feat: parse NetSign protocol

Author: lzf575

agent/crates/enterprise-utils/src/lib.rs

@@ -357,6 +357,52 @@ pub mod l7 {
     }
 
     pub mod rpc {
+        pub mod net_sign {
+            use public::l7_protocol::LogMessageType;
+
+            pub const PROCESSOR_SIGN: &str = "RAWSignProcessor";
+            pub const PROCESSOR_VERIFY: &str = "PBCRAWVerifyProcessor";
+
+            #[derive(Default, Debug, Clone)]
+            pub struct NetSignFields {
+                pub processor_name: String,
+                pub operation: String,
+                pub result_code: String,
+                pub biz_data_parts: Vec<String>,
+                pub sig_present: bool,
+                pub sig_len: u32,
+                pub cert_id: String,
+                pub cert_serial: String,
+                pub cert_validity: String,
+                pub issuer_dn_ca: String,
+                pub app_ver: String,
+            }
+
+            impl NetSignFields {
+                pub fn trace_id(&self) -> &str {
+                    self.biz_data_parts.get(0).map(|s| s.as_str()).unwrap_or("")
+                }
+                pub fn biz_system(&self) -> &str {
+                    self.biz_data_parts.get(6).map(|s| s.as_str()).unwrap_or("")
+                }
+                pub fn signer_id(&self) -> String {
+                    String::new()
+                }
+            }
+
+            #[derive(Default)]
+            pub struct NetSignParser;
+
+            impl NetSignParser {
+                pub fn check_payload(&self, _: &[u8]) -> Option<LogMessageType> {
+                    unimplemented!()
+                }
+                pub fn parse_payload(&self, _: &[u8]) -> Option<NetSignFields> {
+                    unimplemented!()
+                }
+            }
+        }
+
         pub mod iso8583 {
             use public::bitmap::Bitmap;
 

agent/crates/public/src/l7_protocol.rs

@@ -63,6 +63,7 @@ pub enum L7Protocol {
     SomeIp = 47,
     Iso8583 = 48,
     Triple = 49,
+    NetSign = 50,
 
     // SQL
     MySQL = 60,
@@ -149,6 +150,7 @@ impl From<String> for L7Protocol {
             "tls" => Self::TLS,
             "ping" => Self::Ping,
             "some/ip" | "someip" => Self::SomeIp,
+            "netsign" | "net-sign" | "net_sign" => Self::NetSign,
             _ => Self::Unknown,
         }
     }

agent/src/common/l7_protocol_info.rs

@@ -131,6 +131,7 @@ cfg_if::cfg_if! {
             PingInfo(PingInfo),
             CustomInfo(CustomInfo),
             Iso8583Info(crate::flow_generator::protocol_logs::rpc::Iso8583Info),
+            NetSignInfo(crate::flow_generator::protocol_logs::rpc::NetSignInfo),
             // add new protocol info below
         );
     }

agent/src/common/l7_protocol_log.rs

@@ -103,6 +103,8 @@ macro_rules! impl_protocol_parser {
                     #[cfg(feature = "enterprise")]
                     "ISO-8583"=>Ok(Self::Iso8583(Default::default())),
                     #[cfg(feature = "enterprise")]
+                    "NetSign"|"netsign"|"net_sign"=>Ok(Self::NetSign(Default::default())),
+                    #[cfg(feature = "enterprise")]
                     "WebSphereMQ"=>Ok(Self::WebSphereMq(Default::default())),
                     $(
                         stringify!($proto) => Ok(Self::$proto(Default::default())),
@@ -202,6 +204,7 @@ cfg_if::cfg_if! {
                 Tars(TarsLog),
                 Oracle(crate::flow_generator::protocol_logs::OracleLog),
                 Iso8583(crate::flow_generator::protocol_logs::Iso8583Log),
+                NetSign(crate::flow_generator::protocol_logs::NetSignLog),
                 MQTT(MqttLog),
                 AMQP(AmqpLog),
                 NATS(NatsLog),

