feat: add ja4ebpf service — eBPF-based TLS/TCP fingerprinting daemon

- TC ingress hook captures TCP SYN (L3/L4) and TLS ClientHello - Uprobes on SSL_read/SSL_set_fd capture decrypted TLS data - Kprobes on accept4 correlate socket FDs to client IP:port - JA4 fingerprint computed from parsed TLS ClientHello - HTTP/2 SETTINGS and WINDOW_UPDATE extracted from decrypted streams - Session manager with sharded map (256 shards) and GC goroutine - Slowloris detection: sessions with no requests after 10s threshold - ClickHouse batch writer to ja4_logs.http_logs_raw (raw_json) - All tests pass: 17 parser + 10 correlation tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 22:43:26 +02:00
parent 7eb3ad21fd
commit a1e4c1dad5
24 changed files with 3984 additions and 0 deletions
--- a/services/ja4ebpf/packaging/rpm/ja4ebpf.spec
+++ b/services/ja4ebpf/packaging/rpm/ja4ebpf.spec
@ -0,0 +1,86 @@
+Name:           ja4ebpf
+Version:        %{build_version}
+Release:        1%{?dist}
+Summary:        JA4 eBPF Network Fingerprint Agent
+
+License:        Proprietary
+URL:            https://github.com/antitbone/ja4-platform
+Source0:        ja4ebpf
+Source1:        ja4ebpf.service
+Source2:        config.yml.example
+
+# ── Compatibilité : RHEL/CentOS/Rocky/AlmaLinux 8 → 10 ───────────────────
+# Binaire statique (CGO_ENABLED=0) : aucune dépendance de bibliothèque partagée.
+# BTF natif disponible sur tous les kernels RHEL 8+ (backport dans 4.18).
+BuildArch:      x86_64
+
+Requires:       systemd
+
+%description
+ja4ebpf est un agent de collecte passif basé sur eBPF qui capture les
+métadonnées réseau (L3/L4/L5/L7) pour le pipeline de détection de bots JA4.
+
+Il utilise :
+  - Des hooks TC ingress pour les TCP SYN, TLS ClientHello, HTTP clair (80/8080)
+  - Des uprobes sur SSL_read/SSL_write pour le trafic HTTPS déchiffré
+
+Le binaire est compilé statique et supporte RHEL/CentOS/Rocky/AlmaLinux 8 à 10.
+
+%prep
+# Binaire pré-compilé fourni dans Source0 (compilé par Dockerfile.package).
+
+%build
+# Compilation déléguée au Dockerfile.package multi-stage.
+
+%install
+rm -rf %{buildroot}
+
+install -D -m 0755 %{SOURCE0} %{buildroot}%{_sbindir}/ja4ebpf
+install -D -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/ja4ebpf/config.yml.example
+install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ja4ebpf.service
+install -d -m 0750 %{buildroot}%{_localstatedir}/lib/ja4ebpf
+install -d -m 0750 %{buildroot}%{_localstatedir}/log/ja4ebpf
+
+%pre
+getent group  ja4ebpf >/dev/null 2>&1 || \
+    groupadd -r -g 490 ja4ebpf
+getent passwd ja4ebpf >/dev/null 2>&1 || \
+    useradd -r -u 490 -g ja4ebpf \
+        -d %{_localstatedir}/lib/ja4ebpf \
+        -s /sbin/nologin \
+        -c "JA4 eBPF agent" \
+        ja4ebpf
+exit 0
+
+%post
+%systemd_post ja4ebpf.service
+
+if [ ! -f %{_sysconfdir}/ja4ebpf/config.yml ]; then
+    cp -p %{_sysconfdir}/ja4ebpf/config.yml.example \
+           %{_sysconfdir}/ja4ebpf/config.yml
+    chown root:ja4ebpf %{_sysconfdir}/ja4ebpf/config.yml
+    chmod 640           %{_sysconfdir}/ja4ebpf/config.yml
+fi
+
+chown -R ja4ebpf:ja4ebpf \
+    %{_localstatedir}/lib/ja4ebpf \
+    %{_localstatedir}/log/ja4ebpf
+
+%preun
+%systemd_preun ja4ebpf.service
+
+%postun
+%systemd_postun_with_restart ja4ebpf.service
+
+%files
+%defattr(-,root,root,-)
+%attr(0755, root, root) %{_sbindir}/ja4ebpf
+%dir %attr(0750, root, ja4ebpf) %{_sysconfdir}/ja4ebpf
+%config(noreplace) %attr(0640, root, ja4ebpf) %{_sysconfdir}/ja4ebpf/config.yml.example
+%{_unitdir}/ja4ebpf.service
+%dir %attr(0750, ja4ebpf, ja4ebpf) %{_localstatedir}/lib/ja4ebpf
+%dir %attr(0750, ja4ebpf, ja4ebpf) %{_localstatedir}/log/ja4ebpf
+
+%changelog
+* %(date "+%a %b %d %Y") Build System <build@antitbone.local> - %{build_version}-1
+- Build automatique via Dockerfile.package