code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: multi-distro VM tests, ja4ebpf eBPF improvements, bot-detector scoring

Browse Source 
ja4ebpf:
- Refactor BPF TC capture with improved SYN offset handling and TCP option parsing
- Enhance TLS uprobe SSL hooking for better key extraction
- Add ClickHouse writer improvements for HTTP log materialized views
- Update RPM spec for Rocky Linux 8/9/10, fix systemd service
- Simplify loader with cleaner bpf2go integration

bot-detector:
- Add H2 SETTINGS per-parameter comparison in browser_matcher
- Enhance browser signatures and scoring pipeline
- Improve preprocessing and cycle detection

infra:
- Multi-distro Vagrantfile (centos8, rocky9, rocky10) with per-distro provisioning
- New Makefile targets: vm-up-all, test-vm-matrix, test-vm-centos8/rocky10
- Add debug helpers and run-test-from-host.sh for host-driven VM testing
- Update run-tests-vm.sh for cross-distro compatibility
- Remove accidental binary blob (\004)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-13 01:09:33 +02:00
parent d81463a589
commit d75825278e
32 changed files with 2148 additions and 890 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
services/ja4ebpf/packaging/rpm/ja4ebpf.spec
View File

@ -82,5 +82,23 @@ chown -R ja4ebpf:ja4ebpf \
%dir %attr(0750, ja4ebpf, ja4ebpf) %{_localstatedir}/log/ja4ebpf
%changelog
* %(date "+%a %b %d %Y") Build System <build@antitbone.local> - %{build_version}-1
- Build automatique via Dockerfile.package
* Sat Apr 12 2025 Antoine Jacquin <antoine@antitbone.dev> - 0.2.0-1
- feat(writer): sérialisation complète des 12 champs HTTP/2 passifs vers ClickHouse
(SETTINGS individuels, WINDOW_UPDATE, pseudo-headers, fingerprints composites Akamai)
- fix(writer): le parser H2 fonctionnait mais le writer ignorait HTTP2Settings
- fix(sql): TTL http_logs corrigé de 30 jours à 2 heures (conforme thèse §3.7)
- feat(browser_matcher): redistribution des poids CDN (0.35 HTTP + 0.35 TLS)
- feat(browser_matcher): exposition des 5 features browser_match_* dans le vecteur ML
- feat(shap): TreeExplainer XGBoost en priorité, ExIFFI + SHAP coexistants
- feat(pipeline): root_to_first_asset_delay et asset_load_stddev intégrés au vecteur ML
- feat(signatures): table browser_h2_signatures + rechargement 24h depuis ClickHouse
- feat(cycle): queue unknown_h2_fingerprints pour signatures H2 inconnues
* Thu Mar 27 2025 Antoine Jacquin <antoine@antitbone.dev> - 0.1.0-1
- Initial RPM package
- eBPF CO-RE agent: TC ingress + uprobe SSL_read
- JA4/JA4T TLS/TCP fingerprinting
- HTTP/2 passive fingerprinting (SETTINGS, WINDOW_UPDATE, pseudo-headers)
- Go Magic Bytes dispatcher with circular reassembly buffer
- 256-shard correlation engine, 500ms orphan timeout
- Multi-distro support: RHEL/CentOS/Rocky/AlmaLinux 8, 9, 10

3
services/ja4ebpf/packaging/systemd/ja4ebpf.service
View File

@ -23,7 +23,8 @@ Type=simple
User=ja4ebpf
Group=ja4ebpf
ExecStart=/usr/sbin/ja4ebpf -config /etc/ja4ebpf/config.yml
ExecStart=/usr/sbin/ja4ebpf
Environment=JA4EBPF_CONFIG=/etc/ja4ebpf/config.yml
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s