code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d75825278ef77d59c87caee29b683df37be569d8
ja4-platform/services/ja4ebpf/packaging/rpm/ja4ebpf.spec
Jacquin Antoine d75825278e feat: multi-distro VM tests, ja4ebpf eBPF improvements, bot-detector scoring 
ja4ebpf:
- Refactor BPF TC capture with improved SYN offset handling and TCP option parsing
- Enhance TLS uprobe SSL hooking for better key extraction
- Add ClickHouse writer improvements for HTTP log materialized views
- Update RPM spec for Rocky Linux 8/9/10, fix systemd service
- Simplify loader with cleaner bpf2go integration

bot-detector:
- Add H2 SETTINGS per-parameter comparison in browser_matcher
- Enhance browser signatures and scoring pipeline
- Improve preprocessing and cycle detection

infra:
- Multi-distro Vagrantfile (centos8, rocky9, rocky10) with per-distro provisioning
- New Makefile targets: vm-up-all, test-vm-matrix, test-vm-centos8/rocky10
- Add debug helpers and run-test-from-host.sh for host-driven VM testing
- Update run-tests-vm.sh for cross-distro compatibility
- Remove accidental binary blob (\004)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 01:09:33 +02:00

105 lines
4.0 KiB
RPMSpec
Raw Blame History

Name: ja4ebpf
Version: %{build_version}
Release: 1%{?dist}
Summary: JA4 eBPF Network Fingerprint Agent
License: Proprietary
URL: https://github.com/antitbone/ja4-platform
Source0: ja4ebpf
Source1: ja4ebpf.service
Source2: config.yml.example
# ── Compatibilité : RHEL/CentOS/Rocky/AlmaLinux 8 → 10 ───────────────────
# Binaire statique (CGO_ENABLED=0) : aucune dépendance de bibliothèque partagée.
# BTF natif disponible sur tous les kernels RHEL 8+ (backport dans 4.18).
BuildArch: x86_64
Requires: systemd
%description
ja4ebpf est un agent de collecte passif basé sur eBPF qui capture les
métadonnées réseau (L3/L4/L5/L7) pour le pipeline de détection de bots JA4.
Il utilise :
- Des hooks TC ingress pour les TCP SYN, TLS ClientHello, HTTP clair (80/8080)
- Des uprobes sur SSL_read/SSL_write pour le trafic HTTPS déchiffré
Le binaire est compilé statique et supporte RHEL/CentOS/Rocky/AlmaLinux 8 à 10.
%prep
# Binaire pré-compilé fourni dans Source0 (compilé par Dockerfile.package).
%build
# Compilation déléguée au Dockerfile.package multi-stage.
%install
rm -rf %{buildroot}
install -D -m 0755 %{SOURCE0} %{buildroot}%{_sbindir}/ja4ebpf
install -D -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/ja4ebpf/config.yml.example
install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ja4ebpf.service
install -d -m 0750 %{buildroot}%{_localstatedir}/lib/ja4ebpf
install -d -m 0750 %{buildroot}%{_localstatedir}/log/ja4ebpf
%pre
getent group ja4ebpf >/dev/null 2>&1 || \
groupadd -r -g 490 ja4ebpf
getent passwd ja4ebpf >/dev/null 2>&1 || \
useradd -r -u 490 -g ja4ebpf \
-d %{_localstatedir}/lib/ja4ebpf \
-s /sbin/nologin \
-c "JA4 eBPF agent" \
ja4ebpf
exit 0
%post
%systemd_post ja4ebpf.service
if [ ! -f %{_sysconfdir}/ja4ebpf/config.yml ]; then
cp -p %{_sysconfdir}/ja4ebpf/config.yml.example \
%{_sysconfdir}/ja4ebpf/config.yml
chown root:ja4ebpf %{_sysconfdir}/ja4ebpf/config.yml
chmod 640 %{_sysconfdir}/ja4ebpf/config.yml
fi
chown -R ja4ebpf:ja4ebpf \
%{_localstatedir}/lib/ja4ebpf \
%{_localstatedir}/log/ja4ebpf
%preun
%systemd_preun ja4ebpf.service
%postun
%systemd_postun_with_restart ja4ebpf.service
%files
%defattr(-,root,root,-)
%attr(0755, root, root) %{_sbindir}/ja4ebpf
%dir %attr(0750, root, ja4ebpf) %{_sysconfdir}/ja4ebpf
%config(noreplace) %attr(0640, root, ja4ebpf) %{_sysconfdir}/ja4ebpf/config.yml.example
%{_unitdir}/ja4ebpf.service
%dir %attr(0750, ja4ebpf, ja4ebpf) %{_localstatedir}/lib/ja4ebpf
%dir %attr(0750, ja4ebpf, ja4ebpf) %{_localstatedir}/log/ja4ebpf
%changelog
* Sat Apr 12 2025 Antoine Jacquin <antoine@antitbone.dev> - 0.2.0-1
- feat(writer): sérialisation complète des 12 champs HTTP/2 passifs vers ClickHouse
(SETTINGS individuels, WINDOW_UPDATE, pseudo-headers, fingerprints composites Akamai)
- fix(writer): le parser H2 fonctionnait mais le writer ignorait HTTP2Settings
- fix(sql): TTL http_logs corrigé de 30 jours à 2 heures (conforme thèse §3.7)
- feat(browser_matcher): redistribution des poids CDN (0.35 HTTP + 0.35 TLS)
- feat(browser_matcher): exposition des 5 features browser_match_* dans le vecteur ML
- feat(shap): TreeExplainer XGBoost en priorité, ExIFFI + SHAP coexistants
- feat(pipeline): root_to_first_asset_delay et asset_load_stddev intégrés au vecteur ML
- feat(signatures): table browser_h2_signatures + rechargement 24h depuis ClickHouse
- feat(cycle): queue unknown_h2_fingerprints pour signatures H2 inconnues
* Thu Mar 27 2025 Antoine Jacquin <antoine@antitbone.dev> - 0.1.0-1
- Initial RPM package
- eBPF CO-RE agent: TC ingress + uprobe SSL_read
- JA4/JA4T TLS/TCP fingerprinting
- HTTP/2 passive fingerprinting (SETTINGS, WINDOW_UPDATE, pseudo-headers)
- Go Magic Bytes dispatcher with circular reassembly buffer
- 256-shard correlation engine, 500ms orphan timeout
- Multi-distro support: RHEL/CentOS/Rocky/AlmaLinux 8, 9, 10
Reference in New Issue View Git Blame Copy Permalink