feat: add ja4ebpf service — eBPF-based TLS/TCP fingerprinting daemon

- TC ingress hook captures TCP SYN (L3/L4) and TLS ClientHello - Uprobes on SSL_read/SSL_set_fd capture decrypted TLS data - Kprobes on accept4 correlate socket FDs to client IP:port - JA4 fingerprint computed from parsed TLS ClientHello - HTTP/2 SETTINGS and WINDOW_UPDATE extracted from decrypted streams - Session manager with sharded map (256 shards) and GC goroutine - Slowloris detection: sessions with no requests after 10s threshold - ClickHouse batch writer to ja4_logs.http_logs_raw (raw_json) - All tests pass: 17 parser + 10 correlation tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 22:43:26 +02:00
parent 7eb3ad21fd
commit a1e4c1dad5
24 changed files with 3984 additions and 0 deletions
--- a/services/ja4ebpf/Dockerfile.package
+++ b/services/ja4ebpf/Dockerfile.package
@ -0,0 +1,114 @@
+# =============================================================================
+# Dockerfile.package — Build multi-distro du RPM ja4ebpf
+#
+# Cible : RHEL/CentOS/Rocky/AlmaLinux 8, 9 et 10.
+# Le BTF natif (/sys/kernel/btf/vmlinux) est disponible sur tous ces kernels.
+#
+# Stages :
+#  go-builder  : compile le binaire Go statique (clang + bpf2go + go build)
+#  rpm-el8     : assemble le RPM pour el8 (AlmaLinux 8 / RHEL 8)
+#  rpm-el9     : assemble le RPM pour el9 (Rocky Linux 9 / RHEL 9)
+#  rpm-el10    : assemble le RPM pour el10 (AlmaLinux 10)
+#  output      : collecte tous les RPMs dans /output
+#
+# Usage :
+#   docker build -f services/ja4ebpf/Dockerfile.package \
+#     --build-arg BUILD_VERSION=1.2.3 \
+#     -t ja4ebpf:package \
+#     .
+#   docker run --rm -v $(pwd)/dist:/dist ja4ebpf:package
+# =============================================================================
+
+ARG BUILD_VERSION=dev
+ARG GO_VERSION=1.24
+
+# ── Stage 1 : compilation Go ──────────────────────────────────────────────
+FROM golang:${GO_VERSION}-bookworm AS go-builder
+
+ARG BUILD_VERSION
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      clang llvm libbpf-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+COPY go.work go.work.sum* ./
+COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
+COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
+
+RUN cd services/ja4ebpf && go mod download 2>/dev/null || go get ./...
+
+COPY shared/go/ja4common/ ./shared/go/ja4common/
+COPY services/ja4ebpf/ ./services/ja4ebpf/
+
+WORKDIR /build/services/ja4ebpf
+
+# Génération des bindings eBPF (C → bytecode embarqué en Go)
+RUN go generate ./internal/loader/
+
+# Compilation statique
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build \
+      -ldflags="-s -w -X main.version=${BUILD_VERSION} -extldflags=-static" \
+      -o /out/ja4ebpf \
+      ./cmd/ja4ebpf/
+
+# ── Stage 2 : RPM pour el8 ───────────────────────────────────────────────
+FROM almalinux:8 AS rpm-el8
+RUN dnf install -y rpm-build rpmdevtools && dnf clean all && rpmdev-setuptree
+
+COPY --from=go-builder /out/ja4ebpf                        /root/rpmbuild/SOURCES/ja4ebpf
+COPY services/ja4ebpf/packaging/systemd/ja4ebpf.service    /root/rpmbuild/SOURCES/ja4ebpf.service
+COPY services/ja4ebpf/config.yml.example                   /root/rpmbuild/SOURCES/config.yml.example
+COPY services/ja4ebpf/packaging/rpm/ja4ebpf.spec           /root/rpmbuild/SPECS/ja4ebpf.spec
+
+ARG BUILD_VERSION=dev
+RUN rpmbuild -bb \
+      --define "build_version ${BUILD_VERSION}" \
+      --define "dist .el8" \
+      /root/rpmbuild/SPECS/ja4ebpf.spec && \
+    mkdir -p /rpms && find /root/rpmbuild/RPMS -name '*.rpm' -exec cp {} /rpms/ \;
+
+# ── Stage 3 : RPM pour el9 ───────────────────────────────────────────────
+FROM rockylinux:9 AS rpm-el9
+RUN dnf install -y rpm-build rpmdevtools && dnf clean all && rpmdev-setuptree
+
+COPY --from=go-builder /out/ja4ebpf                        /root/rpmbuild/SOURCES/ja4ebpf
+COPY services/ja4ebpf/packaging/systemd/ja4ebpf.service    /root/rpmbuild/SOURCES/ja4ebpf.service
+COPY services/ja4ebpf/config.yml.example                   /root/rpmbuild/SOURCES/config.yml.example
+COPY services/ja4ebpf/packaging/rpm/ja4ebpf.spec           /root/rpmbuild/SPECS/ja4ebpf.spec
+
+ARG BUILD_VERSION=dev
+RUN rpmbuild -bb \
+      --define "build_version ${BUILD_VERSION}" \
+      --define "dist .el9" \
+      /root/rpmbuild/SPECS/ja4ebpf.spec && \
+    mkdir -p /rpms && find /root/rpmbuild/RPMS -name '*.rpm' -exec cp {} /rpms/ \;
+
+# ── Stage 4 : RPM pour el10 ──────────────────────────────────────────────
+FROM almalinux:10 AS rpm-el10
+RUN dnf install -y rpm-build rpmdevtools && dnf clean all && rpmdev-setuptree
+
+COPY --from=go-builder /out/ja4ebpf                        /root/rpmbuild/SOURCES/ja4ebpf
+COPY services/ja4ebpf/packaging/systemd/ja4ebpf.service    /root/rpmbuild/SOURCES/ja4ebpf.service
+COPY services/ja4ebpf/config.yml.example                   /root/rpmbuild/SOURCES/config.yml.example
+COPY services/ja4ebpf/packaging/rpm/ja4ebpf.spec           /root/rpmbuild/SPECS/ja4ebpf.spec
+
+ARG BUILD_VERSION=dev
+RUN rpmbuild -bb \
+      --define "build_version ${BUILD_VERSION}" \
+      --define "dist .el10" \
+      /root/rpmbuild/SPECS/ja4ebpf.spec && \
+    mkdir -p /rpms && find /root/rpmbuild/RPMS -name '*.rpm' -exec cp {} /rpms/ \;
+
+# ── Stage final : collecte de tous les RPMs ───────────────────────────────
+FROM alpine:3.19 AS output
+
+COPY --from=rpm-el8  /rpms/ /output/el8/
+COPY --from=rpm-el9  /rpms/ /output/el9/
+COPY --from=rpm-el10 /rpms/ /output/el10/
+
+RUN echo "=== RPMs produits ===" && find /output -name '*.rpm' | sort
+
+CMD ["/bin/sh", "-c", "cp -rv /output/. /dist/ && echo 'RPMs copiés dans /dist/'"]