suricata
Todo List
Global AddressDebugPrint (Address *a)
IPv6
File alert-fastlog.c

Support classifications

Support more than just IPv4/IPv6 TCP/UDP.

Global AppLayerParserRegisterProtocolParsers (void)
bug 719
Global AppLayerProtoDetectDeSetup (void)
incomplete. Need more work.
Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
File conf.c

Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?

Get rid of allow override and go with a simpler first set, stays approach?

Global DAEMON_WORKING_DIRECTORY
Adjust path
Global Daemonize (void)
We should check whether we allow more than one instance to run simultaneously. Maybe change the behaviour through the conf file.
Global DCERPCParser (DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
- Currently the parser is very generic. Enable target based reassembly.
  • Disable reiniting tailq for mid and last bind/alter_context pdus.
  • Use a PM to search for subsequent 05 00 when we see an inconsistent pdu. This should be done for each platform based on how it handles a condition where it has received a segment with 2 pdus, while the first pdu in the segment is corrupt.
File decode-tcp.h
RAW* macros should return the raw value, not the host-order value.
Global DecodeEthernetRegisterTests (void)
More Ethernet tests
Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.
Global DecodeICMPV6RegisterTests (void)
More ICMPv6 tests
Global DecodeIPFW (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
Unit tests are needed for this module.
Global DecodePfring (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
Verify that PF_RING only deals with ethernet traffic
Global DecodePPPOERegisterTests (void)
More PPPOE tests
Global DecodeRawRegisterTests (void)
More Raw tests
File defrag.c

pool for frag packet storage

policy bsd-right

profile hash function

log anomalies

File detect-engine-address.c
Move this out of the detection plugin structure; rename to detect-engine-address.c.
File detect-engine-port.c

move this out of the detection plugin structure

more unittesting

File detect-engine-proto.c
move this out of the detection plugin structure
File detect-metadata.c
Do we need to do anything more? This is used in the Snort host attribute table. It is also used for rule management.
File detect-rawbytes.c
Provide un-normalized telnet dce/rpc buffers to match on
Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
Global DetectBsizeMatch (const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
check logic around < vs <=
Global DetectBytejumpDoMatch (DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *, uint8_t *, uint32_t, uint8_t, int32_t)
The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytejumpMatch(...)) { match }, then they catch an error as a match.
Global DetectBytejumpRegister (void)
add support for no_stream and stream_only
Global DetectBytetestRegister (void)
add support for no_stream and stream_only
Global DetectEngineCtx_::app_mpms
we only need this at init, so perhaps this can move to a DetectEngineCtx 'init' struct
Global DetectFtpbounceRegister (void)
add support for no_stream and stream_only
Global DetectGeoipRegister (void)
add support for src_only and dst_only
Global DetectProtoParse (DetectProto *dp, const char *str)
are numeric protocols even valid?
Global DetectSameipRegister (void)
add support for no_stream and stream_only
File flow-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

Global FlowDisableFlowManagerThread (void)
Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.
Global FlowDisableFlowRecyclerThread (void)
Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.
Global FTP_COMMAND_USER
more if missing.
File host-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global ICMPV4_IS_ERROR_MSG (p)
This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can do a bit check instead of the more expensive check below.
Global IPFWSetVerdict (ThreadVars *tv, IPFWThreadVars *ptv, Packet *p)
For divert sockets, dropping means not writing the packet back to the socket. Need to see if there is some better way to free the packet from the queue
File ippair-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global IPV4Opt_::type
We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.
Global LINKTYPE_NULL
we need more & maybe put them in a separate file?
Global NFQSetVerdict (Packet *p)
add a test on the validity of the entry; NFQQueueVars could have been wiped out
Global PARSE_REGEX
We probably just need a simple tokenizer here
File pkt-var.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

Global PmqReset (PrefilterRuleStore *pmq)
memset is expensive, but we need it as we merge pmqs. We might use a flag so we can clear pmqs the old way if we can.
Global ReceiveAFPThreadInit (ThreadVars *tv, const void *initdata, void **data)
Create a general AFP setup function.
Global ReceiveIPFWThreadDeinit (ThreadVars *tv, void *data)
Unit tests are needed for this module.
Global ReceiveIPFWThreadExitStats (ThreadVars *tv, void *data)
Unit tests are needed for this module.
Global ReceivePcapThreadInit (ThreadVars *tv, const void *initdata, void **data)
Create a general pcap setup function.
Global ReceivePfringThreadInit (ThreadVars *tv, const void *initdata, void **data)

add a config option for setting cluster id

Create a general pfring setup function.

