suricata
Todo List
Global TmModuleVerdictIPFWRegister (void)
Unit tests are needed for this module.
Global DecodePfring (ThreadVars *tv, Packet *p, void *data)
Verify that PF_RING only deals with ethernet traffic
Global ReceivePfringThreadInit (ThreadVars *tv, const void *initdata, void **data)

add a config option for setting cluster id

Create a general pfring setup function.

Global TmModuleDecodePfringRegister (void)
Unit tests are needed for this module.
Global TmModuleReceivePfringRegister (void)
Unit tests are needed for this module.
File source-pfring.c

remove requirement for setting cluster so old 3.x versions are supported

implement DNA support

Allow ring options such as snaplen etc, to be user configurable.

"

Create a general pcap setup function.

Unit tests are needed for this module.

For divert sockets, dropping means not writing the packet back to the socket. Need to see if there is some better way to free the packet from the queue

Unit tests are needed for this module.

Unit tests are needed for this module.

Unit tests are needed for this module.

Global TmModuleDecodeIPFWRegister (void)
Unit tests are needed for this module.
Global TmModuleVerdictIPFWRegister (void)
untested
Global StreamTcpInlineSegmentReplacePacket (const TcpStream *, Packet *, const TcpSegment *)

What about reassembled fragments?

What about unwrapped tunnel packets?

Global TmModuleReceiveIPFWRegister (void)

untested

Unit tests are needed for this module.

"
Create a general AFP setup function.
Global TmModuleDecodeAFPRegister (void)
Unit tests are needed for this module.
Global TmModuleReceiveAFPRegister (void)
Unit tests are needed for this module.
File respond-reject-libnet11.c

calculate TTL base on average from stream tracking

come up with a way for users to specify icmp unreachable type

Possibly default to port unreachable for UDP traffic this seems to be the default in flexresp and iptables

File pkt-var.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

"
clean up various end of tx/stream etc indicators
File ippair-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

File host-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global FlowDisableFlowRecyclerThread (void)
Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.
Global FlowDisableFlowManagerThread (void)
Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.
Global CIDRGetIPv6 (int cidr, struct in6_addr *in6)
I think for the final section: while (cidr > 0), we can simply replace it with a if (cidr > 0) { in6->s6_addr[i] = -1 << (8 - cidr);
Global StreamingBufferSlideToOffset (StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
if sliding beyond window, we could perhaps reset?
Global StorageGetSize (const StorageEnum type)
we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now
File util-rohash.c

maybe add a user ctx to be returned instead, something like a 4/8 byte ptr or simply a flag

a bloomfilter in the ROHashTableOffsets could possibly prevent a lot of cache misses when validating a potential match

Global PmqReset (PrefilterRuleStore *)
memset is expensive, but we need it as we merge pmq's. We might use a flag so we can clear pmq's the old way if we can.
File util-mpm-ac.c
- Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not,shift to using uint32_t for state type, so that we can integrate it's status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-sensitive patterns if they have any ascii chars. If they don't treat them as nocase.
  • Carry out other optimizations we are working on. hashes, compression.
File util-mpm-ac-ks.c
- Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
File util-mem.h
Add wrappers for functions that allocate/free memory here. Currently we have malloc, calloc, realloc, strdup, strndup and free, but there are more.
"
make this size configurable
File util-error.c
Needs refining of the error codes. Renaming with a prefix of SC_ERR, removal of duplicates and entries have to be made in util-error.c
"
syslog is thread-safe according to POSIX manual and glibc code, but we we will have to look into non POSIX compliant boxes like freeBSD
Global Daemonize (void)
We should check if we allow more than 1 instance to run simultaneously. Maybe change the behaviour through conf file
Global UtilCpuGetTicks (void)
We'll have to deal with removing ticks from the extra cpuids in between 2 calls.
File flow-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

"

Probably a more efficient way to do this.

Need standard return values

Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
"

error in sig 'http_client_body:;'

improve resetting the session

not very clean, as the memory is not freed here

File stream-tcp.c
- 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?
Global DecodeICMPV6RegisterTests (void)
More ICMPv6 tests
Global AddressDebugPrint (Address *a)
IPv6
"
Must GRE+VLAN and Multi-Vlan packets to create more tests
File decode-tcp.h
RAW* macro's should be returning the raw value, not the host order
Global DecodeRawRegisterTests (void)
More Raw tests
Global DecodePPPOERegisterTests (void)
More PPPOE tests
"
move into own function to loaded on demand
Global IPV4Opt_::type
We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.
"

Figure out which IP options are more common and list them first

Spec seems to indicate EOL required if there is padding

What if padding is non-zero (possible covert channel or data leakage)?

What if more data exist after EOL (possible covert channel or data leakage)?

May not want to return error here on unknown tag type (at least not for 3|4)

Wireshark marks this a padding, but spec says reserved.

Global LINKTYPE_NULL
we need more & maybe put them in a separate file?
Global ICMPV4_IS_ERROR_MSG (p)
This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can to a bit check instead of the more expensive check below.
Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t)

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

Global DecodeEthernetRegisterTests (void)
More Ethernet tests
Global DecodeCHDLCRegisterTests (void)
More Ethernet tests
File conf.c

Get rid of allow override and go with a simpler first set, stays approach?

Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?

"

data const

decoder event

Global FTP_COMMAND_MAX
more if missing..
Global AppLayerProtoDetectDeSetup (void)
incomplete. Need more work.
"
improve the order selection policy
File detect-engine-port.c
more unit testing
" </dt><dd> \anchor _todo000054 apply to uricontent</dd> <dt> Global \_internalref detect-sameip_8h#a18f9ffbec4eb46874a27b595474ddc36 "DetectSameipRegister" (void)
add support for no_stream and stream_only
File detect-rawbytes.c
Provide un-normalized telnet dce/rpc buffers to match on
File detect-metadata.c
Do we need to do anything more this is used in snort host attribute table It is also used for rule management.
Global DetectGeoipRegister (void)
add support for src_only and dst_only
Global DetectFtpbounceRegister (void)
add support for no_stream and stream_only
"

when we start supporting more protocols, the logic in this function needs to be put behind a api.

get rid of this static

Global DetectProtoParse (DetectProto *dp, const char *str)
are numeric protocols even valid?
File detect-engine-proto.c
move this out of the detection plugin structure
"

XXX current sorting only works for overlapping ranges

We don't seem to be handling negated cases, like [port,![!port,port]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.

Global DetectPortInsert (DetectEngineCtx *, DetectPort **, DetectPort *)
rewrite to avoid recursive calls
"
doc assume we have aft lock
Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
"

We don't seem to be handling negated cases, like [addr,![!addr,addr]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.

should not alert, bug #839 if (PacketAlertCheck(p3, 3)) { printf("(p3) sig 3 did alert, but it should not have: "); goto end; }

Global DetectBytetestRegister (void)
add support for no_stream and stream_only
"
Error on dups?
Global VALID_KW
We probably just need a simple tokenizer here
Global DetectBytejumpRegister (void)
add support for no_stream and stream_only
"

This fails because we can only have 9 captures and there are 10.

Error on dups?

Allocate packet buffers from a pool.

File defrag.c

pool for frag packet storage

policy bsd-right

profile hash function

log anomalies