feat(ja4ebpf): add multi-interface TC, LPM_TRIE ignore_src, unit tests, and fix bugs

- Add multi-interface TC attachment (default "any" = all UP interfaces)
- Add BPF LPM_TRIE map ignored_src for kernel-side CIDR filtering
- Add userspace ignore_src filtering for SSL/accept4 path via net.IPNet.Contains()
- Add AcceptCache for fd→SessionKey correlation with TTL and Close()
- Add 5 test files covering writer, procutil, dispatcher, accept_cache, and cmd
- Fix formatTCPOptions infinite loop on EOL (case 0 break→return)
- Fix pseudoOrderToShort panic on empty slice (negative cap)
- Fix AcceptCache goroutine leak (add done channel + Close())
- Update config.yml.example with interfaces, listen_ports, ignore_src
- Rewrite docs/services/ja4ebpf.md (was massively stale: XDP, RingBuffer, etc.)
- Fix stale XDP/RingBuffer references in docs/architecture.md, thesis, tls.go

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jacquin Antoine
2026-04-16 01:49:26 +02:00
parent fd84aebc44
commit f0c8fe81c6
20 changed files with 3053 additions and 1261 deletions


@ -1,19 +1,35 @@
# Configuration de l'agent ja4ebpf
# Copiez ce fichier en config.yml et adaptez les valeurs.
# Interface réseau à surveiller (XDP ingress)
interface: eth0
# Interfaces réseau à surveiller (TC ingress).
# "any" = toutes les interfaces UP (sauf loopback).
# Ou liste explicite : ["eth0", "eth1"]
interfaces:
- any
# Chemin vers libssl pour les uprobes SSL_read/SSL_write
# Chemin vers libssl pour les uprobes SSL_read/SSL_write/SSL_set_fd
ssl_lib_path: "/usr/lib64/libssl.so.3"
# Ports TCP à surveiller (filtrage BPF côté kernel)
listen_ports:
- 80
- 443
# CIDR/IP sources à ignorer (filtrage BPF LPM_TRIE + filtrage userspace SSL)
# Le trafic provenant de ces réseaux est ignoré à toutes les couches.
# ignore_src:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - 127.0.0.1
# Mode debug : dump compteurs BPF + événements consommés toutes les 5s
# ClickHouse optionnel en mode debug
debug: false
# Paramètres de connexion ClickHouse
clickhouse:
dsn: "clickhouse://default:@127.0.0.1:9000/ja4_logs"
dsn: "clickhouse://default:@127.0.0.1:9000/ja4_logs?async_insert=0"
batch_size: 500
flush_secs: 1
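Review bot: the commented `ignore_src` example mixes CIDR prefixes with a bare address (`# - 127.0.0.1`), but the commit message says userspace filtering uses `net.IPNet.Contains()`, and `net.ParseCIDR` rejects a bare IP; either state in the comment that plain addresses are accepted and normalised to /32 (and /128 for IPv6) before being loaded into the LPM_TRIE, or change the sample to `127.0.0.1/32` so the shipped example parses as written. Same hunk: the `interfaces` comment offers `any` or an explicit list, but a list such as `["any", "eth0"]` is not covered; one line saying `any` cannot be combined with explicit names (or that it takes precedence) would remove the ambiguity.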
@ -25,4 +41,4 @@ correlation:
# Journalisation
log:
level: "info" # debug | info | warn | error
format: "json" # json | text
format: "json" # json | text
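Review bot: the removed and added lines of this hunk are identical in the rendered view (`format: "json" # json | text`), so the change is whitespace only, most likely the file's trailing newline or comment alignment; if the intent is to add the final newline that is fine, otherwise drop the hunk so the diff is limited to the configuration changes.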