suricata
Todo List
Global TmModuleDecodeIPFWRegister (void)
Unit tests are needed for this module.
File stream-tcp.c
- 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?
Global StreamTcpInlineSegmentReplacePacket (const TcpStream *, Packet *, const TcpSegment *)

What about reassembled fragments?

What about unwrapped tunnel packets?

Global DecodePfring (ThreadVars *tv, Packet *p, void *data)
Verify that PF_RING only deals with ethernet traffic
Global ReceivePfringThreadInit (ThreadVars *tv, const void *initdata, void **data)

add a config option for setting cluster id

Create a general pfring setup function.

Global TmModuleDecodePfringRegister (void)
Unit tests are needed for this module.
Global TmModuleReceivePfringRegister (void)
Unit tests are needed for this module.
File source-pfring.c

remove requirement for setting cluster so old 3.x versions are supported

implement DNA support

Allow ring options such as snaplen etc, to be user configurable.

"

Create a general pcap setup function.

Unit tests are needed for this module.

For divert sockets, dropping means not writing the packet back to the socket. Need to see if there is some better way to free the packet from the queue

Unit tests are needed for this module.

Unit tests are needed for this module.

Unit tests are needed for this module.

not very clean, as the memory is not freed here

Global TmModuleVerdictIPFWRegister (void)

untested

Unit tests are needed for this module.

Global TmModuleReceiveIPFWRegister (void)

untested

Unit tests are needed for this module.

"
Create a general AFP setup function.
Global TmModuleDecodeAFPRegister (void)
Unit tests are needed for this module.
Global TmModuleReceiveAFPRegister (void)
Unit tests are needed for this module.
File respond-reject-libnet11.c

calculate TTL base on average from stream tracking

come up with a way for users to specify icmp unreachable type

Possibly default to port unreachable for UDP traffic this seems to be the default in flexresp and iptables

implement ipv6 resets

implement pre-alloc resets for speed

File pkt-var.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

File ippair-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

File host-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global FlowDisableFlowRecyclerThread (void)
Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.
Global FlowDisableFlowManagerThread (void)
Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.
"

syslog is thread-safe according to POSIX manual and glibc code, but we we will have to look into non POSIX compliant boxes like freeBSD

no alloc on lookup

File util-threshold-config.c
Need to support suppress
Global StreamingBufferSlideToOffset (StreamingBuffer *sb, uint64_t offset)
if sliding beyond window, we could perhaps reset?
Global StorageGetSize (const StorageEnum type)
we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now
File util-rohash.c

maybe add a user ctx to be returned instead, something like a 4/8 byte ptr or simply a flag

a bloomfilter in the ROHashTableOffsets could possibly prevent a lot of cache misses when validating a potential match

Global PmqReset (PrefilterRuleStore *pmq)
memset is expensive, but we need it as we merge pmq's. We might use a flag so we can clear pmq's the old way if we can.
File util-mpm-ac.c
- Do a proper analyis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not,shift to using uint32_t for state type, so that we can integrate it's status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-senstive patterns if they have any ascii chars. If they don't treat them as nocase.
  • Carry out other optimizations we are working on. hashes, compression.
File util-mpm-ac-ks.c
- Do a proper analyis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
File util-mpm-ac-bs.c
- Do a proper analyis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not,shift to using uint32_t for state type, so that we can integrate it's status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-senstive patterns if they have any ascii chars. If they don't treat them as nocase.
  • Carry out other optimizations we are working on. hashes, compression.
File util-mem.h
Add wrappers for functions that allocate/free memory here. Currently we have malloc, calloc, realloc, strdup, strndup and free, but there are more.
"
make this size configurable
File util-error.c
Needs refining of the error codes. Renaming with a prefix of SC_ERR, removal of duplicates and entries have to be made in util-error.c
File flow-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

Global DAEMON_WORKING_DIRECTORY
Adjust path
Global Daemonize (void)
We should check if wie allow more than 1 instance to run simultaneously. Maybe change the behaviour through conf file
Global UtilCpuGetTicks (void)
We'll have to deal with removig ticks from the extra cpuids inbetween 2 calls.
"

Probably a more efficient way to do this.