agent/src/config/config.rs

@@ -2044,6 +2044,7 @@ impl Default for Filters {
                 ("Tars".to_string(), "1-65535".to_string()),
                 ("SomeIP".to_string(), "1-65535".to_string()),
                 ("ISO8583".to_string(), "1-65535".to_string()),
+                ("NetSign".to_string(), "1-65535".to_string()),
                 ("Triple".to_string(), "1-65535".to_string()),
                 ("MySQL".to_string(), "1-65535".to_string()),
                 ("PostgreSQL".to_string(), "1-65535".to_string()),
@@ -2076,6 +2077,7 @@ impl Default for Filters {
                 ("Tars".to_string(), vec![]),
                 ("SomeIP".to_string(), vec![]),
                 ("ISO8583".to_string(), vec![]),
+                ("NetSign".to_string(), vec![]),
                 ("Triple".to_string(), vec![]),
                 ("MySQL".to_string(), vec![]),
                 ("PostgreSQL".to_string(), vec![]),

agent/src/ebpf/kernel/include/common.h

@@ -77,6 +77,8 @@ enum traffic_protocol {
 	PROTO_TARS = 46,
 	PROTO_SOME_IP = 47,
 	PROTO_ISO8583 = 48,
+	PROTO_TRIPLE = 49,
+	PROTO_NET_SIGN = 50,
 	PROTO_MYSQL = 60,
 	PROTO_POSTGRESQL = 61,
 	PROTO_ORACLE = 62,

agent/src/ebpf/kernel/include/protocol_inference.h

@@ -1269,6 +1269,63 @@ static __inline enum message_type infer_iso8583_message(const char *buf,
 	return MSG_REQUEST;
 }
 
+// NetSign 签名验签协议推断
+// TCP payload: msgSeq(2B) + outer_type(1B) + outer_len(10 ASCII digits) + inner TLVs
+// Inner TLV:   tag(1B) + type(1B) + len(12 ASCII digits) + value
+//
+// Known processor names and their lengths:
+//   RAWSignProcessor        (len=16): operation tag at byte[43], len field ends at byte[56]
+//   PBCRAWVerifyProcessor   (len=21): operation tag at byte[48], len field ends at byte[61]
+// operation len last byte: '7' → "request", '8' → "response"
+static __inline enum message_type infer_net_sign_message(const char *buf,
+							  size_t count,
+							  struct conn_info_s
+							  *conn_info)
+{
+	if (!protocol_port_check_2(PROTO_NET_SIGN, conn_info))
+		return MSG_UNKNOWN;
+	if (conn_info->tuple.l4_protocol != IPPROTO_TCP || count < 62)
+		return MSG_UNKNOWN;
+	if (is_infer_socket_valid(conn_info->socket_info_ptr)) {
+		if (conn_info->socket_info_ptr->l7_proto != PROTO_NET_SIGN)
+			return MSG_UNKNOWN;
+		/*
+		 * Socket already confirmed as NetSign. Continuation reads (mid-message
+		 * syscall splits) do not start at message offset 0, so the byte-pattern
+		 * checks below would fail. Return MSG_REQUEST unconditionally here; the
+		 * Rust-level parser derives the real message type from the TLV content.
+		 */
+		return MSG_REQUEST;
+	}
+
+	// outer_len field [3..12] must be ASCII decimal digits
+	if (buf[3] < '0' || buf[3] > '9')
+		return MSG_UNKNOWN;
+	// First inner TLV tag must be TAG_PROCESSOR_NAME (0x01)
+	if ((uint8_t)buf[13] != 0x01)
+		return MSG_UNKNOWN;
+	// processorName len field [15..26]: leading bytes must be ASCII '0'
+	if (buf[15] != '0' || buf[24] != '0')
+		return MSG_UNKNOWN;
+
+	// RAWSignProcessor: processorName len = 16, operation tag at [43]
+	if (buf[25] == '1' && buf[26] == '6' && (uint8_t)buf[43] == 0x02) {
+		if (buf[56] == '7')
+			return MSG_REQUEST;   // operation = "request"
+		if (buf[56] == '8')
+			return MSG_RESPONSE;  // operation = "response"
+	}
+	// PBCRAWVerifyProcessor: processorName len = 21, operation tag at [48]
+	if (buf[25] == '2' && buf[26] == '1' && (uint8_t)buf[48] == 0x02) {
+		if (buf[61] == '7')
+			return MSG_REQUEST;   // operation = "request"
+		if (buf[61] == '8')
+			return MSG_RESPONSE;  // operation = "response"
+	}
+
+	return MSG_UNKNOWN;
+}
+
 #define CSTR_LEN(s) (sizeof(s) / sizeof(char) - 1)
 #define CSTR_MASK(s) ((~0ull) >> (64 - CSTR_LEN(s) * 8))
 // convert const string with length <= 8 for matching
@@ -4145,6 +4202,14 @@ infer_protocol_2(const char *infer_buf, size_t count,
 				       syscall_infer_len,
 				       conn_info)) != MSG_UNKNOWN) {
 		inferred_message.protocol = PROTO_ISO8583;
+#if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
+	} else if (skip_proto != PROTO_NET_SIGN && (inferred_message.type =
+#else
+	} else if ((inferred_message.type =
+#endif
+		    infer_net_sign_message(infer_buf,
+					   count, conn_info)) != MSG_UNKNOWN) {
+		inferred_message.protocol = PROTO_NET_SIGN;
 #if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
 	} else if (skip_proto != PROTO_MEMCACHED && (inferred_message.type =
 #else
@@ -4493,6 +4558,14 @@ infer_protocol_1(struct ctx_info_s *ctx,
 				return inferred_message;
 			}
 			break;
+		case PROTO_NET_SIGN:
+			if ((inferred_message.type =
+			    infer_net_sign_message(infer_buf, count,
+						   conn_info)) != MSG_UNKNOWN) {
+				inferred_message.protocol = PROTO_NET_SIGN;
+				return inferred_message;
+			}
+			break;
 		case PROTO_MEMCACHED:
 			if ((inferred_message.type =
 			     infer_memcached_message(infer_buf, count,

