Global AddressDebugPrint (Address *a)

IPv6

Global AppLayerProtoDetectDeSetup (void)

incomplete. Need more work.

Global ByteExtractUint16 (uint16_t *res, int e, uint16_t len, const uint8_t *bytes)

Need standard return values

Global ByteExtractUint32 (uint32_t *res, int e, uint16_t len, const uint8_t *bytes)

Need standard return values

Global ByteExtractUint64 (uint64_t *res, int e, uint16_t len, const uint8_t *bytes)

Need standard return values

Global CIDRGetIPv6 (int cidr, struct in6_addr *in6)

I think for the final section: while (cidr > 0), we can simply replace it with a if (cidr > 0) { in6->s6_addr[i] = -1 << (8 - cidr);

File conf.c

Get rid of allow override and go with a simpler first set, stays approach?

Consider having the in-memory configuration database a direct reflection of the configuration file and moving command line parameters to a primary lookup table?

Global Daemonize (void)

We should check if we allow more than 1 instance to run simultaneously. Maybe change the behaviour through conf file

File decode-tcp.h

RAW* macro's should be returning the raw value, not the host order

Global DecodeCHDLCRegisterTests (void)

More Ethernet tests

Global DecodeEthernetRegisterTests (void)

More Ethernet tests

Global DecodeGRE (ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t)

We need to make sure this does not allow bypassing inspection. A server may just ignore these and continue processing the packet, but we will not look further into it.

Global DecodeICMPV6RegisterTests (void)

More ICMPv6 tests

Global DecodePPPOERegisterTests (void)

More PPPOE tests

Global DecodeRawRegisterTests (void)

More Raw tests

File defrag.c

pool for frag packet storage

policy bsd-right

profile hash function

log anomalies

File detect-engine-port.c

more unit testing

File detect-engine-proto.c

move this out of the detection plugin structure

File detect-metadata.c

Do we need to do anything more this is used in snort host attribute table It is also used for rule management.

File detect-rawbytes.c

Provide un-normalized telnet dce/rpc buffers to match on

Global DetectAddressMatchIPv4 (const DetectMatchAddressIPv4 *, uint16_t, const Address *)

array should be ordered, so we can break out of the loop

Global DetectAddressMatchIPv6 (const DetectMatchAddressIPv6 *, uint16_t, const Address *)

array should be ordered, so we can break out of the loop

Global DetectBytejumpRegister (void)

add support for no_stream and stream_only

Global DetectBytetestRegister (void)

add support for no_stream and stream_only

Global DetectFtpbounceRegister (void)

add support for no_stream and stream_only

Global DetectGeoipRegister (void)

add support for src_only and dst_only

Global DetectPortInsert (DetectEngineCtx *, DetectPort **, DetectPort *)

rewrite to avoid recursive calls

Global DetectProtoParse (DetectProto *dp, const char *str)

are numeric protocols even valid?

Global DetectRegisterAppLayerHookLists (void)

move elsewhere? maybe a detect-engine-hook.c?

Global DetectSameipRegister (void)

add support for no_stream and stream_only

File flow-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

Global FlowDisableFlowManagerThread (void)

Kinda hackish since it uses the tv name to identify flow manager thread. We need an all weather identification scheme.

Global FlowDisableFlowRecyclerThread (void)

Kinda hackish since it uses the tv name to identify flow recycler thread. We need an all weather identification scheme.

Global FrameGetLastOpenByType (Frames *frames, const uint8_t frame_type)

perhaps we can search backwards

File host-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global ICMPV4_IS_ERROR_MSG (type)

This check is used in the flow engine and needs to be as cheap as possible. Consider setting a bitflag at the decoder stage so we can to a bit check instead of the more expensive check below.

File ippair-bit.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

Global IPV4Opt_::type

We may want to break type up into its 3 fields as the reassembler may want to know which options must be copied to each fragment.

Global LINKTYPE_NULL

we need more & maybe put them in a separate file?

File pkt-var.c

move away from a linked list implementation

use different datatypes, such as string, int, etc.

have more than one instance of the same var, and be able to match on a specific one, or one all at a time. So if a certain capture matches multiple times, we can operate on all of them.

Global PmqReset (PrefilterRuleStore *)

memset is expensive, but we need it as we merge pmq's. We might use a flag so we can clear pmq's the old way if we can.

File respond-reject-libnet11.c

calculate TTL base on average from stream tracking

come up with a way for users to specify icmp unreachable type

Possibly default to port unreachable for UDP traffic this seems to be the default in flexresp and iptables

Global StorageGetSize (const StorageEnum type)

we could return -1 when registration isn't closed yet, however this will break lots of tests currently, so not doing it now

File stream-tcp.c

- 4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?

Global StreamingBufferSlideToOffset (StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)

if sliding beyond window, we could perhaps reset?

Global StreamTcpInlineSegmentReplacePacket (const TcpStream *stream, Packet *p, const TcpSegment *seg)

What about reassembled fragments?

What about unwrapped tunnel packets?

Global TmModuleDecodeAFPRegister (void)