d469e39da7
Services: - ja4sentinel: TLS/JA4 fingerprint capture daemon (Go, libpcap) - logcorrelator: JA4 log correlation engine (Go, ClickHouse) - mod_reqin_log: Apache module (C, JSON request logging) - bot_detector: ML bot detection pipeline (Python) - dashboard: FastAPI/Streamlit analytics UI (Python) Shared libraries: - shared/go/ja4common: logger, config, shutdown, ipfilter (Go module) - shared/python/ja4_common: ClickHouseClient, ClickHouseSettings (Python package) - shared/clickhouse/: canonical SQL migrations (10 files) Build & packaging: - Unified 3-stage Dockerfile.package for Go RPMs (el8/el9/el10) - go.work workspace linking sentinel, correlator, ja4common - Makefile with test-all, build-all, rpm-* targets Fixes applied: - go.work: 1.21 → 1.24.6 (required by sentinel) - correlator Dockerfiles: golang:1.21 → golang:1.24 - replace directives in go.mod for ja4common local path - pyproject.toml: setuptools.backends → setuptools.build_meta - Removed static libpcap linking (unavailable on Rocky 9) - Fixed data races in output/writers_test.go (sync.Mutex + atomic.Int32) - Rewrote corrupted test files (logger_test.go × 2) Test coverage: - correlator: 67.1% total (unixsocket 80.5%, config 91.7%, app 83.3%, multi 87.7%, stdout 100%) - sentinel: all 10 packages pass (api, capture, config, fingerprint, ipfilter, logging, output, tlsparse) Documentation: - README.md + docs/ (architecture, development, 5 services, shared libs, DB schema & migrations) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
58 lines
1.8 KiB
Plaintext
58 lines
1.8 KiB
Plaintext
# Sample configuration file for ja4sentinel
|
|
# Copy to config.yml and adjust as needed
|
|
|
|
core:
|
|
# Network interface to capture traffic from
|
|
# "any" captures on all interfaces (default, recommended)
|
|
# Or specify a specific interface (e.g., eth0, ens192, etc.)
|
|
interface: any
|
|
|
|
# TCP ports to monitor for TLS handshakes
|
|
listen_ports:
|
|
- 443
|
|
- 8443
|
|
|
|
# Optional BPF filter (leave empty for auto-generated filter based on listen_ports and local_ips)
|
|
bpf_filter: ""
|
|
|
|
# Local IP addresses to monitor (traffic destined to these IPs will be captured)
|
|
# Leave empty for auto-detection (recommended) - excludes loopback addresses
|
|
# Or specify manually: ["192.168.1.10", "10.0.0.5", "2001:db8::1"]
|
|
local_ips: []
|
|
|
|
# Source IP addresses or CIDR ranges to exclude from capture
|
|
# Useful for filtering out internal traffic, health checks, or monitoring systems
|
|
# Examples: ["10.0.0.0/8", "192.168.1.1", "172.16.0.0/12"]
|
|
exclude_source_ips: []
|
|
|
|
# Timeout in seconds for TLS handshake extraction (default: 30)
|
|
flow_timeout_sec: 30
|
|
|
|
# Buffer size for packet channel (default: 1000, increase for high-traffic environments)
|
|
packet_buffer_size: 1000
|
|
|
|
# Log level: debug, info, warn, error (default: info)
|
|
# Can be overridden by JA4SENTINEL_LOG_LEVEL environment variable
|
|
log_level: info
|
|
|
|
outputs:
|
|
# Output to UNIX socket (for systemd/journald or other consumers)
|
|
# Only JSON LogRecord data is sent - no diagnostic logs
|
|
- type: unix_socket
|
|
enabled: true
|
|
params:
|
|
socket_path: /var/run/logcorrelator/network.socket
|
|
|
|
# Output to stdout (JSON lines)
|
|
# Diagnostic logs (error, debug, warning) should go here
|
|
# - type: stdout
|
|
# enabled: false
|
|
# params: {}
|
|
|
|
# Output to file
|
|
# Only JSON LogRecord data is sent - no diagnostic logs
|
|
# - type: file
|
|
# enabled: false
|
|
# params:
|
|
# path: /var/log/ja4sentinel/ja4.log
|