File respond-reject-libnet11.c

calculate TTL based on the average from stream tracking

come up with a way for users to specify icmp unreachable type

Possibly default to port unreachable for UDP traffic; this seems to be the default in flexresp and iptables

implement ipv6 resets

implement pre-alloc resets for speed

File respond-reject.c
RespondRejectFunc returns 1 on error, 0 on ok... why? For now it should just return 0 always, error handling is a TODO in the threading model (VJ)
File source-nfq.c
test if Receive and Verdict are both present
File source-pfring.c

remove requirement for setting cluster so old 3.x versions are supported

implement DNA support

Allow ring options, such as snaplen etc., to be user configurable.

Global StorageGetSize (const StorageEnum type)
we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now
File stream-tcp.c
- 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?
Global StreamingBufferSlideToOffset (StreamingBuffer *sb, uint64_t offset)
if sliding beyond window, we could perhaps reset?
Global StreamTcpInlineSegmentReplacePacket (const TcpStream *, Packet *, const TcpSegment *)

What about reassembled fragments?

What about unwrapped tunnel packets?

Global TmModuleDecodeAFPRegister (void)
Unit tests are needed for this module.
Global TmModuleDecodeIPFWRegister (void)
Unit tests are needed for this module.
Global TmModuleDecodeNetmapRegister (void)
Unit tests are needed for this module.
Global TmModuleDecodePcapRegister (void)
Unit tests are needed for this module.
Global TmModuleDecodePfringRegister (void)
Unit tests are needed for this module.
Global TmModuleReceiveAFPRegister (void)
Unit tests are needed for this module.
Global TmModuleReceiveIPFWRegister (void)

Unit tests are needed for this module.

untested

Global TmModuleReceivePcapRegister (void)
Unit tests are needed for this module.
Global TmModuleReceivePfringRegister (void)
Unit tests are needed for this module.
Global TmModuleVerdictIPFWRegister (void)

Unit tests are needed for this module.

untested

Global TmThreadsSlotVarRun (ThreadVars *tv, Packet *p, TmSlot *slot)
Deal with post_pq for slots beyond the first.
File util-error.c
The error codes need refining: renaming with an SC_ERR prefix, removal of duplicates, and adding the corresponding entries in util-error.c.
File util-mem.h
Add wrappers for functions that allocate/free memory here. Currently we have malloc, calloc, realloc, strdup and free, but there are more.
File util-mpm-ac-bs.c
- Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say HTTP).
  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not, shift to using uint32_t for the state type, so that we can integrate its status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-sensitive patterns if they have any ASCII chars. If they don't, treat them as nocase.
  • Carry out other optimizations we are working on: hashes, compression.
File util-mpm-ac-tile.c
- Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say HTTP).
File util-mpm-ac.c
- Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say HTTP).
  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not, shift to using uint32_t for the state type, so that we can integrate its status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-sensitive patterns if they have any ASCII chars. If they don't, treat them as nocase.
  • Carry out other optimizations we are working on: hashes, compression.
File util-rohash.c

a bloomfilter in the ROHashTableOffsets could possibly prevent a lot of cache misses when validating a potential match

maybe add a user ctx to be returned instead, something like a 4/8 byte ptr or simply a flag

File util-threshold-config.c
Need to support suppress
Global UtilCpuGetTicks (void)
We'll have to deal with removing ticks from the extra cpuids in between 2 calls.
Global VerdictIPFW (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
Unit tests are needed for this module.