(no title)

I *built Spliff, a high-performance L7 sniffing and correlation engine in pure C23. The goal is to build a fully working, Linux-native EDR that isn't a resource-hogging black box.

The core innovation – "Golden Thread" correlation:

Most eBPF sniffers capture SSL data OR packets. Spliff correlates both:

  XDP (NIC) → sock_ops (socket cookies) → Uprobes (SSL buffers)
      ↓              ↓                         ↓
   packets      TCP 5-tuple              decrypted data
                     ↘         ↓         ↙
                      unified per-flow view

Technical highlights:

• XDP + sock_ops + Uprobes – Three BPF program types working together via shared maps

• Lock-free threading – Dispatcher/Worker model with Concurrency Kit SPSC queues

• Full HTTP/2 – HPACK decompression, stream multiplexing, request-response correlation

• No MITM – Hooks OpenSSL, GnuTLS, NSS, WolfSSL, BoringSSL directly via uprobes

• Static binary fingerprinting – Build ID matching for stripped binaries (Chrome)

• BPF-level filtering – AF_UNIX IPC filtered in kernel, not userspace

Current status: Working L7 visibility engine. Captures and correlates HTTPS traffic in real-time.

What's next: Process behavior tracking, file/network anomaly detection, event streaming (NATS/Kafka), threat intel integration.

Linux-only – Requires kernel 5.x+ with BTF, XDP, libbpf.

---

The project is GPL-3.0 and we're inviting anyone interested to contribute—whether it's code, architecture feedback, security research, or ideas for EDR features that actually matter (not compliance theater).

GitHub: https://github.com/NoFear0411/spliff

*Note: The codebase was written with Claude Opus. I provide the research, architecture decisions, and review every line.