleTypeBody   start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold
+syn keyword     HogRuleTypeType   type contained
 
-" Environment Variables
-" =====================
-"syn match hogEnvvar contained	"[\!]\=\$\I\i*"
-"syn match hogEnvvar contained	"[\!]\=\${\I\i*}"
-syn match hogEnvvar contained	"\$\I\i*"
-syn match hogEnvvar contained	"[\!]\=\${\I\i*}"
+" Hog Configurables
+syn keyword     HogPreproc    preprocessor nextgroup=HogConfigName skipwhite
+syn keyword     HogConfig     config nextgroup=HogConfigName skipwhite
+syn keyword     HogOutput     output nextgroup=HogConfigName skipwhite
+syn match       HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite
+syn region      HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment
 
+" Event filter's and threshold's
+syn region      HogEvFilter         start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment
+syn keyword     HogEvFilterKeyword  skipwhite event_filter threshold
+syn keyword     HogEvFilterOptions  skipwhite type nextgroup=HogEvFilterTypes
+syn keyword     HogEvFilterTypes    skipwhite limit threshold both contained
+syn keyword     HogEvFilterOptions  skipwhite track nextgroup=HogEvFilterTrack
+syn keyword     HogEvFilterTrack    skipwhite by_src by_dst contained
+syn keyword     HogEvFilterOptions  skipwhite gen_id sig_id count seconds nextgroup=HogNumber
 
-" String handling lifted from vim.vim written by Dr. Charles E. Campbell, Jr.
-" Try to catch strings, if nothing else matches (therefore it must precede the others!)
-" vmEscapeBrace handles ["]  []"] (ie. stays as string)
-syn region       hogEscapeBrace   oneline contained transparent     start="[^\\]\(\\\\\)*\[\^\=\]\=" skip="\\\\\|\\\]" end="\]"me=e-1
-syn match	 hogPatSep	  contained	   "\\[|()]"
-syn match	 hogNotPatSep	  contained	   "\\\\"
-syn region	 hogString	  oneline	   start=+[^:a-zA-Z\->!\\]"+hs=e+1 skip=+\\\\\|\\"+ end=+"\s*;+he=s-1		     contains=hogEscapeBrace,hogPatSep,hogNotPatSep oneline
-""syn region	   hogString	    oneline	     start=+[^:a-zA-Z>!\\]'+lc=1 skip=+\\\\\|\\'+ end=+'+		 contains=hogEscapeBrace,vimPatSep,hogNotPatSep
-"syn region	  hogString	   oneline	    start=+=!+lc=1   skip=+\\\\\|\\!+ end=+!+				contains=hogEscapeBrace,hogPatSep,hogNotPatSep
-"syn region	  hogString	   oneline	    start="=+"lc=1   skip="\\\\\|\\+" end="+"				contains=hogEscapeBrace,hogPatSep,hogNotPatSep
-"syn region	  hogString	   oneline	    start="[^\\]+\s*[^a-zA-Z0-9.]"lc=1 skip="\\\\\|\\+" end="+"		contains=hogEscapeBrace,hogPatSep,hogNotPatSep
-"syn region	  hogString	   oneline	    start="\s/\s*\A"lc=1 skip="\\\\\|\\+" end="/"			contains=hogEscapeBrace,hogPatSep,hogNotPatSep
-"syn match	  hogString	   contained	    +"[^"]*\\$+      skipnl nextgroup=hogStringCont
-"syn match	  hogStringCont    contained	    +\(\\\\\|.\)\{-}[^\\]"+
+" Suppressions
+syn region      HogEvFilter         start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment
+syn keyword     HogSuppressKeyword  skipwhite suppress
+syn keyword     HogSuppressOptions  skipwhite gen_id sig_id nextgroup=HogNumber
+syn keyword     HogSuppressOptions  skipwhite track nextgroup=HogEvFilterTrack
+syn keyword     HogSuppressOptions  skipwhite ip nextgroup=HogIPAddr
+
+" Attribute table
+syn keyword     HogAttribute        attribute_table nextgroup=HogAttributeFile
+syn match       HogAttributeFile    contained ".*$" contains=HogVar,HogAttributeType,HogComment
+syn keyword     HogAttributeType    filename
 
