release: version 1.0.9 - Add SNI, ALPN, TLS version extraction and architecture.yml compliance
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
New features: - Extract SNI (Server Name Indication) from TLS ClientHello - Extract ALPN (Application-Layer Protocol Negotiation) protocols - Detect TLS version from ClientHello using tlsfingerprint library - Add ConnID field for TCP flow correlation - Add SensorID field for multi-sensor deployments - Add SynToCHMs timing field for behavioral detection - Add AsyncBuffer configuration for output queue sizing Architecture changes: - Remove JA4Hash from LogRecord (JA4 format includes its own hash portions) - Update api.TLSClientHello with new TLS metadata fields - Update api.LogRecord with correlation, TLS, and timing fields - Ensure 100% compliance with architecture.yml specification Tests: - Add unit tests for TLS extension extraction (SNI, ALPN, Version) - Update tests for new LogRecord schema without JA4Hash - Add tests for AsyncBuffer configuration Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
This commit is contained in:
Jacquin Antoine
@ -258,6 +258,24 @@ func TestBuilder_NewFromConfig(t *testing.T) {
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "unix socket with custom AsyncBuffer",
|
||||
config: api.AppConfig{
|
||||
Core: api.Config{
|
||||
Interface: "eth0",
|
||||
ListenPorts: []uint16{443},
|
||||
},
|
||||
Outputs: []api.OutputConfig{
|
||||
{
|
||||
Type: "unix_socket",
|
||||
Enabled: true,
|
||||
AsyncBuffer: 5000,
|
||||
Params: map[string]string{"socket_path": "test.sock"},
|
||||
},
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
@ -409,11 +427,17 @@ func TestLogRecordJSONSerialization(t *testing.T) {
|
||||
IPDF: true,
|
||||
TCPWindow: 65535,
|
||||
TCPOptions: "MSS,WS,SACK,TS",
|
||||
JA4: "t13d1516h2_8daaf6152771_02cb136f2775",
|
||||
JA4Hash: "8daaf6152771_02cb136f2775",
|
||||
JA3: "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0",
|
||||
JA3Hash: "a0e6f06c7a6d15e5e3f0f0e6f06c7a6d",
|
||||
Timestamp: time.Now().UnixNano(),
|
||||
// New fields per architecture.yml
|
||||
ConnID: "flow-abc123",
|
||||
SensorID: "sensor-01",
|
||||
TLSVersion: "1.3",
|
||||
SNI: "example.com",
|
||||
ALPN: "h2",
|
||||
// Fingerprints - note: JA4Hash is NOT in LogRecord per architecture
|
||||
JA4: "t13d1516h2_8daaf6152771_02cb136f2775",
|
||||
JA3: "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0",
|
||||
JA3Hash: "a0e6f06c7a6d15e5e3f0f0e6f06c7a6d",
|
||||
Timestamp: time.Now().UnixNano(),
|
||||
}
|
||||
|
||||
data, err := json.Marshal(rec)
|
||||
@ -434,6 +458,15 @@ func TestLogRecordJSONSerialization(t *testing.T) {
|
||||
if got.JA4 != rec.JA4 {
|
||||
t.Errorf("JA4 = %v, want %v", got.JA4, rec.JA4)
|
||||
}
|
||||
// Verify JA4Hash is NOT present (architecture decision)
|
||||
// JA4Hash field doesn't exist in LogRecord anymore
|
||||
// Verify new fields
|
||||
if got.ConnID != rec.ConnID {
|
||||
t.Errorf("ConnID = %v, want %v", got.ConnID, rec.ConnID)
|
||||
}
|
||||
if got.SNI != rec.SNI {
|
||||
t.Errorf("SNI = %v, want %v", got.SNI, rec.SNI)
|
||||
}
|
||||
}
|
||||
|
||||
// Test to verify optional fields are omitted when empty
|
||||
|
||||
Reference in New Issue
Block a user