==========
#TODO Passive Real-time Asset Detection System
==========

2. inform firewall / snort / nessus / satan etc

3. Stateful conntrack => trust rel

4. Fingerprinting techniques
   - SYN/SYNACK
   - FIN, RST, STRAY-ACK
   - DHCP
   - DNS
   - ICMP
   - SNMP
   - retransmission timings
   - statistical /chaotical methods of analysis (think vseq)
   - masq/natdetection

5. p0f - Passive OS fingerprinting...
   - Together with discovering hosts (and trying to get OS from banner strings etc.), PRADS should
     emulate p0f logic to detect OS based on tcp/icmp/udp... fingerprinting...

6. Goes without saying, but adding it as a point : client OS and Client programs fingerprinting:
   Like: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5"
         "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
         "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; nb-no) AppleWebKit/525.28.3 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3"

7. Different output plugins...
   - PoC should send to stdout or/and logfile (text). # done, stdout/file
   - Sguil (Add a switch to make the output better for sguil?) # done, see fifo
   - output plugins compatible with:
    -> p0f # messy
    -> pads
    -> sancp # cxtracker
    -> prads.pl (sort of anyway)
    -> nagios
    -> snort (host-attribute-table.xml)
    -> dot / graphviz

8. GUI - by web or "desktop"
   - See your network, different OS and services.
   - See firewalls
   - summaries: severity/vuln/port/proto/ip/
   /net class abc/mail/os/service/ssh/web server/web client/
   /trends/.

9. Webapplication detection!
   - have a sett off known signatures for known webapps,
     say wordpress, drupal, phpmyadmin, and so on, so that
     we can know what Snort/ET/Suricata rules to enable :)
     automatic! 

 Kacper's TODO items & krazy ideas:
====================================

 > design doc! => good design == god API for free
 == easier to make good gui with good api
      /  main program (prads)  \
 packet analyzer -> fingerprint analyzer
   (pradsd)     \-> realtime asset memory
                |==> graphical C&C

 .in-memory asset store API
 .data exchange api? in-memory updates should be available
 for realtime display, db insertion or offline dumping
 .signature matching {SYN,UDP,ICMP,++} based on generated fp

match = signature[hash(fp)]. 
    > Take away multiple matches.
    > Normalize OS, provides "best guess"

 .service fingerprints == good regex module
  finding byte-sigs before regex.
 - NAT detection
 - PRADS console (woot. leet!)
 - trust relationships :-)
 - DDoS detection
 - Flood protection: malloc-free shmem ringbugger
 - phase plane analysis of initial SEQ = fingerprint signatures
 - active prads-informed firewall
 - UPnP. BGP IGMP, multicast, tcp6 etc etc
 - how to do vuln checks? / match to db
- switch/router topology by sniffing OSPF/BGP/RSTP
-.geoip maps ( passive lookup )
-.sniff DNS lookups
 
Optimizations: 
 - .optimize SERVICE matching - reduce universe of regexes to match by
 * optimize PCRE matcher ( try n implementations like snort)
 - use SIMD instructions for parsing & matching (vectorize data)
 ... and OpenCL / CUDA too!
 - profile using rdtsc
 - examine cache locality, TLB misses (cachegrind, perfctr), pipelines,
 instruction pairing

--- random ideas for implementation ---
 - MVCC lockless assets in shared memory ring-buffer (shmat())
    - keep last x updates + random discards / vacuum

 * asset struct / shared fields. keep in same hashfunc : hash lib!
 * sigs -> lookups
 * API for plugins = 
 - Lua plugins
 log / visualize / stats / db insert
 * get prads.c to prads.pl state. superdaemon + subfunction daemons
 -> duplicate the commandline of perl
 * async IO and other scaling factors
 * mobile (wifi,ether,ip,tcp)-frame scanning app for android/iPhone (+ autohack?)
 * autogen nagios host table
 * autogen snort host attributes
 * graphviz dot visualizations
 * realitme / SDL visio map

Edward's TODO items:
=====================
 - fix SERVICE, both TCP and UDP... together with Kacper?
   Need to make it faster, and maybe drop newlines etc.?
   Kacper mentioned precompiling regexp
 - IP statistics... Some way of collecting stats about sessions..
   $session_tracking->{$src_ip}->{$src_port}->{$dst_ip}->{$dst_port}->{ip_type}->{$src_byte}->{$dst_byte}->{$src_packets}->{$dst_packets}->{$start_timestamp}->{$end_timestamp}            ?
   #UDP example: 
   $session_tracking->{10.10.10.12}->{1234}->{10.10.10.14}->{53}->{17}->{102}->{433}->{5}->{21}->{1243504322}->{1243508001}
   #TCP example:
   $session_tracking->{10.10.10.12}->{1234}->{10.10.10.14}->{53}->{6}->{1002021}->{92311}->{39811}->{1021}->{1243504322}->{1243508001}
   #ICMP example:
   $session_tracking->{10.10.10.12}->{0}->{10.10.10.14}->{0}->{1}->{102}->{433}->{5}->{21}->{1243504322}->{1243508001}
   # for icmp $src_port could be $type and $dst_port could be $code ? Im smart... uhh


Minor issues to trac:
 - take a code walk and get rid of copying-around strings and lameness
 like "UNKNOWN"
 - make sanity checker macro's on all API funcs that handle packet fields
  (* packetinfo makes for caller opacity)

Passive DNS : Only on the answer from the DNS SERVER
TIMESTAMP,DNS-SERVER-IP,QUERY-TYPE,QUERY-CLASS,QUERY-DATA,RESURSE-TYPE,RESURSE-CLASS,RESURSE-DATA,MISC
 TIMESTAMP: unixtimestamp
 DNS-SERVER-IP: The ip of the dns server responding
 MISC: Other data in the answer
 foreach additional record $UDP-DNS-PAYLOAD {
  TIMESTAMP,DNS-SERVER-IP,QUERY-TYPE,QUERY-CLASS,QUERY-DATA,RESURSE-TYPE,RESURSE-CLASS,RESURSE-DATA,MISC
 }



DONE
- MAC asset detection # DONE
1. Squil! # DONE
1. Discover host on ICMP too # DONE
2. Discover Network Assets based on ARP. # DONE
3. Internal table of [hosts(IP),services(port-#),ID string(banner of service or string that match),timestamp] # DONE
- Start with SYN fingerprinting... # DONE
- I believe that we should have SYN+ACK also :/ # DONE
- fix up icmp OS fingerprinting # DONE
- fic up UDP  OS fingerprinting # DONE
- Next would be mysql # DONE
   .DBI optimizations> 
   ..async DBI commits
   ..in-mem db + persistance if $PERSIST
 - update UNKNOWN entries when they match.
 - option 76 crash
 - CREATE TABLE failed blah error message.