+" Hog includes
+syn keyword     HogInclude    include nextgroup=HogIncludeFile skipwhite
+syn match       HogIncludeFile ".*$" contained contains=HogVar,HogComment
 
-" Beginners - Patterns that involve ^
-"
-syn match  hogLineComment	+^[ \t]*#.*$+	contains=hogTodo,hogCommentString,hogCommentTitle
-syn match  hogCommentTitle	'#\s*\u\a*\(\s\+\u\a*\)*:'ms=s+1 contained
-syn keyword hogTodo contained	TODO
+" Hog dynamic libraries
+syn keyword     HogDylib      dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite
+syn match       HogDylibFile  "\s.*$" contained contains=HogVar,HogDylibType,HogComment
+syn keyword     HogDylibType  directory file contained
+
+" Variable dereferenced with '$'
+syn match       HogVar        "\$[[:alnum:]_]\+"
+
+", Variables declared with 'var'
+syn keyword     HogVarType    var nextgroup=HogVarSet skipwhite
+syn match       HogVarSet     "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite
+syn match       HogVarValue   ".*$" contained contains=HogString,HogNumber,HogVar,HogComment
 
-" Rule keywords
-syn match   hogARPCOpt contained "\d\+,\*,\*"
-syn match   hogARPCOpt contained "\d\+,\d\+,\*"
-syn match   hogARPCOpt contained "\d\+,\*,\d\+"
-syn match   hogARPCOpt contained "\d\+,\d\+,\d"
-syn match   hogATAGOpt contained "session"
-syn match   hogATAGOpt contained "host"
-syn match   hogATAGOpt contained "dst"
-syn match   hogATAGOpt contained "src"
-syn match   hogATAGOpt contained "seconds"
-syn match   hogATAGOpt contained "packets"
-syn match   hogATAGOpt contained "bytes"
-syn keyword hogARespOpt contained rst_snd rst_rcv rst_all skipwhite
-syn keyword hogARespOpt contained icmp_net icmp_host icmp_port icmp_all skipwhite
-syn keyword hogAReactOpt contained block warn msg skipwhite
-syn match   hogAReactOpt contained "proxy\d\+" skipwhite
-syn keyword hogAFOpt contained logto content_list skipwhite
-syn keyword hogAIPOptVal contained  eol nop ts sec lsrr lsrre satid ssrr rr skipwhite
-syn keyword hogARefGrps contained arachnids skipwhite
-syn keyword hogARefGrps contained bugtraq skipwhite
-syn keyword hogARefGrps contained cve skipwhite
-syn keyword hogSessionVal contained  printable all skipwhite
-syn match   hogAFlagOpt contained "[0FSRPAUfsrpau21]\+" skipwhite
-syn match   hogAFragOpt contained "[DRMdrm]\+" skipwhite
-"
-" Output syslog options
-" Facilities
-syn keyword hogSysFac contained LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_LOCAL0
-syn keyword hogSysFac contained LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4
-syn keyword hogSysFac contained LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_USER
-" Priorities
-syn keyword hogSysPri contained LOG_EMERG ALERT LOG_CRIT LOG_ERR
-syn keyword hogSysPri contained LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
-" Options
-syn keyword hogSysOpt contained LOG_CONS LOG_NDELAY LOG_PERROR
-syn keyword hogSysOpt contained LOG_PID
-" RuleTypes
-syn keyword hogRuleType contained log pass alert activate dynamic
+" Variables declared with 'ipvar'
+syn keyword     HogIPVarType  ipvar nextgroup=HogIPVarSet skipwhite
+syn match       HogIPVarSet   "[[:alnum:]_]\+" display contained nextgroup=HogIPVarList,HogSpecial skipwhite
+syn region      HogIPVarList  start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot
+
+" Variables declared with 'portvar'
+syn keyword     HogPortVarType portvar nextgroup=HogPortVarSet skipwhite
+syn match       HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite
+syn region      HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot
+syn match       HogPort       "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange
 
