- Generated on Wed Nov 20 2024 23:30:47 for suricata by
1.8.18
|
suricata
|
Create a general AFP setup function.
File stream-tcp.c - 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?
Global StreamTcpInlineSegmentReplacePacket (const TcpStream *, Packet *, const TcpSegment *) What about reassembled fragments?
What about unwrapped tunnel packets?
" Create a general pcap setup function.
Unit tests are needed for this module.
For divert sockets, dropping means not writing the packet back to the socket. Need to see if there is some better way to free the packet from the queue
Unit tests are needed for this module.
Unit tests are needed for this module.
Unit tests are needed for this module.
Global TmModuleDecodeIPFWRegister (void) Unit tests are needed for this module.
Global TmModuleVerdictIPFWRegister (void) untested
Unit tests are needed for this module.
Global TmModuleReceiveIPFWRegister (void) untested
Unit tests are needed for this module.
" not very clean, as the memory is not freed here
Global TmModuleDecodeAFPRegister (void) Unit tests are needed for this module.
Global TmModuleReceiveAFPRegister (void) Unit tests are needed for this module.
File respond-reject-libnet11.c calculate TTL base on average from stream tracking
come up with a way for users to specify icmp unreachable type
Possibly default to port unreachable for UDP traffic this seems to be the default in flexresp and iptables
File pkt-var.c move away from a linked list implementation
use different datatypes, such as string, int, etc.
have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.
" clean up various end of tx/stream etc indicators
File ippair-bit.c move away from a linked list implementation
use different datatypes, such as string, int, etc.
File host-bit.c move away from a linked list implementation
use different datatypes, such as string, int, etc.
Global FlowDisableFlowRecyclerThread (void) Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.
Global FlowDisableFlowManagerThread (void) Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.
File flow-bit.c move away from a linked list implementation
use different datatypes, such as string, int, etc.
have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.
" </dt><dd> \anchor _todo000055 apply to uricontent</dd> <dt> Global \_internalref detect-sameip_8h#a18f9ffbec4eb46874a27b595474ddc36 "DetectSameipRegister" (void) add support for no_stream and stream_only
Global Daemonize (void) We should check if we allow more than 1 instance to run simultaneously. Maybe change the behaviour through conf file
Global GenericVar see ticket #6855. The type field should be 16 bits.
Global StreamingBufferSlideToOffset (StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset) if sliding beyond window, we could perhaps reset?
Global StorageGetSize (const StorageEnum type) we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now
File util-rohash.c maybe add a user ctx to be returned instead, something like a 4/8 byte ptr or simply a flag
a bloomfilter in the ROHashTableOffsets could possibly prevent a lot of cache misses when validating a potential match
Global PmqReset (PrefilterRuleStore *) memset is expensive, but we need it as we merge pmq's. We might use a flag so we can clear pmq's the old way if we can.
File util-mpm-ac.c - Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
File util-mpm-ac-ks.c - Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
File util-mem.h Add wrappers for functions that allocate/free memory here. Currently we have malloc, calloc, realloc, strdup, strndup and free, but there are more.
File util-error.c Needs refining of the error codes. Renaming with a prefix of SC_ERR, removal of duplicates and entries have to be made in util-error.c
" syslog is thread-safe according to POSIX manual and glibc code, but we we will have to look into non POSIX compliant boxes like freeBSD
File detect-rawbytes.c Provide un-normalized telnet dce/rpc buffers to match on
Global UtilCpuGetTicks (void) We'll have to deal with removing ticks from the extra cpuids in between 2 calls.
Global CIDRGetIPv6 (int cidr, struct in6_addr *in6) I think for the final section: while (cidr > 0), we can simply replace it with a if (cidr > 0) { in6->s6_addr[i] = -1 << (8 - cidr);
" Probably a more efficient way to do this.
Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values
Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values
Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values
" error in sig 'http_client_body:;'
Global ICMPV4_IS_ERROR_MSG (type) This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can to a bit check instead of the more expensive check below.
File decode-tcp.h RAW* macro's should be returning the raw value, not the host order
Global DecodeRawRegisterTests (void) More Raw tests
Global DecodePPPOERegisterTests (void) More PPPOE tests
" move into own function to loaded on demand
IPV4Opt_ Global IPV4Opt_::type We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.
" Figure out which IP options are more common and list them first
Spec seems to indicate EOL required if there is padding
What if padding is non-zero (possible covert channel or data leakage)?
What if more data exist after EOL (possible covert channel or data leakage)?
May not want to return error here on unknown tag type (at least not for 3|4)
Wireshark marks this a padding, but spec says reserved.
Global DecodeICMPV6RegisterTests (void) More ICMPv6 tests
" Must GRE+VLAN and Multi-Vlan packets to create more tests
Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t) We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.
We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.
Global DecodeEthernetRegisterTests (void) More Ethernet tests
Global DecodeCHDLCRegisterTests (void) More Ethernet tests
File conf.c Get rid of allow override and go with a simpler first set, stays approach?
Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?
Global FTP_COMMAND_MAX more if missing..
Global FrameGetLastOpenByType (Frames *frames, const uint8_t frame_type) perhaps we can search backwards
Global AppLayerProtoDetectDeSetup (void) incomplete. Need more work.
" improve the order selection policy
Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *) array should be ordered, so we can break out of the loop
File detect-metadata.c Do we need to do anything more this is used in snort host attribute table It is also used for rule management.
Global DetectGeoipRegister (void) add support for src_only and dst_only
Global DetectFtpbounceRegister (void) add support for no_stream and stream_only
" when we start supporting more protocols, the logic in this function needs to be put behind a api.
Global DetectProtoParse (DetectProto *dp, const char *str) are numeric protocols even valid?
File detect-engine-proto.c move this out of the detection plugin structure
" XXX current sorting only works for overlapping ranges
We don't seem to be handling negated cases, like [port,![!port,port]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.
Global DetectPortInsert (DetectEngineCtx *, DetectPort **, DetectPort *) rewrite to avoid recursive calls
File detect-engine-port.c more unit testing
Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *) array should be ordered, so we can break out of the loop
We don't seem to be handling negated cases, like [addr,![!addr,addr]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.
should not alert, bug #839 if (PacketAlertCheck(p3, 3)) { printf("(p3) sig 3 did alert, but it should not have: "); goto end; }
Global DetectBytetestRegister (void) add support for no_stream and stream_only
Global VALID_KW We probably just need a simple tokenizer here
Global DetectBytejumpRegister (void) add support for no_stream and stream_only
" This fails because we can only have 9 captures and there are 10.
Allocate packet buffers from a pool.
File defrag.c pool for frag packet storage
policy bsd-right
profile hash function
log anomalies
Global LINKTYPE_NULL we need more & maybe put them in a separate file?
Global AddressDebugPrint (Address *a) IPv6
1.8.18