feat: add ja4ebpf service — eBPF-based TLS/TCP fingerprinting daemon

- TC ingress hook captures TCP SYN (L3/L4) and TLS ClientHello
- Uprobes on SSL_read/SSL_set_fd capture decrypted TLS data
- Kprobes on accept4 correlate socket FDs to client IP:port
- JA4 fingerprint computed from parsed TLS ClientHello
- HTTP/2 SETTINGS and WINDOW_UPDATE extracted from decrypted streams
- Session manager with sharded map (256 shards) and GC goroutine
- Slowloris detection: sessions with no requests after 10s threshold
- ClickHouse batch writer to ja4_logs.http_logs_raw (raw_json)
- All tests pass: 17 parser + 10 correlation tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/ja4ebpf/config.yml.example

@@ -0,0 +1,35 @@
+# Configuration de l'agent ja4ebpf
+# Copiez ce fichier en config.yml et adaptez les valeurs.
+
+# Interface réseau à surveiller (hook TC ingress)
+interface: eth0
+
+# Processus à instrumenter via uprobes SSL
+ssl_probes:
+  - executable: /usr/sbin/httpd
+    symbol: SSL_read
+  - executable: /usr/lib64/libssl.so.3
+    symbol: SSL_read
+
+# Paramètres de connexion ClickHouse
+clickhouse:
+  addr: "127.0.0.1:9000"
+  database: "ja4_logs"
+  table: "http_logs_raw"
+  username: "default"
+  password: ""
+  tls: false
+  batch_size: 500
+  flush_every: "2s"
+
+# Délais de corrélation et de détection
+timeouts:
+  # Durée sans activité avant expiration d'une session TCP
+  session_expiry: "500ms"
+  # Délai maximum pour une requête L7 sans réponse (détection Slowloris)
+  slowloris: "10s"
+
+# Journalisation
+log:
+  level: "info"   # debug | info | warn | error
+  format: "json"  # json | text