-" Output log_database arguments and parameters
-" Type of database followed by ,
-" syn keyword hogDBSQL contained mysql postgresql unixodbc
-" Parameters param=constant
-" are just various constants assigned to parameter names
-
-" Output log_database arguments and parameters
-" Type of database followed by ,
-syn keyword hogDBType contained alert log
-syn keyword hogDBSRV contained mysql postgresql unixodbc
-" Parameters param=constant
-" are just various constants assigned to parameter names
-syn keyword hogDBParam contained dbname host port user password sensor_name
+" Generic stuff
+syn match       HogIPAddr     contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr
+syn match       HogIPAddr     contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr
+syn match       HogIPCidr     contained "\/\([0-2][0-9]\=\|3[0-2]\=\)"
+syn region      HogHexEsc     contained start='|' end='|' oneline
+syn region      HogString     contained start='"' end='"' extend oneline contains=HogHexEsc
+syn match       HogNumber     contained display "\<\d\+\>"
+syn match       HogNumber     contained display "\<\d\+\>"
+syn match       HogNumber     contained display "0x\x\+\>"
+syn keyword     HogSpecial    contained true false yes no default all any
+syn keyword     HogSpecialAny contained any
+syn match       HogOpNot      "!" contained
+syn match       HogOpRange    ":" contained
 
-" Output xml arguments and parameters
-" xml args
-syn keyword hogXMLArg  contained log alert
-syn keyword hogXMLParam contained file protocol host port cert key ca server sanitize encoding detail
-"
-" hog rule handler '(.*)'
-syn region  hogAOpt contained oneline start="rpc" end=":"me=e-1 nextgroup=hogARPCOptGrp skipwhite
-syn region  hogARPCOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogARPCOpt skipwhite
-
-syn region  hogAOpt contained oneline start="tag" end=":"me=e-1 nextgroup=hogATAGOptGrp skipwhite
-syn region  hogATAGOptGrp contained oneline start="."hs=s+1 skip="," end=";"me=e-1 contains=hogATAGOpt,hogNumber skipwhite
-"
-syn region  hogAOpt contained oneline start="nocase\|sameip" end=";"me=e-1 skipwhite oneline keepend
-"
-syn region  hogAOpt contained start="resp" end=":"me=e-1 nextgroup=hogARespOpts skipwhite
-syn region  hogARespOpts contained oneline start="." end="[,;]" contains=hogARespOpt skipwhite nextgroup=hogARespOpts
-"
-syn region  hogAOpt contained start="react" end=":"me=e-1 nextgroup=hogAReactOpts skipwhite
-syn region  hogAReactOpts contained oneline start="." end="[,;]" contains=hogAReactOpt skipwhite nextgroup=hogAReactOpts
-
-syn region  hogAOpt contained oneline start="depth\|seq\|ttl\|ack\|icmp_seq\|activates\|activated_by\|dsize\|icode\|icmp_id\|count\|itype\|tos\|id\|offset" end=":"me=e-1 nextgroup=hogANOptGrp skipwhite
-syn region  hogANOptGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogNumber skipwhite oneline keepend
-
-syn region  hogAOpt contained oneline start="classtype" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
-
-syn region  hogAOpt contained oneline start="regex\|msg\|content" end=":"me=e-1 nextgroup=hogAStrGrp skipwhite
-"syn region  hogAStrGrp contained oneline start=+:\s*"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
-syn region  hogAStrGrp contained oneline start=+:\s*"\|:"+hs=s+1 skip="\\;" end=+"\s*;+he=s-1 contains=hogString skipwhite oneline keepend
+" Rules
+syn keyword     HogRuleAction     activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock
+syn keyword     HogRuleProto      ip tcp udp icmp skipwhite contained nextgroup=HogRuleSrcIP
+syn match       HogRuleSrcIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort
+syn match       HogRuleSrcPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir
+syn match       HogRuleDir        "->\|<>" skipwhite contained nextgroup=HogRuleDstIP
+syn match       HogRuleDstIP      "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort
+syn match       HogRuleDstPort    "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock
+syn region      HogRuleBlock      start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold
+",HogString,HogComment,HogVar,HogOptNot
+"syn region      HogRuleOption     start="\<gid\|sid\|rev\|depth\|offset\|distance\|within\>" end="\ze;" skipwhite contained contains=HogNumber
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata content nocase rawbytes
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pcre pkt_data file_data base64_decode base64_data
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter
+syn keyword     HogRuleOption   skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group
 