agent/src/ebpf/mod.rs

@@ -69,6 +69,10 @@ pub const SOCK_DATA_SOME_IP: u16 = 47;
 #[allow(dead_code)]
 pub const SOCK_DATA_ISO8583: u16 = 48;
 #[allow(dead_code)]
+pub const SOCK_DATA_TRIPLE: u16 = 49;
+#[allow(dead_code)]
+pub const SOCK_DATA_NET_SIGN: u16 = 50;
+#[allow(dead_code)]
 pub const SOCK_DATA_MYSQL: u16 = 60;
 #[allow(dead_code)]
 pub const SOCK_DATA_POSTGRESQL: u16 = 61;

agent/src/ebpf/user/ctrl_tracer.c

@@ -147,6 +147,8 @@ static void datadump_help(void)
 	fprintf(stderr, "    46:  PROTO_TARS\n");
 	fprintf(stderr, "    47:  PROTO_SOME_IP\n");
 	fprintf(stderr, "    48:  PROTO_ISO8583\n");
+	fprintf(stderr, "    49:  PROTO_TRIPLE\n");
+	fprintf(stderr, "    50:  PROTO_NET_SIGN\n");
 	fprintf(stderr, "    60:  PROTO_MYSQL\n");
 	fprintf(stderr, "    61:  PROTO_POSTGRESQL\n");
 	fprintf(stderr, "    62:  PROTO_ORACLE\n");

agent/src/ebpf/user/socket.h

@@ -297,6 +297,8 @@ static inline char *get_proto_name(uint16_t proto_id)
 		return "Some/IP";
 	case PROTO_ISO8583:
 		return "ISO-8583";
+	case PROTO_NET_SIGN:
+		return "NetSign";
 	case PROTO_POSTGRESQL:
 		return "PgSQL";
 	case PROTO_ORACLE: