code_public/ja4sentinel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
75 Commits 1 Branch 0 Tags
cc1fa5dc690989a8b741d9e620e41ea73ef1bc4c
Commit Graph

15 Commits

Author SHA1 Message Date
Jacquin Antoine
23f3012fb1 release: version 1.1.2 - Add error callback mechanism and comprehensive test suite
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
Features:
- Add ErrorCallback type for UNIX socket connection error reporting
- Add WithErrorCallback option for UnixSocketWriter configuration
- Add BuilderImpl.WithErrorCallback() for propagating callbacks
- Add consecutive failure tracking in processQueue

Testing (50+ new tests):
- Add integration tests for full pipeline (capture → tlsparse → fingerprint → output)
- Add tests for FileWriter.rotate() and Reopen() log rotation
- Add tests for cleanupExpiredFlows() and cleanupLoop() in TLS parser
- Add tests for extractSNIFromPayload() and extractJA4Hash() helpers
- Add tests for config load error paths (invalid YAML, permission denied)
- Add tests for capture.Run() error conditions
- Add tests for signal handling documentation

Documentation:
- Update architecture.yml with new fields (LogLevel, TLSClientHello extensions)
- Update architecture.yml with Close() methods for Capture and Parser interfaces
- Update RPM spec changelog

Cleanup:
- Remove empty internal/api/ directory

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-02 23:24:56 +01:00
Jacquin Antoine
6e5addd6d4 Change default output to Unix socket
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
- config.yml.example: Unix socket enabled by default, stdout commented out
- internal/output/writers.go: Remove all internal logging from UnixSocketWriter
  and FileWriter - only LogRecord JSON data is sent to outputs
- architecture.yml: Update description to mention 'socket UNIX par défaut'
- packaging/rpm/ja4sentinel.spec: Bump version to 1.1.1, update changelog

Diagnostic logs (error, debug, warning) now only go to stdout when enabled.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-02 21:19:57 +01:00
Jacquin Antoine
52c9f2f6f4 feat: add logrotate support with SIGHUP signal handling
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
- Add Reopenable interface in api/types.go for log rotation support
- Add FileWriter.Reopen() method to reopen log files after rotation
- Add MultiWriter.Reopen() method to propagate rotation to all writers
- Update main.go to handle SIGHUP signal for systemctl reload
- Add logrotate configuration file (packaging/logrotate/ja4sentinel)
- Update systemd service with ExecReload for graceful rotation
- Update architecture.yml with logrotate documentation
- Update RPM spec and Dockerfile.package to include logrotate files
- Bump version to 1.1.0

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-02 20:50:47 +01:00
Jacquin Antoine
965720a183 release: version 1.0.9 - Add SNI, ALPN, TLS version extraction and architecture.yml compliance
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
New features:
- Extract SNI (Server Name Indication) from TLS ClientHello
- Extract ALPN (Application-Layer Protocol Negotiation) protocols
- Detect TLS version from ClientHello using tlsfingerprint library
- Add ConnID field for TCP flow correlation
- Add SensorID field for multi-sensor deployments
- Add SynToCHMs timing field for behavioral detection
- Add AsyncBuffer configuration for output queue sizing

Architecture changes:
- Remove JA4Hash from LogRecord (JA4 format includes its own hash portions)
- Update api.TLSClientHello with new TLS metadata fields
- Update api.LogRecord with correlation, TLS, and timing fields
- Ensure 100% compliance with architecture.yml specification

Tests:
- Add unit tests for TLS extension extraction (SNI, ALPN, Version)
- Update tests for new LogRecord schema without JA4Hash
- Add tests for AsyncBuffer configuration

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-02 19:32:16 +01:00
Jacquin Antoine
e862139fca fix: socket path to network.socket 
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 02:14:32 +01:00
Jacquin Antoine
40c3fad90e fix: unix socket path to /var/run/logcorrelator/network.sock
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 01:44:55 +01:00
Jacquin Antoine
2a7011162e docs(architecture.yml): document systemd sdnotify integration 
- Add systemd_notify section with type, access, protocol details
- Document READY, WATCHDOG, STOPPING signals
- List benefits of sdnotify integration
- Add watchdog_sec: 30 to runtime configuration
- Update integration_rules to mention sdnotify usage

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 01:07:37 +01:00
Jacquin Antoine
9ff0e7f9d2 chore: remove unused files and update CI 
- Delete residual editor files:
  - '2) Lancer les tests unitaires' (command already in Makefile)
  - '3) Lancer la vérification statique' (command already in Makefile)
- Delete CHANGELOG.md (changelog maintained in RPM spec)

ci: remove CentOS 7 (el7) from RPM workflow

- Remove el7 build artifacts from build-rpm.yml
- Update release assets to only include el8, el9, el10

docs(architecture.yml): fix test-integration command

- Add --exit-code-from ja4sentinel-test for proper exit code handling

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 00:35:36 +01:00
Jacquin Antoine
f80b7a1fa7 fix(api): restore DefaultConfig() and constants used by config loader
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
- Restore api.DefaultConfig() - used by internal/config/loader.go
- Restore DefaultInterface, DefaultPort, DefaultBPFFilter constants
- Restore DefaultFlowTimeout, DefaultPacketBuffer constants
- Remove unused LogLevel* constants (never referenced in codebase)

docs(architecture.yml): update packaging and service sections

- Update packaging tool from fpm to rpmbuild
- Remove CentOS 7 / RHEL 7 from target distros (EOL)
- Update rpm_builder stage description for rpmbuild workflow
- Add spec_file section with version_macro documentation
- Update service to run as root (required for packet capture)
- Update security sandboxing to match current systemd unit
- Remove pid_file (not used)
- Update binary_path from /usr/local/bin to /usr/bin

