HACKING
=======
 Below is a TODO list for hackers. The simplest, easiest stuff is at the top;
 the harder, longer-term stuff is nearer the bottom.

 Documentation hackers are ALWAYS needed. The stuff in ./doc is in severe need;
 it REALLY REALLY needs work. See firestorm.sgml.

 Man pages would be really cool, one for firestorm(8) and one for firestorm.conf(5).

 Serious issues with packet lengths: we need to put in checks everywhere to make
 sure that when, for example, the IP header says the packet is 1kb long, the
 whole packet is actually there. Firestorm can truncate packets on capture, and
 most capture devices like to truncate packets. The checks ensure we never read
 bogus data (blank padding at the end of the packet, because we never got the
 whole packet) and never read into unallocated (random) memory beyond our packet.
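
 One way to do the length check described above for IPv4, as an added example
 that is not Firestorm's own code. The names ip4_check, enum ip_check and caplen
 (the number of bytes the capture device delivered) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes, not Firestorm's own. */
enum ip_check { IP_OK, IP_SHORT_HDR, IP_BAD_HDR, IP_BAD_LEN, IP_TRUNCATED };

/*
 * Check an IPv4 header against caplen, the number of bytes the capture
 * device actually delivered. For IP_OK and IP_TRUNCATED, *payload_len is
 * set to the number of payload bytes that are safe to read.
 */
enum ip_check ip4_check(const uint8_t *pkt, size_t caplen, size_t *payload_len)
{
    size_t hlen, tot_len;

    *payload_len = 0;
    if (caplen < 20)                 /* fixed header not fully captured */
        return IP_SHORT_HDR;
    if ((pkt[0] >> 4) != 4)          /* not IPv4 */
        return IP_BAD_HDR;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20)                   /* IHL below the legal minimum */
        return IP_BAD_HDR;
    if (hlen > caplen)               /* options cut off by the capture */
        return IP_SHORT_HDR;
    tot_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot_len < hlen)              /* claimed length smaller than header */
        return IP_BAD_LEN;
    if (tot_len > caplen) {          /* header claims more than we hold */
        *payload_len = caplen - hlen;
        return IP_TRUNCATED;
    }
    *payload_len = tot_len - hlen;   /* excludes padding after the datagram */
    return IP_OK;
}

/* Constructed sample: header claims 1024 bytes, only 64 were captured. */
enum ip_check demo_truncated(size_t *payload_len)
{
    uint8_t buf[64] = { 0x45, 0x00, 0x04, 0x00 };
    return ip4_check(buf, sizeof(buf), payload_len);
}

int main(void)
{
    size_t n;
    return demo_truncated(&n) == IP_TRUNCATED && n == 44 ? 0 : 1;
}
```

 Every later decoder (TCP, UDP, string match) would then bound its reads by
 payload_len rather than by the length field in the header.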

 We quite seriously need a better matching method than snort rules; our decode
 engine has totally outgrown it. Maybe something XML based would be really cool.
 Either way, it has to understand the decode engine better...


OUTSTANDING BUGS
================
 Some kind of heap corruption in the snort parser when long msg: strings are unterminated! (??)


SNORT COMPATIBILITY
===================
 (1.7) No support for things like dsize: > 512. This could be fixed in the range template.

 (1.7) No support for flags: 0. What is snort's behaviour here? I assume it's a straight match.


PERFORMANCE
===========
 Implement Boyer-Moore in string match, and a heuristic to decide when to use it.

 Shift the computation (i.e. packet matching) to its own subsystem that runs
 separately from the capture; packet capture should not have to wait for control
 to return to it. If the computation subsystem is busy it should keep the packet
 in memory. I'm not sure how well this will work though.


SHORT TERM
==========
 String matcher needs to be able to return errors on binary data reconstruction

 Report plugin needs to be more reliable, support encryption and cryptographic
  hashing. Needs a maintenance thread. Needs packet TX rings rather than a single
  buffer. Etc....

 Get rid of stormwall; just make an FSTP capture device plugin for firestorm

 Config file parser needs to support quotes etc... see snort_parse_body()

 Give plugins access to cleanup functions, then port plugins to use them

 Do a TOS_MASK match which allows nicer matching on TOS.
  (tos_mask: NODELAY|THROUGHPUT;) etc..


SIMPLE MATCHERS
===============
 IP_OPTION


COMPLEX MATCHERS
================
 SESSION
 RPC
 OS detection using Ofir Arkin's xprobe stuff


LONG TERM TODO
==============
 Allow string to do nocase
 Regexp string match
 Write native XML ruleset plugin (pygtk gui to config it)
 Enhance plugin system
 Identical matches validated just once, use same priv data
 Optimise packet matcher (rule chains perhaps)
 Flags for matches to say whether cachable or sharable
 IP defragmentation
 TCP stream reassembly
 Application layer decode plugins
 Generic support for compressed protocols/data
 Connection tracking to allow related data streams to be analyzed
 Target that pushes intrusion data to central server
 Test suite/regression testing


FUTURE THOUGHTS
===============
 Maybe do generic plugin import/export: subsystems register
 exporters, plugins request in->import("capdev_add") for
 example. Plugins are loaded last, so this should be feasible.

 Allow plugins to be unloaded and their resources cleaned
 up properly. A usage count would be helpful. All modules
 are unloaded when usage hits zero. When they are removed,
 unlink them from the list, and link them on to an unloader
 list. The actual unloading is deferred to the maintenance
 thread.

 Modules should be allowed to load and unload objects on
 their own.

 *ALL* lists that plugins can affect MUST be locked during
 traversal AND during linking/unlinking new items. This
 prevents plugin load/unload races.

 Really need something similar to Linux's read/write
 spinlocks to reduce lock contention while traversing
 our many linked lists.
