ja4-platform

Author	SHA1	Message	Date
Jacquin Antoine	4a41e31822	feat(ebpf): Apache HTTP capture + nginx multi-kernel validation Apache HTTP capture via apr_socket_recv : - Uprobe sur libapr-1.so.0 (Apache Portable Runtime) - Compatible tous kernels 4.18+ (CentOS 8, Rocky 9/10) - Configuration unifiée : servers: ["nginx", "apache"] nginx HTTP capture validation multi-kernel : - Kretprobe __x64_sys_recvfrom validé sur CentOS 8 (4.18) - Rocky 9 (5.14) et Rocky 10 (6.12) confirmés - Contourne limitation tracepoint sys_exit_recvfrom Documentation : - docs/TEST_BUILD_STACK.md : stack complète test/build (VMs, Docker, RPMs) - services/ja4ebpf/docs/APACHE_HTTP_VALIDATION.md : validation Apache - services/ja4ebpf/docs/NGINX_MULTI_KERNEL_VALIDATION.md : validation nginx - docs/architecture.md + docs/services/ja4ebpf.md mis à jour Tests unitaires Apache : - internal/loader/apache_test.go : tests libapr, paths, structures BPF - internal/correlation/apache_test.go : tests corrélation HTTP Apache Packaging : - RPM spec mis à jour (version 0.3.0-1, changelog complet) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-20 19:49:40 +02:00
Jacquin Antoine	678aa48a12	fix(correlation): prevent race condition in session manager Fixed potential use-after-free in Update() when gcRound deletes a session between GetOrCreate() and acquiring the session lock. Changes: - Add 'deleted' flag to SessionState - Mark sessions as deleted before removing from map in gcRound - Check deleted flag in Update and recreate session if needed This ensures updates to deleted sessions create a new session instead of modifying a freed/dangling reference. Race detector verified: go test ./internal/correlation/... -race Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-19 14:34:30 +02:00
Jacquin Antoine	f0c8fe81c6	feat(ja4ebpf): add multi-interface TC, LPM_TRIE ignore_src, unit tests, and fix bugs - Add multi-interface TC attachment (default "any" = all UP interfaces) - Add BPF LPM_TRIE map ignored_src for kernel-side CIDR filtering - Add userspace ignore_src filtering for SSL/accept4 path via net.IPNet.Contains() - Add AcceptCache for fd→SessionKey correlation with TTL and Close() - Add 5 test files covering writer, procutil, dispatcher, accept_cache, and cmd - Fix formatTCPOptions infinite loop on EOL (case 0 break→return) - Fix pseudoOrderToShort panic on empty slice (negative cap) - Fix AcceptCache goroutine leak (add done channel + Close()) - Update config.yml.example with interfaces, listen_ports, ignore_src - Rewrite docs/services/ja4ebpf.md (was massively stale: XDP, RingBuffer, etc.) - Fix stale XDP/RingBuffer references in docs/architecture.md, thesis, tls.go Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 01:49:26 +02:00
Jacquin Antoine	24306ef390	feat(ja4ebpf): add SSL_write uprobe, HPACK decoder, and AcceptCache for session correlation Add uprobe_ssl_write_entry/uretprobe_ssl_write_exit to capture server HTTP responses via SSL_write with direction=1. Implement full HPACK decoder (RFC 7541 static table, multi-byte integers, literal representations) for HTTP/2 header extraction. Add AcceptCache mapping {tgid,fd}→SessionKey from accept4 events as authoritative source for SSL correlation when BPF ssl_conn_map has src_ip=0. Add ip_total_length to tcp_syn_event BPF struct. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-15 03:34:43 +02:00
Jacquin Antoine	a02423fd18	feat: maximize data completeness across L3/L4/TLS/HTTP layers and add E2E test infra Add SSL_write uprobe for HTTP response capture, HPACK decoder for HTTP/2 header extraction, and AcceptCache for reliable SSL/TC session correlation. Populate all ClickHouse fields including tcp_meta_options, ip_meta_total_length, syn_to_clienthello_ms, client_headers, TLS cipher suites/extensions, and h2_enable_connect_protocol. Increase BPF capture buffers (HTTP 512B, TLS 1024B). Add distributed E2E testing infrastructure with multi-VM Vagrant setup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-15 03:34:33 +02:00
Jacquin Antoine	61addc8cfa	feat: JA3 fingerprinting, SSL correlation fix, ML pipeline overhaul, E2E test infra ja4ebpf: - Add JA3 raw + MD5 hash fingerprinting (ComputeJA3 in TLS parser) - Fix accept4 port double-swap bug (__builtin_bswap16 on already-host-order value) - Fix scheme override bug in ClickHouse writer (HTTP block clearing HTTPS) - Add HTTP/2 passive fingerprinting (Akamai H2 FP, SETTINGS, pseudo-header order) - Enrich ClickHouse schema with IP/TCP metadata, H2 settings, Sec-* headers - Ensure maximum data completeness: all available L3/L4, TLS, HTTP fields emitted bot-detector: - Replace logistic regression with MLP fusion classifier - Replace KS drift detection with ADWIN online learning - Replace NetworkX/Louvain with PyTorch Geometric GraphSAGE for fleet detection - Replace autoencoder with RealNVP normalizing flow + SessionTransformer embeddings infra: - Add distributed E2E test infrastructure (4 VMs: endpoints + analysis) - Add Vagrant provisioning for analysis VM, e2e Makefile targets, run scripts docs: - Restructure thesis into chapter files with corrected references - Add E2E testing documentation - Update architecture, schema, deployment, service docs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-15 02:57:07 +02:00
Jacquin Antoine	f88b739992	feat(e2e): add distributed E2E test framework with parametric traffic generation Add run-e2e-test.sh with CLI parameters (--hits, --http-ratio, --dns, --tls, --src-ips, --keep-analysis, --up) for configurable traffic generation. Traffic runs from VM endpoints with multiple source IPs (alias IPs on eth0) to produce distinct sessions for the ML pipeline. Fix curl TLS flags (--tlsv1.2 instead of --tls-v1-2), skip redundant local verification in distributed mode, and fix dashboard is_available() cache that never retried after ClickHouse recovery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-15 00:09:32 +02:00
toto	957918c565	fix(ja4ebpf): Rocky Linux RPM builder, remove correlated field, fix thesis - Dockerfile.package: migre go-builder de golang:bookworm (Debian) vers rockylinux:9, installe Go depuis le tarball officiel, remplace apt par dnf (clang llvm libbpf-devel bpftool) - Suppression du champ 'correlated' de l'agent ja4ebpf : avec eBPF/XDP, la corrélation L3/L4↔L7 est toujours implicite par présence des champs. Supprimé de : session.go, manager.go, main.go (x5), clickhouse.go - Thèse (6 corrections listées + cohérence correlated) : 1. §3.5 + §3.9.1 : SSL_read retourne des octets bruts sans respecter les frontières H2 → buffer circulaire de réassemblage en Go userspace 2. §3.1 : supprimé libpcap + CAP_NET_RAW, remplacé par définition uprobe 3. §4 + §7 : compte exact 96 features en 8 familles (Famille 1–8), supprimé taxonomie F1–F11 obsolète, tous les totaux mis à jour 4. §2.4 + §8 : remplacé 7 fausses URLs arXiv par [Référence à vérifier] 5. §4 Famille 2 : ja4_drift_ratio → renvoi à Famille 8 (définition complète) 6. §6.4 : ajouté limite 'Overhead de l'uprobe SSL_read' + §3.6 : supprimé correlated=0/1 du texte architectural Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-12 04:48:40 +02:00
toto	a1e4c1dad5	feat: add ja4ebpf service — eBPF-based TLS/TCP fingerprinting daemon - TC ingress hook captures TCP SYN (L3/L4) and TLS ClientHello - Uprobes on SSL_read/SSL_set_fd capture decrypted TLS data - Kprobes on accept4 correlate socket FDs to client IP:port - JA4 fingerprint computed from parsed TLS ClientHello - HTTP/2 SETTINGS and WINDOW_UPDATE extracted from decrypted streams - Session manager with sharded map (256 shards) and GC goroutine - Slowloris detection: sessions with no requests after 10s threshold - ClickHouse batch writer to ja4_logs.http_logs_raw (raw_json) - All tests pass: 17 parser + 10 correlation tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-11 22:43:26 +02:00

9 Commits