Need standard return values

Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Need standard return values
"

check if it's correct or set event

improve resetting the session

Wireshark marks this a padding, but spec says reserved.

Global LINKTYPE_NULL
we need more & maybe put them in a separate file?
Global AddressDebugPrint (Address *a)
IPv6
"
Must GRE+VLAN and Multi-Vlan packets to create more tests
File decode-tcp.h
RAW* macro's should be returning the raw value, not the host order
Global DecodeRawRegisterTests (void)
More Raw tests
Global DecodePPPOERegisterTests (void)
More PPPOE tests
"
move into own function to loaded on demand
Global IPV4Opt_::type
We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.
"

Figure out which IP options are more common and list them first

Spec seems to indicate EOL required if there is padding

What if padding is non-zero (possible covert channel or data leakage)?

What if more data exist after EOL (possible covert channel or data leakage)?

May not want to return error here on unknown tag type (at least not for 3|4)

File defrag.c

pool for frag packet storage

policy bsd-right

profile hash function

log anomalies

Global DecodeICMPV6RegisterTests (void)
More ICMPv6 tests
Global ICMPV4_IS_ERROR_MSG (p)
This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can to a bit check instead of the more expensive check below.
Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t)

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

Global DecodeEthernetRegisterTests (void)
More Ethernet tests
Global DecodeCHDLCRegisterTests (void)
More Ethernet tests
File conf.c

Get rid of allow override and go with a simpler first set, stays approach?

Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?

"

data const

decoder event

Global FTP_COMMAND_MAX
more if missing..
Global AppLayerProtoDetectDeSetup (void)
incomplete. Need more work.
"
improve the order selection policy
File detect-engine-port.c
more unittesting
" </dt><dd> \anchor _todo000056 apply to uricontent</dd> <dt> Global \_internalref detect-sameip_8h#a18f9ffbec4eb46874a27b595474ddc36 "DetectSameipRegister" (void)
add support for no_stream and stream_only
File detect-rawbytes.c
Provide un-normalized telnet dce/rpc buffers to match on
File detect-metadata.c
Do we need to do anything more this is used in snort host attribute table It is also used for rule managment.
Global DetectGeoipRegister (void)
add support for src_only and dst_only
Global DetectFtpbounceRegister (void)
add support for no_stream and stream_only
"

when we start supporting more protocols, the logic in this function needs to be put behind a api.

get rid of this static

Global DetectProtoParse (DetectProto *dp, const char *str)
are numeric protocols even valid?
File detect-engine-proto.c
move this out of the detection plugin structure
"

XXX current sorting only works for overlapping ranges

We don't seem to be handling negated cases, like [port,![!port,port]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.

Global DetectPortInsert (DetectEngineCtx *, DetectPort **, DetectPort *)
rewrite to avoid recursive calls
"
doc assume we have aft lock
Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *)
array should be ordered, so we can break out of the loop
"

We don't seem to be handling negated cases, like [addr,![!addr,addr]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even no of negations would count as no negation and an odd no of negations would count as a negation.

should not alert, bug #839 if (PacketAlertCheck(p3, 3)) { printf("(p3) sig 3 did alert, but it should not have: "); goto end; }

Global DetectBytetestRegister (void)
add support for no_stream and stream_only
"
Error on dups?
Global VALID_KW
We probably just need a simple tokenizer here
Global DetectBytejumpDoMatch (DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *, const uint8_t *, uint32_t, uint16_t, int32_t)
The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytejumpMatch(...)) { match }, then they catch an error as a match.
Global DetectBytejumpRegister (void)
add support for no_stream and stream_only
"

This fails because we can only have 9 captures and there are 10.

Error on dups?

Global DetectBsizeMatch (const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
check logic around < vs <=
"
Allocate packet buffers from a pool.