Hi HN, I built* Spliff, a high-performance L7 sniffing and correlation engine in pure C23. The goal is to build a fully working, Linux-native EDR that isn't a resource-hogging black box.

The core innovation – "Golden Thread" correlation: Most eBPF sniffers capture SSL data OR packets. Spliff correlates both:

    XDP (NIC)  →  sock_ops (socket cookies)  →  Uprobes (SSL buffers)
        ↓                    ↓                          ↓
     packets            TCP 5-tuple               decrypted data
        ↘                    ↓                          ↙
                     unified per-flow view

This maps raw decrypted TLS data back to the exact TCP flow, PID, and process—something commercial EDRs struggle with.

Technical highlights:

• XDP + sock_ops + Uprobes – Three BPF program types working together via shared maps
• Lock-free threading – Dispatcher/Worker model with Concurrency Kit SPSC queues
• Full HTTP/2 – HPACK decompression, stream multiplexing, request-response correlation
• No MITM – Hooks OpenSSL, GnuTLS, NSS, WolfSSL, BoringSSL directly via uprobes
• Static binary fingerprinting – Build ID matching for stripped binaries (Chrome)
• BPF-level filtering – AF_UNIX IPC filtered in kernel, not userspace

Current status: Working L7 visibility engine. Captures and correlates HTTPS traffic in real-time.

What's next: Process behavior tracking, file/network anomaly detection, event streaming (NATS/Kafka), threat intel integration.

Linux-only – Requires kernel 5.x+ with BTF, XDP, libbpf.

---

The project is GPL-3.0 and we're inviting anyone interested to contribute—whether it's code, architecture feedback, security research, or ideas for EDR features that actually matter (not compliance theater).

GitHub: https://github.com/NoFear0411/spliff

*Note: The codebase was written with Claude Opus. I provide the research, architecture decisions, and review every line.
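To make the "Golden Thread" join concrete, here is an added example of the correlation step modelled in user space. It is illustration code written for this page, not Spliff's code, and it assumes things the post does not state: that the uprobe event already carries the socket cookie of the socket beneath the SSL object, IPv4 only, a fixed-size flow table standing in for the shared BPF map, and an event sequence that is constructed inline. Two details a practitioner cares about are shown: the 5-tuple is canonicalized so the SYN-ACK seen by XDP (reverse direction) lands on the same flow record as the sock_ops key (local→remote view), and an SSL buffer whose cookie has no sock_ops record yet (a connection older than the attached programs) is reported as an orphan instead of being silently merged or dropped.

```c
/* Added example, not Spliff's code: a user-space model of joining the three BPF
 * sources (XDP packets, sock_ops cookies, SSL uprobe buffers) into one per-flow
 * record. All addresses, cookies, PIDs and payloads below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Canonical TCP 5-tuple (IPv4, host order): the (addr,port) pairs are ordered so
 * both directions of a connection map to the same key. */
typedef struct { uint32_t a_addr, b_addr; uint16_t a_port, b_port; uint8_t proto; } flow_key;

typedef struct {
    bool     used;
    flow_key key;
    uint64_t cookie;     /* socket cookie from sock_ops, 0 = not yet bound */
    uint32_t pid;        /* PID carried by the SSL uprobe event, 0 = unknown */
    uint32_t packets;    /* wire packets counted at the XDP stage */
    size_t   plain_len;  /* decrypted bytes kept (truncated to the buffer) */
    char     plain[256];
} flow;

enum { MAX_FLOWS = 64 };
static flow flows[MAX_FLOWS];   /* stand-in for a BPF hash map keyed by 5-tuple */
void flows_reset(void) { memset(flows, 0, sizeof flows); }

flow_key make_key(uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport, uint8_t proto) {
    bool swap = saddr > daddr || (saddr == daddr && sport > dport);
    return swap ? (flow_key){ daddr, saddr, dport, sport, proto }
                : (flow_key){ saddr, daddr, sport, dport, proto };
}

bool key_eq(const flow_key *x, const flow_key *y) {
    return x->a_addr == y->a_addr && x->b_addr == y->b_addr &&
           x->a_port == y->a_port && x->b_port == y->b_port && x->proto == y->proto;
}

static flow *flow_get(const flow_key *k, bool create) {
    flow *spare = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].used) { if (key_eq(&flows[i].key, k)) return &flows[i]; }
        else if (!spare) spare = &flows[i];
    }
    if (!create || !spare) return NULL;
    *spare = (flow){ .used = true, .key = *k };
    return spare;
}

/* XDP stage: one wire packet, counted against its canonical flow. */
void on_xdp_packet(uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport) {
    flow_key k = make_key(saddr, sport, daddr, dport, 6);
    flow *f = flow_get(&k, true);
    if (f) f->packets++;
}

/* sock_ops stage: bind the socket cookie to the flow, seen from the local socket. */
bool on_sock_ops(uint64_t cookie, uint32_t laddr, uint16_t lport, uint32_t raddr, uint16_t rport) {
    flow_key k = make_key(laddr, lport, raddr, rport, 6);
    flow *f = flow_get(&k, true);
    if (!f) return false;
    f->cookie = cookie;
    return true;
}

flow *flow_by_cookie(uint64_t cookie) {
    for (int i = 0; cookie && i < MAX_FLOWS; i++)
        if (flows[i].used && flows[i].cookie == cookie) return &flows[i];
    return NULL;
}

/* Uprobe stage: plaintext from SSL_write/SSL_read. Assumption: the probe already
 * resolved the socket cookie of the fd behind the SSL object. Returns false for an
 * orphan buffer (no sock_ops record, e.g. a connection older than the loaded BPF
 * programs); a real engine should count or queue those rather than drop them. */
bool on_ssl_buffer(uint64_t cookie, uint32_t pid, const char *buf, size_t n) {
    flow *f = flow_by_cookie(cookie);
    if (!f) return false;
    f->pid = pid;
    size_t room = sizeof f->plain - 1 - f->plain_len;
    if (n > room) n = room;
    memcpy(f->plain + f->plain_len, buf, n);
    f->plain_len += n;
    f->plain[f->plain_len] = '\0';
    return true;
}

/* Constructed event sequence: 10.0.0.5:51234 -> 93.184.216.34:443 owned by PID 4242. */
const flow *run_demo(void) {
    const uint32_t c = 0x0A000005, s = 0x5DB8D822;
    const char *req = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
    const char *rsp = "HTTP/1.1 200 OK\r\n";
    flows_reset();
    on_xdp_packet(c, 51234, s, 443);                  /* SYN */
    on_xdp_packet(s, 443, c, 51234);                  /* SYN-ACK, reverse direction */
    on_xdp_packet(c, 51234, s, 443);                  /* ACK */
    on_sock_ops(0xC0FFEE, c, 51234, s, 443);          /* ACTIVE_ESTABLISHED callback */
    on_ssl_buffer(0xC0FFEE, 4242, req, strlen(req));  /* SSL_write uprobe */
    on_xdp_packet(c, 51234, s, 443);                  /* the TLS record on the wire */
    on_ssl_buffer(0xC0FFEE, 4242, rsp, strlen(rsp));  /* SSL_read uretprobe */
    return flow_by_cookie(0xC0FFEE);
}
```

Calling run_demo() yields one flow record with cookie 0xC0FFEE, PID 4242, four wire packets and 54 bytes of plaintext; feeding on_ssl_buffer() a cookie that sock_ops never reported returns false. In a real engine the XDP and sock_ops stages would write into a shared BPF map and only the uprobe stage would need to reach user space, which is the point of keying everything on the socket cookie rather than on the SSL pointer.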