HACKING
=======

Welcome to the HACKING file. This is the place for long-standing TODO items.
The short-term todo list is at http://www.scaramanga.co.uk/firestorm/TODO.

KNOWN BUGS
==========

 o TCP stream reassembly is unfinished
 o http and smtp decoders are unfinished
 o Will only work on big-endian or little-endian machines, PDP endian is not
   supported. Shouldn't be much of a problem...even glib doesn't support PDP
   endian yet.

API / CLEANUPS
==============

 o Move API headers into include/firestorm
 o Generic API for using itimers/vtimers
 o Allow preprocessors on any notifier hook or on arbitrary timers
 o Token bucket filter any mesg() that may be caused by a packet
 o Use glib in firestorm core (this is a long term future thing)

DOCUMENTATION
=============

 o Put descriptions in file header blocks
 o Descriptive comments on all important functions
 o Document failure modes for functions, bottom up
 o User documentation always needs work
 o Technical documentation can go in the docbook docs
 o Start work on a scalability document including algorithmic complexity,
   memory usage, and object size/number limits.

PACKET ACQUISITION
==================

 o NETLINK/ULOG capture modules
 o Detect MTUs in order to select buffer sizes...
 o Split capdev->init into two parts to minimise what is done as root
 o Use large ringbuffers for captures, needs API changes to reap the full
   benefits, eg: zero-copy ipfrag/tcpstream.
 o Wiretap capture plugin
 o Allow non-complete capture sources ie: netflow, headers-only captures,
   firewall logs, etc. (this may require a bit of an overhaul in other areas)

DECODE ENGINE
=============

 o 802.11b, IrDA, Bluetooth, Token Ring/FDDI, IPv6, ATM, PPP(oE|oA)
 o Track related streams in tcpstream
 o Alert on unicast IGMP membership reports

ATTACK DETECTION
================

 o Support new snort stuff (pcre, maybe byte jumpy things too)
 o Statistical anomaly detection
 o Statistical portscan detection
 o Passive OS fingerprint
 o Passive portscanning
 o Passive NetBIOS, CDP, etc. information gathering
 o IrDA device logging
 o Bandwidth monitoring
 o Compile rulesets into machine code (a la snortran)

ALERTING
========

 o Write raw socket exporter plugin for inline mode
 o Use adaptive alert throttling techniques
 o Black-box mode / Tagging
 o Give higher cost to lower priority alerts in the token bucket.

CONSOLE
=======

 o See: doc/console-mkI
 o See: doc/console-mkII

GENERAL AIMS BY MAJOR VERSION
=============================

Firestorm 0.6.x series:

 o This series aims at getting the right primitives in place to go on with
   future developments.
 o Fully flexible pipeline construction, with various types of elements such
   as:
    o sources
    o sinks
    o classifiers / multi-way filters (allow packets to pass or not)
    o multi-way splitters and mergers
    o hooks
    o new elements defined by plugins
 o Type-based field API, so matchers really are defunct.
 o Merge of detect() API with index query API, this allows for:
    o higher level firestorm rulesets with boolean operators etc.
    o not having to index all fields that you want to do offline queries on
 o Native firestorm rule+query language
 o Coupled with the fact that sources and sinks may be network based, this
   allows arbitrary packet processing pipelines with super fast filtering
   etc. which can be split over clusters of machines. Stormwall will be
   simply source/sink plugins. Other protocols may be implemented (prelude).
 o Sink/Source for buffering between threads allows for using threading
   arbitrarily in pipelines. Useful for decoupling I/O from the capture
   thread.
 o Packet output sinks allow for an inline mode

Firestorm 0.7.x series:

 o This will almost entirely consist of work on the GUI, optimising
   networking code, optimising file formats, and adding new plugins and
   generally increasing attack detection capability
 o Correlation of alerts on console
 o danger theory stuff
 o honeypot integration
 o win32 port
 o scalability work
    o raise maximum sizes of databases etc.
    o compression
    o archival
    o we already have nanosecond timestamps etc. :)
 o SMP scalability
 o Fast caching allocator, allowing for more control over packet lifetime and
   various API improvements. Needs support for:
    o Generic allocations
    o Custom caches
    o Allocate with arbitrary alignment
    o Real-time, guaranteed available caches
    o Colouring
    o Avoid internal and external fragmentation over long runtimes

firestorm-1.0.0.tar.gz :)
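The ALERTING and API / CLEANUPS items above both call for a token bucket in which lower-priority alerts cost more tokens, so that a flood of noisy low-priority alerts exhausts its own budget before it can starve high-priority ones. The following is an added example of that scheme, not Firestorm's own code; the struct and function names, the three priority levels and the cost table are assumptions.

```c
/* Priority-weighted token bucket for alert throttling.
 * Added example, not Firestorm code: names, levels and costs are assumed. */
#include <stdint.h>
#include <stdbool.h>

#define TB_PRIO_LEVELS 3   /* 0 = highest priority, 2 = lowest */

struct alert_bucket {
    uint64_t tokens;      /* current fill, in token units */
    uint64_t capacity;    /* burst limit */
    uint64_t rate;        /* tokens refilled per second */
    uint64_t last_ts;     /* timestamp (seconds) of last refill */
    uint64_t dropped[TB_PRIO_LEVELS];  /* throttled alerts per priority */
};

/* Lower priority alerts cost more tokens, so a burst of low-priority noise
 * runs out of budget long before a high-priority alert would be throttled. */
static const uint64_t prio_cost[TB_PRIO_LEVELS] = {1, 4, 16};

void bucket_init(struct alert_bucket *b, uint64_t capacity, uint64_t rate,
                 uint64_t now)
{
    b->tokens = capacity;     /* start full so early alerts are not lost */
    b->capacity = capacity;
    b->rate = rate;
    b->last_ts = now;
    for (int i = 0; i < TB_PRIO_LEVELS; i++)
        b->dropped[i] = 0;
}

static void bucket_refill(struct alert_bucket *b, uint64_t now)
{
    if (now <= b->last_ts)
        return;                       /* ignore a clock that went backwards */
    uint64_t added = (now - b->last_ts) * b->rate;
    if (added >= b->capacity || b->tokens + added > b->capacity)
        b->tokens = b->capacity;      /* clamp: never exceed the burst limit */
    else
        b->tokens += added;
    b->last_ts = now;
}

/* Returns true if the alert may be emitted, false if it is throttled. */
bool bucket_admit(struct alert_bucket *b, unsigned prio, uint64_t now)
{
    if (prio >= TB_PRIO_LEVELS)
        prio = TB_PRIO_LEVELS - 1;    /* unknown priority is treated as lowest */
    bucket_refill(b, now);
    uint64_t cost = prio_cost[prio];
    if (b->tokens < cost) {
        b->dropped[prio]++;           /* count drops so throttling is visible */
        return false;
    }
    b->tokens -= cost;
    return true;
}
```

The drop counters matter operationally: a throttled alert is still a signal, and reporting them per priority lets an operator tell suppressed noise from a genuinely starved high-priority feed.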