hacking

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

HACKING
=======
 Welcome to the HACKING file. This file is a scratch area for my notes. It
 contains various goals I have for firestorm. If you want to contribute to
 firestorm but aren't sure how, this is the place to start.


API CLEANUPS
============
 Matchers should be registered on to protocols.
 Most APIs could be more efficient and more object oriented.


BUILD SYSTEM
============
 Find someone who can build and test debian packages.
 test suite: write one


DOCUMENTATION
=============
 User documentation always needs work.
 Hacker manual / API docs


OUTSTANDING BUGS
================
 TCP stream reassembly (MAJOR PRIORITY!)


CORE / SUPPORT
==============
 Put usage strings in to capdevs and preprocs
 Use syslog instead of custom logfile?


PACKET AQUISITION
=================
 NETLINK/ULOG capture modules
 More OS specific capture modules
 Detect MTUs in order to select buffer sizes...
 Allow setting of promiscuous mode
 Split capdev->init in to two parts to minimise what is done as root
 Use ringbuffers for captures


DECODE ENGINE
=============
 Alert on unicast IGMP membership reports
 Token ring/FDDI
 IPv6
 ATM
 PPP(oE|oA) ?
 Track related streams in tcpstream


ATTACK DETECTION
================
 Statistical anomaly detection
 Portscan detection
 Passive OS fingerprint
 Passive portscanning
 Passive netBIOS,CDP,etc. information gathering
 IrDA device logging
 Bandwidth monitoring
 Signature parsing could be more efficient



ALERTING
========
 Support multiple alert spools
 Black-box mode / Tagging
 Give higher cost to lower priority alerts


CONSOLE
=======
 See: doc/console-mkI