feat: multi-distro VM tests, ja4ebpf eBPF improvements, bot-detector scoring

ja4ebpf: - Refactor BPF TC capture with improved SYN offset handling and TCP option parsing - Enhance TLS uprobe SSL hooking for better key extraction - Add ClickHouse writer improvements for HTTP log materialized views - Update RPM spec for Rocky Linux 8/9/10, fix systemd service - Simplify loader with cleaner bpf2go integration bot-detector: - Add H2 SETTINGS per-parameter comparison in browser_matcher - Enhance browser signatures and scoring pipeline - Improve preprocessing and cycle detection infra: - Multi-distro Vagrantfile (centos8, rocky9, rocky10) with per-distro provisioning - New Makefile targets: vm-up-all, test-vm-matrix, test-vm-centos8/rocky10 - Add debug helpers and run-test-from-host.sh for host-driven VM testing - Update run-tests-vm.sh for cross-distro compatibility - Remove accidental binary blob (\004) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 01:09:33 +02:00
parent d81463a589
commit d75825278e
32 changed files with 2148 additions and 890 deletions
--- a/tests/vm/debug-mode-host.sh
+++ b/tests/vm/debug-mode-host.sh
@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# debug-mode-host.sh — Test debug ja4ebpf avec trafic host→VM
+# Usage: ./debug-mode-host.sh rocky9
+set -euo pipefail
+
+VM="${1:-rocky9}"
+cd "$(dirname "$0")"
+
+echo "=== [1] Setup VM: nginx + ja4ebpf debug ==="
+vagrant ssh "$VM" -- "sudo bash -c '
+    PATH=/usr/local/bin:\$PATH
+    # Install debug binary
+    cp /tmp/ja4ebpf-debug /usr/local/bin/ja4ebpf
+    chmod +x /usr/local/bin/ja4ebpf
+
+    # Start nginx
+    nginx -s stop 2>/dev/null || true; sleep 1
+    mkdir -p /run/nginx /var/www/html
+    echo {\"ok\":true} > /var/www/html/health
+    cat > /etc/nginx/nginx.conf << \"NEOF\"
+worker_processes 1;
+events { worker_connections 64; }
+http {
+    server {
+        listen 80;
+        listen 443 ssl;
+        ssl_certificate /etc/pki/tls/certs/nginx.crt;
+        ssl_certificate_key /etc/pki/tls/private/nginx.key;
+        root /var/www/html;
+    }
+}
+NEOF
+    openssl req -x509 -nodes -days 365 -subj /CN=test -newkey rsa:2048 \
+      -keyout /etc/pki/tls/private/nginx.key -out /etc/pki/tls/certs/nginx.crt 2>/dev/null
+    nginx
+
+    # Start ja4ebpf debug
+    pkill ja4ebpf 2>/dev/null || true; sleep 1
+    cat > /tmp/ja4-debug.yml << \"YEOF\"
+interface: eth0
+ssl_lib_path: \"/usr/lib64/libssl.so.3\"
+debug: true
+clickhouse:
+  dsn: \"clickhouse://default:@127.0.0.1:9000/ja4_logs\"
+  batch_size: 50
+  flush_secs: 1
+correlation:
+  timeout_ms: 500
+  slowloris_ms: 10000
+log:
+  level: \"debug\"
+  format: \"text\"
+YEOF
+    JA4EBPF_CONFIG=/tmp/ja4-debug.yml ja4ebpf > /tmp/ja4-debug.log 2>&1 &
+    sleep 3
+    PID=\$(pgrep ja4ebpf || echo NONE)
+    echo \"  ja4ebpf PID=\$PID\"
+    if [ \"\$PID\" = \"NONE\" ]; then cat /tmp/ja4-debug.log; exit 1; fi
+
+    # Open firewall
+    firewall-cmd --add-service=http --add-service=https 2>/dev/null || true
+
+    # Show eth0 IP
+    ip -4 addr show eth0 | awk \"/inet /{sub(/\\/.*/,\"\",\\\$2); print \\\"  eth0 IP: \\\"\\\$2; exit}\"
+'" 2>&1
+
+echo ""
+echo "=== [2] Get VM IP ==="
+VM_IP=$(vagrant ssh "$VM" -- "ip -4 addr show eth0" 2>/dev/null | awk '/inet /{sub(/\/.*/,"",$2); print $2; exit}')
+echo "  VM IP: $VM_IP"
+
+if [ -z "$VM_IP" ]; then
+    echo "  ERROR: no eth0 IP found"
+    exit 1
+fi
+
+echo ""
+echo "=== [3] Generate traffic from HOST to VM ==="
+for i in $(seq 1 3); do
+    curl -sf "http://$VM_IP/health" -o /dev/null -w "  HTTP $i: %{http_code}\n" 2>&1 || echo "  HTTP $i: FAIL"
+    curl -skf "https://$VM_IP/health" -o /dev/null -w "  HTTPS $i: %{http_code}\n" 2>&1 || echo "  HTTPS $i: FAIL"
+done
+
+echo ""
+echo "=== [4] Wait for debug dump (8s) ==="
+sleep 8
+
+echo ""
+echo "=== [5] Collect results ==="
+vagrant ssh "$VM" -- "sudo bash -c '
+    echo \"  ja4ebpf: \$(pgrep ja4ebpf > /dev/null && echo alive || echo DEAD)\"
+    echo \"\"
+    echo \"  === BPF stats ===\"
+    STATS_MAP_ID=\$(bpftool map show name xdp_stats 2>/dev/null | grep -oP \"id \K\d+\" || echo NONE)
+    if [ \"\$STATS_MAP_ID\" != \"NONE\" ]; then
+        bpftool map dump id \$STATS_MAP_ID 2>/dev/null | sed \"s/^/  /\"
+    else
+        echo \"  xdp_stats map not found!\"
+    fi
+    echo \"\"
+    echo \"  === Log tail ===\"
+    tail -30 /tmp/ja4-debug.log | sed \"s/^/  /\"
+
+    # Cleanup
+    pkill ja4ebpf 2>/dev/null || true
+    nginx -s stop 2>/dev/null || true
+'" 2>&1