Add reverse domain name lookup for dontblock/override lists (i.e. dontblockdomain *.mydom.com)
enable logging on a per snort rule basis. The log type field is already deliverd to SnortSam with the Checkpoint LONG/SHORT options. Perhaps that can also be used for other plugins. The snort-plugin need to allow for per rule logging though...
enable netmask expansion on a per rule basis.
launch network wait/receive routine in a seperate thread
Allow max resyncs before ignoring snort box for x seconds???
rewrite email plugin so it reports the results of each output plugin (major stuff...)
add GROUP feature to group ACCEPT sensors into group names
apply ACCEPTSIDLIST and DENYSIDLIST rules to groups
apply time overrides/limits to groups
AUTHKEY to authenticate forwarders/senders of requests and build allow/deny list based on authenticated entities.