-syn region  hogAOpt contained oneline start="logto\|content-list" end=":"me=e-1 nextgroup=hogAFileGrp skipwhite
-syn region  hogAFileGrp contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogFileName skipwhite
-
-syn region  hogAOpt contained oneline start="reference" end=":"me=e-1 nextgroup=hogARefGrp skipwhite
-syn region  hogARefGrp contained oneline start="."hs=s+1 end=","me=e-1 contains=hogARefGrps nextgroup=hogARefName skipwhite
-syn region  hogARefName contained oneline start="."hs=s+1 end=";"me=e-1 contains=hogString,hogFileName,hogNumber skipwhite
-
-syn region  hogAOpt contained oneline start="flags" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend
-
-syn region  hogAOpt contained oneline start="fragbits" end=":"he=s-1 nextgroup=hogAFlagOpt skipwhite oneline keepend
-
-syn region  hogAOpt contained oneline start="ipopts" end=":"he=s-1 nextgroup=hogAIPOptVal skipwhite oneline keepend
-
-"syn region  hogAOpt contained oneline start="." end=":"he=s-1 contains=hogAFOpt nextgroup=hogFileName skipwhite
+syn region      HogRuleSROP     start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber
+syn match       HogRuleChars    "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained
+syn match       HogURLChars     "\%(\.\|?\|=\)\+" contained
 
-syn region  hogAOpt contained oneline start="session" end=":"he=s-1 nextgroup=hogSessionVal skipwhite
-
-syn match   nothing  "$"
-syn region  hogRules oneline  contains=nothing start='$' end="$"
-syn region  hogRules oneline  contains=hogRule start='('ms=s+1 end=")\s*$" skipwhite
-syn region  hogRule  contained oneline start="." skip="\\;" end=";"he=s-1 contains=hogAOpts, skipwhite keepend
-"syn region  hogAOpts contained oneline start="." end="[;]"he=s-1 contains=hogAOpt skipwhite
-syn region  hogAOpts contained oneline start="." end="[;]"me=e-1 contains=hogAOpt skipwhite
-
-
-" ruletype command
-syn keyword hogRTypeStart skipwhite ruletype nextgroup=hogRuleName skipwhite
-syn region  hogRuleName  contained  start="." end="\s" contains=hogFileName  nextgroup=hogRTypeRegion
-" type ruletype sub type
-syn region hogRtypeRegion contained start="{" end="}" nextgroup=hogRTypeStart
-syn keyword hogRTypeStart skipwhite type nextgroup=hogRuleTypes skipwhite
-syn region  hogRuleTypes  contained  start="." end="\s" contains=hogRuleType nextgroup=hogOutStart
+" Hog File Type Rules
+syn match       HogFileType   /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP
+syn keyword     HogFileTypeOpt  skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group 
+syn region      HogFileFROP  start=':' end=";" transparent keepend contained contains=NotASemicoln
+syn match       NotASemiColn   ".*$" contained
 
 
-" var command
-syn keyword hogVarStart skipwhite var nextgroup=hogVarIdent skipwhite
-syn region  hogVarIdent contained  start="."hs=e+1 end="\s\+"he=s-1 contains=hogEnvvar nextgroup=hogVarRegion skipwhite
-syn region  hogVarRegion  contained  oneline  start="." contains=hogIPaddr,hogEnvvar,hogNumber,hogString,hogFileName end="$"he=s-1 keepend skipwhite
+" Comments
+syn keyword HogTodo   XXX TODO NOTE contained
+syn match   HogTodo   "Step\s\+#\=\d\+" contained
+syn region HogComment start="#" end="$" contains=HogTodo,@Spell
 
-" config command
-syn keyword hogConfigStart config skipwhite nextgroup=hogConfigType
-syn match hogConfigType contained "\<classification\>" nextgroup=hogConfigTypeRegion skipwhite
-syn region  hogConfigTypeRegion contained oneline	start=":"ms=s+1 end="$" contains=hogNumber,hogText keepend skipwhite
-
-
-" include command
-syn keyword hogIncStart	include  skipwhite nextgroup=hogIncRegion
-syn region  hogIncRegion  contained  oneline  start="\>" contains=hogFileName,hogEnvvar end="$" keepend
+syn case match
 
-" preprocessor command
-" http_decode, minfrag, portscan[-ignorehosts]
-syn keyword hogPPrStart	preprocessor  skipwhite nextgroup=hogPPr
-syn match hogPPr   contained  "\<spade\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-homenet\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-threshlearn\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-adapt\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-adapt2\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-adapt3\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<spade-survey\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<defrag\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<telnet_decode\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<rpc_decode\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<bo\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<stream\>" nextgroup=hogStreamRegion skipwhite
-syn match hogPPr   contained  "\<stream2\>" nextgroup=hogStreamRegion skipwhite
-syn match hogPPr   contained  "\<stream3\>" nextgroup=hogStreamRegion skipwhite
-syn match hogPPr   contained  "\<http_decode\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr   contained  "\<minfrag\>" nextgroup=hogPPrRegion skipwhite
-syn match hogPPr     contained "\<portscan[-ignorehosts]*\>" nextgroup=hogPPrRegion skipwhite
-syn region  hogPPrRegion contained oneline	start="$" end="$" keepend
-syn region  hogPPrRegion contained oneline	start=":" end="$" contains=hogNumber,hogIPaddr,hogEnvvar,hogFileName keepend
-syn keyword hogStreamArgs contained timeout ports maxbytes
-syn region hogStreamRegion contained oneline start=":" end="$" contains=hogStreamArgs,hogNumber
+if !exists("hog_minlines")
+    let hog_minlines = 100
+endif
+exec "syn sync minlines=" . hog_minlines
+
+hi link HogRuleType           Statement
+hi link HogRuleTypeName       Type
+hi link HogRuleTypeType       Keyword
 
-" output command
-syn keyword hogOutStart	output  nextgroup=hogOut skipwhite
-"
-" alert_syslog
-syn match hogOut   contained  "\<alert_syslog\>" nextgroup=hogSyslogRegion skipwhite
-syn region hogSyslogRegion  contained start=":" end="$" contains=hogSysFac,hogSysPri,hogSysOpt,hogEnvvar oneline skipwhite keepend
-"
-" alert_fast (full,smb,unixsock, and tcpdump)
-syn match hogOut   contained  "\<alert_fast\|alert_full\|alert_smb\|alert_unixsock\|log_tcpdump\>" nextgroup=hogLogFileRegion skipwhite
-syn region hogLogFileRegion  contained start=":" end="$" contains=hogFileName,hogEnvvar oneline skipwhite keepend
-"
-" database
-syn match hogOut  contained "\<database\>" nextgroup=hogDBTypes skipwhite
-syn region hogDBTypes contained start=":" end="," contains=hogDBType,hogEnvvar nextgroup=hogDBSRVs skipwhite
-syn region hogDBSRVs contained start="\s\+" end="," contains=hogDBSRV nextgroup=hogDBParams skipwhite
-syn region hogDBParams contained start="." end="="me=e-1 contains=hogDBParam  nextgroup=hogDBValues
-syn region hogDBValues contained start="." end="\>" contains=hogNumber,hogEnvvar,hogAscii nextgroup=hogDBParams oneline skipwhite
-syn match hogAscii contained "\<\a\+"
-"
-" log_tcpdump
-syn match hogOut   contained  "\<log_tcpdump\>" nextgroup=hogLogRegion skipwhite
-syn region  hogLogRegion  oneline	start=":" skipwhite end="$" contains=hogEnvvar,hogFileName keepend
-"
-" xml
-syn keyword hogXMLTrans contained http https tcp iap
-syn match hogOut     contained "\<xml\>" nextgroup=hogXMLRegion skipwhite
-syn region hogXMLRegion contained start=":" end="," contains=hogXMLArg,hogEnvvar nextgroup=hogXMLParams skipwhite
-"syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLProto nextgroup=hogXMLProtos
-"syn region hogXMLProtos contained start="." end="\>" contains=hogXMLTrans nextgroup=hogXMLParams
-syn region hogXMLParams contained start="." end="="me=e-1 contains=hogXMLParam  nextgroup=hogXMLValue
-syn region hogXMLValue contained start="." end="\>" contains=hogNumber,hogIPaddr,hogEnvvar,hogAscii,hogFileName nextgroup=hogXMLParams oneline skipwhite keepend
-"
-" Filename
-syn match   hogFileName  contained "[-./[:alnum:]_~]\+"
-syn match   hogFileName  contained "[-./[:alnum:]_~]\+"
-" IP address
-syn match   hogIPaddr   "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
-syn match   hogIPaddr   "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>"
+hi link HogPreproc            Statement
+hi link HogConfig             Statement
+hi link HogOutput             Statement
+hi link HogConfigName         Type
 
-syn keyword hogProto	tcp TCP ICMP icmp udp UDP
+"hi link HogEvFilter
+hi link HogEvFilterKeyword    Statement
+hi link HogSuppressKeyword    Statement
+hi link HogEvFilterTypes      Constant
+hi link HogEvFilterTrack      Constant
+
+hi link HogAttribute          Statement
+hi link HogAttributeFile      String
+hi link HogAttributeType      Statement
+
+hi link HogInclude            Statement
+hi link HogIncludeFile        String
 
-" hog alert address port pairs
-" hog IPaddresses
-syn match   hogIPaddrAndPort contained	"\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>" skipwhite			nextgroup=hogPort
-syn match   hogIPaddrAndPort contained	"\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/\d\{1,2}\>" skipwhite		nextgroup=hogPort
-syn match   hogIPaddrAndPort contained "\<any\>" skipwhite nextgroup=hogPort
-syn match hogIPaddrAndPort contained	 "\$\I\i*" nextgroup=hogPort skipwhite
-syn match hogIPaddrAndPort contained     "\${\I\i*}" nextgroup=hogPort skipwhite
-"syn match   hogPort contained "[\!]\=[\:]\=\d\+L\=\>" skipwhite
-syn match   hogPort contained "[\:]\=\d\+\>"
-syn match   hogPort contained "[\!]\=\<any\>" skipwhite
-syn match   hogPort contained "[\!]\=\d\+L\=:\d\+L\=\>" skipwhite
+hi link HogDylib              Statement
+hi link HogDylibType          Statement
+hi link HogDylibFile          String
 
-" action commands
-syn keyword hog7Functions activate skipwhite nextgroup=hogActRegion
-syn keyword hog7Functions dynamic skipwhite nextgroup=hogActRegion
-syn keyword hogActStart alert skipwhite nextgroup=hogActRegion
-syn keyword hogActStart log skipwhite nextgroup=hogActRegion
-syn keyword hogActStart pass skipwhite nextgroup=hogActRegion
-
-syn region hogActRegion contained oneline start="tcp\|TCP\|udp\|UDP\|icmp\|ICMP" end="\s\+"me=s-1 nextgroup=hogActSource oneline keepend skipwhite
-syn region hogActSource contained oneline contains=hogIPaddrAndPort start="\s\+"ms=e+1 end="->\|<>"me=e-2  oneline keepend skipwhite nextgroup=hogActDest
-syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="$"  oneline keepend
-syn region hogActDest contained oneline contains=hogIPaddrAndPort start="->\|<>" end="("me=e-1  oneline keepend skipwhite nextgroup=hogRules
-
+" Variables
+" var
+hi link HogVar                Identifier
+hi link HogVarType            Keyword
+hi link HogVarSet             Identifier
+hi link HogVarValue           String
+" ipvar
+hi link HogIPVarType          Keyword
+hi link HogIPVarSet           Identifier
+" portvar
+hi link HogPortVarType         Keyword
+hi link HogPortVarSet          Identifier
+hi link HogPort                Constant
 
-" ====================
-if version >= 508 || !exists("did_hog_syn_inits")
-  if version < 508
-    let did_hog_syn_inits = 1
-    command -nargs=+ HiLink hi link <args>
-  else
-    command -nargs=+ HiLink hi def link <args>
-  endif
-" The default methods for highlighting.  Can be overridden later
-  HiLink hogComment		Comment
-  HiLink hogLineComment		Comment
-  HiLink hogAscii		Constant
-  HiLink hogCommentString	Constant
-  HiLink hogFileName		Constant
-  HiLink hogIPaddr		Constant
-  HiLink hogNotPatSep		Constant
-  HiLink hogNumber		Constant
-  HiLink hogText		Constant
-  HiLink hogString		Constant
-  HiLink hogSysFac		Constant
-  HiLink hogSysOpt		Constant
-  HiLink hogSysPri		Constant
-"  HiLink hogAStrGrp		Error
-  HiLink hogJunk		Error
-  HiLink hogEnvvar		Identifier
-  HiLink hogIPaddrAndPort	Identifier
-  HiLink hogVarIdent		Identifier
-  HiLink hogATAGOpt		PreProc
-  HiLink hogAIPOptVal		PreProc
-  HiLink hogARespOpt		PreProc
-  HiLink hogAReactOpt		PreProc
-  HiLink hogAFlagOpt		PreProc
-  HiLink hogAFragOpt		PreProc
-  HiLink hogCommentTitle	PreProc
-  HiLink hogDBType		PreProc
-  HiLink hogDBSRV		PreProc
-  HiLink hogPort		PreProc
-  HiLink hogARefGrps		PreProc
-  HiLink hogSessionVal		PreProc
-  HiLink hogXMLArg		PreProc
-  HiLink hogARPCOpt		PreProc
-  HiLink hogPatSep		Special
-  HiLink hog7Functions		Statement
-  HiLink hogActStart		Statement
-  HiLink hogIncStart		Statement
-  HiLink hogConfigStart		Statement
-  HiLink hogOutStart		Statement
-  HiLink hogPPrStart		Statement
-  HiLink hogVarStart		Statement
-  HiLink hogRTypeStart		Statement
-  HiLink hogTodo		Todo
-  HiLink hogRuleType		Type
-  HiLink hogAFOpt		Type
-  HiLink hogANoVal		Type
-  HiLink hogAStrOpt		Type
-  HiLink hogANOpt		Type
-  HiLink hogAOpt		Type
-  HiLink hogDBParam		Type
-  HiLink hogStreamArgs		Type
-  HiLink hogOut			Type
-  HiLink hogPPr			Type
-  HiLink  hogConfigType		Type
-  HiLink hogActRegion		Type
-  HiLink hogProto		Type
-  HiLink hogXMLParam		Type
-  HiLink resp			Todo
-  HiLink cLabel			Label
-  delcommand HiLink
-endif
+hi link HogTodo               Todo
+hi link HogComment            Comment
+hi link HogString             String
+hi link HogHexEsc             PreProc
+hi link HogNumber             Number
+hi link HogSpecial            Constant
+hi link HogSpecialAny         Constant
+hi link HogIPAddr             Constant
+hi link HogIPCidr             Constant
+hi link HogOpNot              Operator
+hi link HogOpRange            Operator
+
+hi link HogRuleAction         Statement
+hi link HogRuleProto          Identifier
+hi link HogRuleDir            Operator
+hi link HogRuleOption         Keyword
+hi link HogRuleChars           String 
+
+hi link HogFileType    HogRuleAction
+hi link HogFileTypeOpt HogRuleOption
+hi link NotASemiColn     HogRuleChars
 
 let b:current_syntax = "hog"
-
-" hog: cpw=59