I *built Spliff, a high-performance L7 sniffing and correlation engine in pure C23. The goal is to build a fully working, Linux-native EDR that isn't a resource-hogging black box.
The core innovation – "Golden Thread" correlation:
Most eBPF sniffers capture SSL data OR packets. Spliff correlates both:
Linux-only – Requires kernel 5.x+ with BTF, XDP, libbpf.
---
The project is GPL-3.0 and we're inviting anyone interested to contribute—whether it's code, architecture feedback, security research, or ideas for EDR features that actually matter (not compliance theater).
4 comments
[ 3.1 ms ] story [ 22.2 ms ] threadI *built Spliff, a high-performance L7 sniffing and correlation engine in pure C23. The goal is to build a fully working, Linux-native EDR that isn't a resource-hogging black box.
The core innovation – "Golden Thread" correlation:
Most eBPF sniffers capture SSL data OR packets. Spliff correlates both:
This maps raw decrypted TLS data back to the exact TCP flow, PID, and process—something commercial EDRs struggle with.Technical highlights:
• XDP + sock_ops + Uprobes – Three BPF program types working together via shared maps
• Lock-free threading – Dispatcher/Worker model with Concurrency Kit SPSC queues
• Full HTTP/2 – HPACK decompression, stream multiplexing, request-response correlation
• No MITM – Hooks OpenSSL, GnuTLS, NSS, WolfSSL, BoringSSL directly via uprobes
• Static binary fingerprinting – Build ID matching for stripped binaries (Chrome)
• BPF-level filtering – AF_UNIX IPC filtered in kernel, not userspace
Current status: Working L7 visibility engine. Captures and correlates HTTPS traffic in real-time.
What's next: Process behavior tracking, file/network anomaly detection, event streaming (NATS/Kafka), threat intel integration.
Linux-only – Requires kernel 5.x+ with BTF, XDP, libbpf.
---
The project is GPL-3.0 and we're inviting anyone interested to contribute—whether it's code, architecture feedback, security research, or ideas for EDR features that actually matter (not compliance theater).
GitHub: https://github.com/NoFear0411/spliff
*Note: The codebase was written with Claude Opus. I provide the research, architecture decisions, and review every line.
> "eBPF/XDP hardware offload to SmartNICs",
After reading loophole labs post [0] a few months ago. I was hoping someone would cook on this for security research.
[0] https://loopholelabs.io/blog/xdp-for-egress-traffic