Support Snort's Unified2 output - I don't see much point in supporting Unified (v1) output. Doing this will make Sagan compatible with Barnyard2 and the likes.

Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Added April 23rd, 2010]

Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.

Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Added April 20th, 2010] (Has 'limit', but no 'threshold')

$EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.

Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).

Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.

--config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing theads per-event?

Thread search - thread the pcre/content stuff to better use multiple CPUs

Stats - Periodic stats dumped to the /var/log/sagan/sagan.log. Top IP's, SIDs, etc.

PIX/ASA parser - to extract PIX/ASA IP/Port information

Sguid agent ... Could be cool?

-- ChampClark - 2010-06-23