feat: add ja4ebpf service — eBPF-based TLS/TCP fingerprinting daemon

- TC ingress hook captures TCP SYN (L3/L4) and TLS ClientHello - Uprobes on SSL_read/SSL_set_fd capture decrypted TLS data - Kprobes on accept4 correlate socket FDs to client IP:port - JA4 fingerprint computed from parsed TLS ClientHello - HTTP/2 SETTINGS and WINDOW_UPDATE extracted from decrypted streams - Session manager with sharded map (256 shards) and GC goroutine - Slowloris detection: sessions with no requests after 10s threshold - ClickHouse batch writer to ja4_logs.http_logs_raw (raw_json) - All tests pass: 17 parser + 10 correlation tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 22:43:26 +02:00
parent 7eb3ad21fd
commit a1e4c1dad5
24 changed files with 3984 additions and 0 deletions
--- a/services/ja4ebpf/Dockerfile.tests
+++ b/services/ja4ebpf/Dockerfile.tests
@ -0,0 +1,24 @@
+# =============================================================================
+# Dockerfile.tests — Tests unitaires Go pour ja4ebpf
+# (parser TLS, HTTP/2, corrélation — sans dépendance eBPF)
+# =============================================================================
+
+FROM rockylinux:9 AS test-builder
+
+RUN dnf install -y epel-release && \
+    dnf install -y golang make && \
+    dnf clean all
+
+WORKDIR /build
+
+# Copier le workspace Go
+COPY go.work go.work.sum ./
+COPY shared/go/ja4common/ ./shared/go/ja4common/
+COPY services/ja4ebpf/ ./services/ja4ebpf/
+
+WORKDIR /build/services/ja4ebpf
+
+# Exécuter les tests unitaires (sans tag eBPF = skip loader)
+# GOWORK=off désactive le workspace pour éviter les dépendances sur sentinel/correlator
+RUN GOWORK=off go test -v -count=1 ./internal/parser/... ./internal/correlation/... ./internal/writer/...
+