feat: parse NetSign protocol

Author: lzf575

agent/crates/enterprise-utils/src/lib.rs

@@ -357,6 +357,52 @@ pub mod l7 {
     }
 
     pub mod rpc {
+        pub mod net_sign {
+            use public::l7_protocol::LogMessageType;
+
+            pub const PROCESSOR_SIGN: &str = "RAWSignProcessor";
+            pub const PROCESSOR_VERIFY: &str = "PBCRAWVerifyProcessor";
+
+            #[derive(Default, Debug, Clone)]
+            pub struct NetSignFields {
+                pub processor_name: String,
+                pub operation: String,
+                pub result_code: String,
+                pub biz_data_parts: Vec<String>,
+                pub sig_present: bool,
+                pub sig_len: u32,
+                pub cert_id: String,
+                pub cert_serial: String,
+                pub cert_validity: String,
+                pub issuer_dn_ca: String,
+                pub app_ver: String,
+            }
+
+            impl NetSignFields {
+                pub fn trace_id(&self) -> &str {
+                    self.biz_data_parts.get(0).map(|s| s.as_str()).unwrap_or("")
+                }
+                pub fn biz_system(&self) -> &str {
+                    self.biz_data_parts.get(6).map(|s| s.as_str()).unwrap_or("")
+                }
+                pub fn signer_id(&self) -> String {
+                    String::new()
+                }
+            }
+
+            #[derive(Default)]
+            pub struct NetSignParser;
+
+            impl NetSignParser {
+                pub fn check_payload(&self, _: &[u8]) -> Option<LogMessageType> {
+                    unimplemented!()
+                }
+                pub fn parse_payload(&self, _: &[u8]) -> Option<NetSignFields> {
+                    unimplemented!()
+                }
+            }
+        }
+
         pub mod iso8583 {
             use public::bitmap::Bitmap;
 

agent/crates/public/src/l7_protocol.rs

@@ -63,6 +63,7 @@ pub enum L7Protocol {
     SomeIp = 47,
     Iso8583 = 48,
     Triple = 49,
+    NetSign = 50,
 
     // SQL
     MySQL = 60,
@@ -149,6 +150,7 @@ impl From<String> for L7Protocol {
             "tls" => Self::TLS,
             "ping" => Self::Ping,
             "some/ip" | "someip" => Self::SomeIp,
+            "netsign" | "net-sign" | "net_sign" => Self::NetSign,
             _ => Self::Unknown,
         }
     }

agent/src/common/l7_protocol_info.rs

@@ -131,6 +131,7 @@ cfg_if::cfg_if! {
             PingInfo(PingInfo),
             CustomInfo(CustomInfo),
             Iso8583Info(crate::flow_generator::protocol_logs::rpc::Iso8583Info),
+            NetSignInfo(crate::flow_generator::protocol_logs::rpc::NetSignInfo),
             // add new protocol info below
         );
     }

agent/src/common/l7_protocol_log.rs

@@ -103,6 +103,8 @@ macro_rules! impl_protocol_parser {
                     #[cfg(feature = "enterprise")]
                     "ISO-8583"=>Ok(Self::Iso8583(Default::default())),
                     #[cfg(feature = "enterprise")]
+                    "NetSign"|"netsign"|"net_sign"=>Ok(Self::NetSign(Default::default())),
+                    #[cfg(feature = "enterprise")]
                     "WebSphereMQ"=>Ok(Self::WebSphereMq(Default::default())),
                     $(
                         stringify!($proto) => Ok(Self::$proto(Default::default())),
@@ -202,6 +204,7 @@ cfg_if::cfg_if! {
                 Tars(TarsLog),
                 Oracle(crate::flow_generator::protocol_logs::OracleLog),
                 Iso8583(crate::flow_generator::protocol_logs::Iso8583Log),
+                NetSign(crate::flow_generator::protocol_logs::NetSignLog),
                 MQTT(MqttLog),
                 AMQP(AmqpLog),
                 NATS(NatsLog),

agent/src/config/config.rs

@@ -2044,6 +2044,7 @@ impl Default for Filters {
                 ("Tars".to_string(), "1-65535".to_string()),
                 ("SomeIP".to_string(), "1-65535".to_string()),
                 ("ISO8583".to_string(), "1-65535".to_string()),
+                ("NetSign".to_string(), "1-65535".to_string()),
                 ("Triple".to_string(), "1-65535".to_string()),
                 ("MySQL".to_string(), "1-65535".to_string()),
                 ("PostgreSQL".to_string(), "1-65535".to_string()),
@@ -2076,6 +2077,7 @@ impl Default for Filters {
                 ("Tars".to_string(), vec![]),
                 ("SomeIP".to_string(), vec![]),
                 ("ISO8583".to_string(), vec![]),
+                ("NetSign".to_string(), vec![]),
                 ("Triple".to_string(), vec![]),
                 ("MySQL".to_string(), vec![]),
                 ("PostgreSQL".to_string(), vec![]),

