
@colematt
Created February 14, 2025 20:23
[Snort User Defined Language Schema] #snort #npp

Snort User Defined Language (UDL) in Notepad++ [1]

I recently created a Snort “User Defined Language” in Notepad++ and wanted to share the schema, what it looks like, and the steps necessary to create it.

To start, if not already done, download and install Notepad++ from the Notepad++ website. It does not matter which package you choose, so long as you remember where it is installed and/or where you placed the install folder.

Next, for the Snort parser to work, you will need to install UDL2. The download consists of two files (Notepad2++.exe and SciLexer2.dll), which need to be placed in your Notepad++ install directory. UDL2 adds the following nice (if not must-have) features, among others:

  • Operators can now be longer than one character; the standard version limits them to one.
  • There can now be up to 8 delimiters, compared to 3 in the standard version.
  • The same characters can be used as both comments and operators.

Once the above is completed, open Notepad2++.exe; you will find four tabs to fill out: “Folder & Default”, “Keyword Lists”, “Comment & Number”, and “Operators & Delimiters”. If you want to create a new UDL, you’ll need to dig through the documentation for the applicable language to find the proper keywords. Not too hard, really. In my case I used the Snort (2.9.2) documentation.

With Snort you don’t need to worry about setting an associated file extension; for other custom languages, however, you will likely want to set one. Don’t worry about saving, either: the application writes changes to the userDefineLang.xml file automatically and will auto-save when it is closed.

If you want to install the Snort language parser as provided in this post, simply copy the XML, save it to a file called “userDefineLang.xml” and place it in your %APPDATA%\Notepad++ directory (or the “npp” folder if you downloaded the .zip package). If other custom languages are already installed you’ll need to merge the XML files; however, if you have more than one installed, you probably like doing things like merging XML files anyway.
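As an added example (not code from the gist, from Caleb Jaren or from Notepad++), the script below parses a trimmed, constructed copy of this userDefineLang.xml, tokenizes a constructed Snort rule according to the definition's comment, delimiter, operator and keyword entries, and lists the rule options that Keywords3 would leave unstyled. The precedence it applies (line comment, then delimiters, then operators, then words) is an assumption that approximates rather than reproduces the UDL2 lexer.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the gist's userDefineLang.xml, constructed for this example:
# only the lists the tokenizer reads, with Keywords3 cut down to a small subset.
UDL_XML = """<NotepadPlus><UserLang name="Snort" ext="" udlVersion="2.0"><KeywordLists>
<Keywords name="Comments" id="0">03 04 00# 01 02</Keywords>
<Keywords name="Operators1" id="5">- &quot; ( ) , : ; | &lt; &gt;</Keywords>
<Keywords name="Keywords1" id="16">alert log pass activate dynamic drop reject sdrop tcp ip udp icmp</Keywords>
<Keywords name="Keywords2" id="17">$EXTERNAL_NET $HOME_NET $HTTP_PORTS</Keywords>
<Keywords name="Keywords3" id="18">msg sid rev classtype content nocase flow http_uri pcre urilen</Keywords>
<Keywords name="Delimiters" id="24">00| 01 02| 03&quot; 04 05&quot; 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23</Keywords>
</KeywordLists></UserLang></NotepadPlus>"""
# Constructed rule; sd_pattern is deliberately absent from the Keywords3 list above.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED"; flow:to_server,established; '
        'content:"|2E 2E 2F|"; http_uri; nocase; sd_pattern:2,credit_card; classtype:web-application-attack; '
        'sid:1000001; rev:1;)  # constructed')
KW_LISTS = ("Keywords1", "Keywords2", "Keywords3")

def parse_udl(xml_text):
    """Pull the lists a lexer needs out of a UDL2 definition. Positional lists
    ('Comments', 'Delimiters') hold 'NNtext' tokens: a 2-digit slot, then the text."""
    lists = {k.get("name"): (k.text or "").split() for k in ET.fromstring(xml_text).iter("Keywords")}
    com = {t[:2]: t[2:] for t in lists["Comments"]}    # slot 00 = line-comment opener
    dl = {t[:2]: t[2:] for t in lists["Delimiters"]}   # slots 3k, 3k+2 = delimiter k+1 open, close
    delims = [(dl[f"{i:02d}"], dl[f"{i + 2:02d}"]) for i in range(0, 24, 3)
              if dl.get(f"{i:02d}") and dl.get(f"{i + 2:02d}")]
    return {"line_comment": com.get("00", ""), "delims": delims,
            "operators": set(lists["Operators1"]) | set(lists.get("Operators2", [])),
            "kw": {n: set(lists[n]) for n in KW_LISTS}}

def tokenize(rule, udl):
    """(style, text) pairs named after the UDL's WordsStyle entries; one combined regex
    tried left to right: line comment, then delimiters, then operators, then words."""
    parts = [rf"(?P<LINE_COMMENTS>{re.escape(udl['line_comment'])}.*)"] if udl["line_comment"] else []
    for k, (o, c) in enumerate(udl["delims"], 1):      # unterminated delimiter runs to end of line
        parts.append(rf"(?P<DELIMITERS{k}>{re.escape(o)}.*?(?:{re.escape(c)}|$))")
    ops = "|".join(map(re.escape, sorted(udl["operators"], key=len, reverse=True)))  # longest first
    parts += [rf"(?P<OPERATORS>{ops})", r"(?P<WORD>[\w$]+|\S)"]
    tokens = []
    for m in re.finditer("|".join(parts), rule):
        style, text = m.lastgroup.replace("_", " "), m.group(0)
        if style == "WORD":                              # bare word: keyword list, number, or default
            style = next((n.upper() for n in KW_LISTS if text in udl["kw"][n]),
                         "NUMBERS" if text.isdigit() else "DEFAULT")
        tokens.append((style, text))
    return tokens

def unhighlighted_options(rule, udl):
    """Option names (the word right after '(' or ';') that Keywords3 does not cover."""
    toks = tokenize(rule, udl)
    start = next((j for j, (_, t) in enumerate(toks) if t == "("), len(toks))
    missing, expect_name = [], True
    for style, text in toks[start + 1:]:
        if expect_name and style in ("DEFAULT", "KEYWORDS1", "KEYWORDS2"):
            missing.append(text)
        expect_name = (style, text) == ("OPERATORS", ";")
    return missing
```

Feeding the full Keywords3 from the file you actually install, and the rules you actually write, turns this into a quick check for options the colouring will miss.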

Footnotes

  1. This writeup is by Caleb Jaren, originally posted at http://www.tropismgroup.org/2012/08/02/snort-user-defined-language-udl-in-notepad/ on 02 August 2012.

<NotepadPlus>
<UserLang name="Snort" ext="" udlVersion="2.0">
<Settings>
<Global caseIgnored="no" allowFoldOfComments="no" forceLineCommentsAtBOL="no" foldCompact="no" />
<Prefix Keywords1="no" Keywords2="no" Keywords3="no" Keywords4="no" Keywords5="no" Keywords6="no" Keywords7="no" Keywords8="no" />
</Settings>
<KeywordLists>
<Keywords name="Comments" id="0">03 04 00# 01 02</Keywords>
<Keywords name="Numbers, additional" id="1"></Keywords>
<Keywords name="Numbers, prefixes" id="2"></Keywords>
<Keywords name="Numbers, extras with prefixes" id="3"></Keywords>
<Keywords name="Numbers, suffixes" id="4"></Keywords>
<Keywords name="Operators1" id="5">- &quot; ( ) , : ; | &lt; &gt;</Keywords>
<Keywords name="Operators2" id="6"></Keywords>
<Keywords name="Folders in code1, open" id="7"></Keywords>
<Keywords name="Folders in code1, middle" id="8"></Keywords>
<Keywords name="Folders in code1, close" id="9"></Keywords>
<Keywords name="Folders in code2, open" id="10"></Keywords>
<Keywords name="Folders in code2, middle" id="11"></Keywords>
<Keywords name="Folders in code2, close" id="12"></Keywords>
<Keywords name="Folders in comment, open" id="13"></Keywords>
<Keywords name="Folders in comment, middle" id="14"></Keywords>
<Keywords name="Folders in comment, close" id="15"></Keywords>
<Keywords name="Keywords1" id="16">alert log pass activate dynamic drop reject sdrop tcp ip udp icmp</Keywords>
<Keywords name="Keywords2" id="17">$AIM_SERVERS $DNS_SERVERS $DNS_SERVERS_AD $EXTERNAL_NET $FILE_DATA_PORTS $GTP_PORTS $HOME_NET $HTTP_PORTS $HTTP_SERVERS $ORACLE_PORTS $SHELLCODE_PORTS $SIP_PORTS $SIP_SERVERS $SMTP_SERVERS $SNMP_SERVERS $SNORT_BPF $SQL_SERVERS $SSH_PORTS $SSH_SERVERS $TELNET_SERVERS</Keywords>
<Keywords name="Keywords3" id="18">msg reference gid sid rev classtype priority metadata content uricontent nocase threshold type limit track by_src by_dst count seconds distance within depth offset rawbytes http_client_body http_cookie http_raw_cookie http_header http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg http_encode fast_pattern urilen isdataat pcre pkt_data file_data base64_decode base64_data byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size logto session resp react tag activates activated_by replace detection_filter</Keywords>
<Keywords name="Keywords4" id="19"></Keywords>
<Keywords name="Keywords5" id="20"></Keywords>
<Keywords name="Keywords6" id="21"></Keywords>
<Keywords name="Keywords7" id="22"></Keywords>
<Keywords name="Keywords8" id="23"></Keywords>
<Keywords name="Delimiters" id="24">00| 01 02| 03&quot; 04 05&quot; 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23</Keywords>
</KeywordLists>
<Styles>
<WordsStyle name="DEFAULT" styleID="0" fgColor="C0C0C0" bgColor="000000" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="COMMENTS" styleID="1" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="LINE COMMENTS" styleID="2" fgColor="000000" bgColor="80FF80" fontName="" fontStyle="2" nesting="0" />
<WordsStyle name="NUMBERS" styleID="3" fgColor="00FFFF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS1" styleID="4" fgColor="FF0000" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS2" styleID="5" fgColor="0080FF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS3" styleID="6" fgColor="FF8040" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS4" styleID="7" fgColor="00FF80" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS5" styleID="8" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS6" styleID="9" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS7" styleID="10" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS8" styleID="11" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="OPERATORS" styleID="12" fgColor="00FF00" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="FOLDER IN CODE1" styleID="13" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="FOLDER IN CODE2" styleID="14" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="FOLDER IN COMMENT" styleID="15" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS1" styleID="16" fgColor="8000FF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="DELIMITERS2" styleID="17" fgColor="00FF00" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="DELIMITERS3" styleID="18" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS4" styleID="19" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS5" styleID="20" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS6" styleID="21" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS7" styleID="22" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS8" styleID="23" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
</Styles>
</UserLang>
<UserLang name="Snort2" ext="" udlVersion="2.0">
<Settings>
<Global caseIgnored="no" allowFoldOfComments="no" forceLineCommentsAtBOL="no" foldCompact="no" />
<Prefix Keywords1="no" Keywords2="no" Keywords3="no" Keywords4="no" Keywords5="no" Keywords6="no" Keywords7="no" Keywords8="no" />
</Settings>
<KeywordLists>
<Keywords name="Comments" id="0">03 04 00# 01 02</Keywords>
<Keywords name="Numbers, additional" id="1"></Keywords>
<Keywords name="Numbers, prefixes" id="2"></Keywords>
<Keywords name="Numbers, extras with prefixes" id="3"></Keywords>
<Keywords name="Numbers, suffixes" id="4"></Keywords>
<Keywords name="Operators1" id="5">- &quot; ( ) , : ; | &lt; &gt;</Keywords>
<Keywords name="Operators2" id="6"></Keywords>
<Keywords name="Folders in code1, open" id="7"></Keywords>
<Keywords name="Folders in code1, middle" id="8"></Keywords>
<Keywords name="Folders in code1, close" id="9"></Keywords>
<Keywords name="Folders in code2, open" id="10"></Keywords>
<Keywords name="Folders in code2, middle" id="11"></Keywords>
<Keywords name="Folders in code2, close" id="12"></Keywords>
<Keywords name="Folders in comment, open" id="13"></Keywords>
<Keywords name="Folders in comment, middle" id="14"></Keywords>
<Keywords name="Folders in comment, close" id="15"></Keywords>
<Keywords name="Keywords1" id="16">alert log pass activate dynamic drop reject sdrop tcp ip udp icmp</Keywords>
<Keywords name="Keywords2" id="17">$AIM_SERVERS $DNS_SERVERS $DNS_SERVERS_AD $EXTERNAL_NET $FILE_DATA_PORTS $GTP_PORTS $HOME_NET $HTTP_PORTS $HTTP_SERVERS $ORACLE_PORTS $SHELLCODE_PORTS $SIP_PORTS $SIP_SERVERS $SMTP_SERVERS $SNMP_SERVERS $SNORT_BPF $SQL_SERVERS $SSH_PORTS $SSH_SERVERS $TELNET_SERVERS</Keywords>
<Keywords name="Keywords3" id="18">msg reference gid sid rev classtype priority metadata content uricontent nocase threshold type limit track by_src by_dst count seconds distance within depth offset rawbytes http_client_body http_cookie http_raw_cookie http_header http_raw_header http_method http_uri http_raw_uri http_stat_code http_stat_msg http_encode fast_pattern urilen isdataat pcre pkt_data file_data base64_decode base64_data byte_test byte_jump byte_extract ftpbounce asn1 cvs dce_iface dce_opnum dce_stub_data sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size logto session resp react tag activates activated_by replace detection_filter</Keywords>
<Keywords name="Keywords4" id="19"></Keywords>
<Keywords name="Keywords5" id="20"></Keywords>
<Keywords name="Keywords6" id="21"></Keywords>
<Keywords name="Keywords7" id="22"></Keywords>
<Keywords name="Keywords8" id="23"></Keywords>
<Keywords name="Delimiters" id="24">00| 01 02| 03&quot; 04 05&quot; 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23</Keywords>
</KeywordLists>
<Styles>
<WordsStyle name="DEFAULT" styleID="0" fgColor="C0C0C0" bgColor="000000" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="COMMENTS" styleID="1" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="LINE COMMENTS" styleID="2" fgColor="000000" bgColor="80FF80" fontName="" fontStyle="2" nesting="0" />
<WordsStyle name="NUMBERS" styleID="3" fgColor="00FFFF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS1" styleID="4" fgColor="FF0000" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS2" styleID="5" fgColor="0080FF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS3" styleID="6" fgColor="FF8040" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS4" styleID="7" fgColor="00FF80" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="KEYWORDS5" styleID="8" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS6" styleID="9" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS7" styleID="10" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="KEYWORDS8" styleID="11" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="OPERATORS" styleID="12" fgColor="00FF00" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="FOLDER IN CODE1" styleID="13" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="FOLDER IN CODE2" styleID="14" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="FOLDER IN COMMENT" styleID="15" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS1" styleID="16" fgColor="8000FF" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="DELIMITERS2" styleID="17" fgColor="00FF00" bgColor="000000" fontName="" fontStyle="1" nesting="0" />
<WordsStyle name="DELIMITERS3" styleID="18" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS4" styleID="19" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS5" styleID="20" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS6" styleID="21" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS7" styleID="22" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
<WordsStyle name="DELIMITERS8" styleID="23" fgColor="000000" bgColor="FFFFFF" fontName="" fontStyle="0" nesting="0" />
</Styles>
</UserLang>
</NotepadPlus>