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-03-01 00:29:15 +01:00
Jacquin Antoine
0be3ea9220 refactor: packaging RPM uniquement avec builder Rocky Linux 9
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Details 
- Suppression complète du support DEB (Debian/Ubuntu)
- Builder Rocky Linux 9 pour compatibilité binaire maximale
- Compilation dynamique avec libpcap comme dépendance runtime
- Activation du dépôt CRB pour libpcap-devel
- RPM générés pour el7, el8, el9, el10
- Mise à jour documentation et workflows GitHub Actions

Fix: erreur 'libpcap.so.0.8: cannot open shared object file' sur Rocky Linux 9

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-28 18:15:46 +01:00
Jacquin Antoine
5b91f0cfb3 docs: update architecture.yml with unified packaging section
Some checks failed
Build DEB Package / Build DEB Package (Debian/Ubuntu) (push) Has been cancelled
Details
Build RPM Package / Build RPM Package (Rocky Linux) (push) Has been cancelled
Details 
- Add packaging section describing DEB and RPM builds with fpm
- Document Dockerfile.package multi-stage build pipeline
- List files, directories, maintainer scripts, and dependencies
- Add verification commands for both package types

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-27 15:41:29 +01:00
Jacquin Antoine
952c929f55 docs(architecture): update api types for new fields 
- Add Timestamp field to api.LogRecord (nanoseconds since Unix epoch)
- Add PacketBufferSize field to api.Config (default: 1000)

Reflects changes from commits:
- f362e32 feat(api): add timestamp field to LogRecord
- dfd5e49 feat(config): add configurable packet channel buffer size

Implements evolution.api_stability.rules.document_changes from architecture.yml

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-27 00:23:18 +01:00
Jacquin Antoine
9280cb545c feat: version 1.0.0 avec corrections critiques et nommage de packages 
Ajout du point d'entrée principal :
- cmd/ja4sentinel/main.go : pipeline complet avec gestion des signaux
- Intégration des modules (capture, tlsparse, fingerprint, output)
- Shutdown propre avec context.Context

Corrections du parsing TLS :
- Flow key unidirectionnel (client → serveur uniquement)
- Timeout de flux configurable via FlowTimeoutSec
- Structure ConnectionFlow simplifiée

Améliorations de l'API :
- Champs TCPMSS et TCPWScale en pointeurs (omitempty correct)
- NewLogRecord mis à jour pour les champs optionnels

Mise à jour de l'architecture :
- architecture.yml : documentation des champs optionnels
- Règles de flux unidirectionnel documentées

Système de packages :
- Version par défaut : 1.0.0
- Nommage cohérent : ja4sentinel_1.0.0_amd64.deb
- Scripts build-deb.sh et build-rpm.sh simplifiés
- Extraction correcte des checksums

Tests :
- TestFlowKey mis à jour pour le format unidirectionnel
- Tous les tests passent (go test ./...)
- go vet clean

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-26 23:24:42 +01:00
Jacquin Antoine
efd4481729 feat: implémentation complète du pipeline JA4 + Docker + tests 
Nouveaux modules:
- cmd/ja4sentinel/main.go : point d'entrée avec pipeline capture→parse→fingerprint→output
- internal/config/loader.go : chargement YAML + env (JA4SENTINEL_*) + validation
- internal/tlsparse/parser.go : extraction ClientHello avec suivi d'état de flux (NEW/WAIT_CLIENT_HELLO/JA4_DONE)
- internal/fingerprint/engine.go : génération JA4/JA3 via psanford/tlsfingerprint
- internal/output/writers.go : StdoutWriter, FileWriter, UnixSocketWriter, MultiWriter

Infrastructure:
- Dockerfile (multi-stage), Dockerfile.dev, Dockerfile.test-server
- Makefile (build, test, lint, docker-build-*)
- docker-compose.test.yml pour tests d'intégration
- README.md (276 lignes) avec architecture, config, exemples

API (api/types.go):
- Ajout Close() aux interfaces Capture et Parser
- Ajout FlowTimeoutSec dans Config (défaut: 30s, env: JA4SENTINEL_FLOW_TIMEOUT)
- ServiceLog: +Timestamp, +TraceID, +ConnID
- LogRecord: champs flatten (ip_meta_*, tcp_meta_*, ja4*)
- Helper NewLogRecord() pour conversion TLSClientHello+Fingerprints→LogRecord

Architecture (architecture.yml):
- Documentation module logging + interfaces LoggerFactory/Logger
- Section service.systemd complète (unit, security, capabilities)
- Section logging.strategy (JSON lines, champs, règles)
- api.Config: +FlowTimeoutSec documenté

Fixes/cleanup:
- Suppression internal/api/types.go (consolidé dans api/types.go)
- Correction imports logging (ja4sentinel/api)
- .dockerignore / .gitignore
- config.yml.example

Tests:
- Tous les modules ont leurs tests (*_test.go)
- Tests unitaires : capture, config, fingerprint, output, tlsparse
- Tests d'intégration via docker-compose.test.yml

Build:
- Binaires dans dist/ (make build → dist/ja4sentinel)
- Docker runtime avec COPY --from=builder /app/dist/

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2026-02-25 20:02:52 +01:00
Jacquin Antoine
5fa3c3c293 init 2026-02-25 03:15:53 +01:00