suricata
Todo List

Unit tests are needed for this module.

not very clean, as the memory is not freed here

File stream-tcp.c - 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?

Global StreamTcpInlineSegmentReplacePacket (const TcpStream *, Packet *, const TcpSegment *) What about reassembled fragments?

What about unwrapped tunnel packets?

Global DecodePfring (ThreadVars *tv, Packet *p, void *data) Verify that PF_RING only deals with ethernet traffic

Global ReceivePfringThreadInit (ThreadVars *tv, const void *initdata, void **data) add a config option for setting cluster id

Create a general pfring setup function.

Global TmModuleDecodePfringRegister (void) Unit tests are needed for this module.

Global TmModuleReceivePfringRegister (void) Unit tests are needed for this module.

File source-pfring.c remove requirement for setting cluster so old 3.x versions are supported

implement DNA support

Allow ring options such as snaplen etc, to be user configurable.

Create a general pcap setup function.

Unit tests are needed for this module.

For divert sockets, dropping means not writing the packet back to the socket. Need to see if there is some better way to free the packet from the queue

Unit tests are needed for this module.

Unit tests are needed for this module.

Global TmModuleDecodeIPFWRegister (void) Unit tests are needed for this module.

Global TmModuleVerdictIPFWRegister (void) untested

Unit tests are needed for this module.

Global TmModuleReceiveIPFWRegister (void) untested

Unit tests are needed for this module.

Create a general AFP setup function.

Global TmModuleDecodeAFPRegister (void) Unit tests are needed for this module.

Global TmModuleReceiveAFPRegister (void) Unit tests are needed for this module.

File respond-reject-libnet11.c calculate TTL based on average from stream tracking

come up with a way for users to specify icmp unreachable type

Possibly default to port unreachable for UDP traffic; this seems to be the default in flexresp and iptables

implement ipv6 resets

implement pre-alloc resets for speed

File pkt-var.c move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

File ippair-bit.c move away from a linked list implementation

use different datatypes, such as string, int, etc.

File host-bit.c move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global FlowDisableFlowRecyclerThread (void) Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.

syslog is thread-safe according to POSIX manual and glibc code, but we will have to look into non POSIX compliant boxes like FreeBSD

no alloc on lookup

File util-threshold-config.c Need to support suppress

Global StreamingBufferSlideToOffset (StreamingBuffer *sb, uint64_t offset) if sliding beyond window, we could perhaps reset?

Global StorageGetSize (const StorageEnum type) we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now

File util-rohash.c maybe add a user ctx to be returned instead, something like a 4/8 byte ptr or simply a flag

a bloomfilter in the ROHashTableOffsets could possibly prevent a lot of cache misses when validating a potential match

Global PmqReset (PrefilterRuleStore *pmq) memset is expensive, but we need it as we merge pmq's. We might use a flag so we can clear pmq's the old way if we can.

File util-mpm-ac.c - Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say http).

  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not, shift to using uint32_t for state type, so that we can integrate its status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-sensitive patterns if they have any ascii chars. If they don't, treat them as nocase.
  • Carry out other optimizations we are working on. hashes, compression.

File util-mpm-ac-ks.c - Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say http).

File util-mpm-ac-bs.c - Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic (say http).

  • Tried out loop unrolling without any perf increase. Need to dig deeper.
  • Irrespective of whether we cross 2 ** 16 states or not, shift to using uint32_t for state type, so that we can integrate its status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
  • Test case-sensitive patterns if they have any ascii chars. If they don't, treat them as nocase.
  • Carry out other optimizations we are working on. hashes, compression.

File util-mem.h Add wrappers for functions that allocate/free memory here. Currently we have malloc, calloc, realloc, strdup, strndup and free, but there are more.

make this size configurable

File util-error.c Needs refining of the error codes. Renaming with a prefix of SC_ERR, removal of duplicates and entries have to be made in util-error.c

Global FlowDisableFlowManagerThread (void) Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.

Global DAEMON_WORKING_DIRECTORY Adjust path

Global Daemonize (void) We should check if we allow more than 1 instance to run simultaneously. Maybe change the behaviour through conf file

Global UtilCpuGetTicks (void) We'll have to deal with removing ticks from the extra cpuids in between 2 calls.

Global CIDRGetIPv6 (int cidr, struct in6_addr *in6) I think for the final section: while (cidr > 0), we can simply replace it with a if (cidr > 0) { in6->s6_addr[i] = -1 << (8 - cidr);

Probably a more efficient way to do this.

Need standard return values

Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values

Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values

Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes) Need standard return values


check if it's correct or set event

improve resetting the session

Wireshark marks this as padding, but spec says reserved.

Global LINKTYPE_NULL we need more & maybe put them in a separate file?

Global AddressDebugPrint (Address *a) IPv6

Must GRE+VLAN and Multi-Vlan packets to create more tests

File decode-tcp.h RAW* macros should be returning the raw value, not the host order

Global DecodeRawRegisterTests (void) More Raw tests

Global DecodePPPOERegisterTests (void) More PPPOE tests

move into own function to be loaded on demand

Global IPV4Opt_::type We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.

Figure out which IP options are more common and list them first

Spec seems to indicate EOL required if there is padding

What if padding is non-zero (possible covert channel or data leakage)?

What if more data exist after EOL (possible covert channel or data leakage)?

May not want to return error here on unknown tag type (at least not for 3|4)

File defrag.c pool for frag packet storage

policy bsd-right

profile hash function

log anomalies

Global DecodeICMPV6RegisterTests (void) More ICMPv6 tests

Global ICMPV4_IS_ERROR_MSG (p) This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can do a bit check instead of the more expensive check below.

Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t) We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

Global DecodeEthernetRegisterTests (void) More Ethernet tests

Global DecodeCHDLCRegisterTests (void) More Ethernet tests

File conf.c Get rid of allow override and go with a simpler first set, stays approach?

Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?

data const

decoder event

Global FTP_COMMAND_MAX more if missing..

Global AppLayerProtoDetectDeSetup (void) incomplete. Need more work.

improve the order selection policy

Global DetectPortInsert (DetectEngineCtx *, DetectPort **, DetectPort *) rewrite to avoid recursive calls

File flow-bit.c move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

apply to uricontent

Global DetectSameipRegister (void) add support for no_stream and stream_only

File detect-rawbytes.c Provide un-normalized telnet dce/rpc buffers to match on

File detect-metadata.c Do we need to do anything more? This is used in snort host attribute table. It is also used for rule management.

Global DetectGeoipRegister (void) add support for src_only and dst_only

Global DetectFtpbounceRegister (void) add support for no_stream and stream_only

when we start supporting more protocols, the logic in this function needs to be put behind an API.

get rid of this static

Global DetectProtoParse (DetectProto *dp, const char *str) are numeric protocols even valid?

File detect-engine-proto.c move this out of the detection plugin structure

XXX current sorting only works for overlapping ranges

We don't seem to be handling negated cases, like [port,![!port,port]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even number of negations would count as no negation and an odd number of negations would count as a negation.

doc assume we have aft lock

File detect-engine-port.c more unittesting

Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *) array should be ordered, so we can break out of the loop

Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *) array should be ordered, so we can break out of the loop

We don't seem to be handling negated cases, like [addr,![!addr,addr]], since we pass around negate without keeping a count of ! with depth. Can solve this by keeping a count of the negations with depth, so that an even number of negations would count as no negation and an odd number of negations would count as a negation.

should not alert, bug #839 if (PacketAlertCheck(p3, 3)) { printf("(p3) sig 3 did alert, but it should not have: "); goto end; }

Global DetectBytetestRegister (void) add support for no_stream and stream_only

Error on dups?

Global VALID_KW We probably just need a simple tokenizer here

Global DetectBytejumpDoMatch (DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *, const uint8_t *, uint32_t, uint16_t, int32_t) The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytejumpMatch(...)) { match }, then they catch an error as a match.

Global DetectBytejumpRegister (void) add support for no_stream and stream_only

This fails because we can only have 9 captures and there are 10.

Error on dups?

Allocate packet buffers from a pool.