agent/src/ebpf/kernel/include/common.h

@@ -77,6 +77,8 @@ enum traffic_protocol {
 	PROTO_TARS = 46,
 	PROTO_SOME_IP = 47,
 	PROTO_ISO8583 = 48,
+	PROTO_TRIPLE = 49,
+	PROTO_NET_SIGN = 50,
 	PROTO_MYSQL = 60,
 	PROTO_POSTGRESQL = 61,
 	PROTO_ORACLE = 62,

agent/src/ebpf/kernel/include/protocol_inference.h

@@ -1269,6 +1269,119 @@ static __inline enum message_type infer_iso8583_message(const char *buf,
 	return MSG_REQUEST;
 }
 
+/*
+ * NetSign (签名验签) protocol identification.
+ *
+ * Wire format (all offsets absolute from TCP payload start):
+ *
+ *   [0]      outer_tag = 0x02
+ *   [1..12]  outer_len (12 ASCII decimal digits)
+ *   [13]     TAG_PROCESSOR_NAME = 0x01
+ *   [14]     type indicator = 0x01 (text)
+ *   [15..26] processorName length (12 ASCII decimal digits)
+ *   [25..26] last two digits of length:
+ *              '1','6' → RAWSignProcessor      (16 B): name at [27..42]
+ *              '2','1' → PBCRAWVerifyProcessor (21 B): name at [27..47]
+ *
+ * Protocol identification uses only the first 32 bytes (buf[0..31]).
+ * Request/response detection requires bytes beyond 32 and is read via
+ * bpf_probe_read_user from conn_info->syscall_infer_addr:
+ *
+ *   RAWSignProcessor:
+ *     op tag at [43] (extra[0]), op len last digit at [56] (extra[13])
+ *   PBCRAWVerifyProcessor:
+ *     op tag at [48] (extra[5]), op len last digit at [61] (extra[18])
+ *
+ * Operation length last digit: '7' → "request", '8' → "response"
+ */
+static __inline enum message_type infer_net_sign_message(const char *buf,
+							  size_t count,
+							  struct conn_info_s
+							  *conn_info)
+{
+	if (!protocol_port_check_2(PROTO_NET_SIGN, conn_info))
+		return MSG_UNKNOWN;
+	if (conn_info->tuple.l4_protocol != IPPROTO_TCP || count < 62)
+		return MSG_UNKNOWN;
+	if (is_infer_socket_valid(conn_info->socket_info_ptr)) {
+		if (conn_info->socket_info_ptr->l7_proto != PROTO_NET_SIGN)
+			return MSG_UNKNOWN;
+		/*
+		 * Socket already confirmed as NetSign. Continuation reads (mid-message
+		 * syscall splits) do not start at message offset 0, so the byte-pattern
+		 * checks below would fail. Return MSG_REQUEST unconditionally here; the
+		 * Rust-level parser derives the real message type from the TLV content.
+		 */
+		return MSG_REQUEST;
+	}
+
+	/*
+	 * Protocol identification within the first 32 bytes.
+	 */
+	// Byte 0: outer tag must be 0x02
+	if ((uint8_t)buf[0] != 0x02)
+		return MSG_UNKNOWN;
+	// Byte 1: first digit of outer_len must be ASCII decimal
+	if (buf[1] < '0' || buf[1] > '9')
+		return MSG_UNKNOWN;
+	// Byte 13: first inner TLV tag must be TAG_PROCESSOR_NAME (0x01)
+	if ((uint8_t)buf[13] != 0x01)
+		return MSG_UNKNOWN;
+	// Byte 14: inner TLV type indicator must be 0x01 (text)
+	if ((uint8_t)buf[14] != 0x01)
+		return MSG_UNKNOWN;
+	// processorName len field [15..26]: leading and near-last bytes must be '0'
+	if (buf[15] != '0' || buf[24] != '0')
+		return MSG_UNKNOWN;
+
+	// Bytes [25..26]: last two digits of processorName length.
+	// Also validate the processor name prefix (bytes [27..29]) within 32 bytes.
+	if (buf[25] == '1' && buf[26] == '6') {
+		// RAWSignProcessor (len=16): prefix "RAW" at [27..29]
+		if (buf[27] != 'R' || buf[28] != 'A' || buf[29] != 'W')
+			return MSG_UNKNOWN;
+	} else if (buf[25] == '2' && buf[26] == '1') {
+		// PBCRAWVerifyProcessor (len=21): prefix "PBC" at [27..29]
+		if (buf[27] != 'P' || buf[28] != 'B' || buf[29] != 'C')
+			return MSG_UNKNOWN;
+	} else {
+		return MSG_UNKNOWN;
+	}
+
+	/*
+	 * Request/response detection: read 19 bytes from offset 43 via
+	 * bpf_probe_read_user to cover the operation TLV for both processors.
+	 *
+	 *   extra[0]  = payload[43]: op tag for RAWSignProcessor
+	 *   extra[5]  = payload[48]: op tag for PBCRAWVerifyProcessor
+	 *   extra[13] = payload[56]: op len last digit for RAWSignProcessor
+	 *   extra[18] = payload[61]: op len last digit for PBCRAWVerifyProcessor
+	 */
+	char extra[19];
+	bpf_probe_read_user(extra, sizeof(extra),
+			    conn_info->syscall_infer_addr + 43);
+
+	if (buf[25] == '1' && buf[26] == '6') {
+		// RAWSignProcessor: op tag at extra[0], op len last digit at extra[13]
+		if ((uint8_t)extra[0] != 0x02)
+			return MSG_UNKNOWN;
+		if (extra[13] == '7')
+			return MSG_REQUEST;   // "request"  len=7
+		if (extra[13] == '8')
+			return MSG_RESPONSE;  // "response" len=8
+	} else {
+		// PBCRAWVerifyProcessor: op tag at extra[5], op len last digit at extra[18]
+		if ((uint8_t)extra[5] != 0x02)
+			return MSG_UNKNOWN;
+		if (extra[18] == '7')
+			return MSG_REQUEST;   // "request"  len=7
+		if (extra[18] == '8')
+			return MSG_RESPONSE;  // "response" len=8
+	}
+
+	return MSG_UNKNOWN;
+}
+
 #define CSTR_LEN(s) (sizeof(s) / sizeof(char) - 1)
 #define CSTR_MASK(s) ((~0ull) >> (64 - CSTR_LEN(s) * 8))
 // convert const string with length <= 8 for matching
@@ -4145,6 +4258,14 @@ infer_protocol_2(const char *infer_buf, size_t count,
 				       syscall_infer_len,
 				       conn_info)) != MSG_UNKNOWN) {
 		inferred_message.protocol = PROTO_ISO8583;
+#if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
+	} else if (skip_proto != PROTO_NET_SIGN && (inferred_message.type =
+#else
+	} else if ((inferred_message.type =
+#endif
+		    infer_net_sign_message(infer_buf,
+					   count, conn_info)) != MSG_UNKNOWN) {
+		inferred_message.protocol = PROTO_NET_SIGN;
 #if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
 	} else if (skip_proto != PROTO_MEMCACHED && (inferred_message.type =
 #else
@@ -4493,6 +4614,14 @@ infer_protocol_1(struct ctx_info_s *ctx,
 				return inferred_message;
 			}
 			break;
+		case PROTO_NET_SIGN:
+			if ((inferred_message.type =
+			    infer_net_sign_message(infer_buf, count,
+						   conn_info)) != MSG_UNKNOWN) {
+				inferred_message.protocol = PROTO_NET_SIGN;
+				return inferred_message;
+			}
+			break;
 		case PROTO_MEMCACHED:
 			if ((inferred_message.type =
 			     infer_memcached_message(infer_buf, count,

agent/src/ebpf/mod.rs

@@ -69,6 +69,10 @@ pub const SOCK_DATA_SOME_IP: u16 = 47;
 #[allow(dead_code)]
 pub const SOCK_DATA_ISO8583: u16 = 48;
 #[allow(dead_code)]
+pub const SOCK_DATA_TRIPLE: u16 = 49;
+#[allow(dead_code)]
+pub const SOCK_DATA_NET_SIGN: u16 = 50;
+#[allow(dead_code)]
 pub const SOCK_DATA_MYSQL: u16 = 60;
 #[allow(dead_code)]
 pub const SOCK_DATA_POSTGRESQL: u16 = 61;

agent/src/ebpf/user/ctrl_tracer.c

@@ -147,6 +147,8 @@ static void datadump_help(void)
 	fprintf(stderr, "    46:  PROTO_TARS\n");
 	fprintf(stderr, "    47:  PROTO_SOME_IP\n");
 	fprintf(stderr, "    48:  PROTO_ISO8583\n");
+	fprintf(stderr, "    49:  PROTO_TRIPLE\n");
+	fprintf(stderr, "    50:  PROTO_NET_SIGN\n");
 	fprintf(stderr, "    60:  PROTO_MYSQL\n");
 	fprintf(stderr, "    61:  PROTO_POSTGRESQL\n");
 	fprintf(stderr, "    62:  PROTO_ORACLE\n");

agent/src/ebpf/user/socket.h

@@ -297,6 +297,8 @@ static inline char *get_proto_name(uint16_t proto_id)
 		return "Some/IP";
 	case PROTO_ISO8583:
 		return "ISO-8583";
+	case PROTO_NET_SIGN:
+		return "NetSign";
 	case PROTO_POSTGRESQL:
 		return "PgSQL";
 	case PROTO_ORACLE: