References
Standards & RFCs
Protocol specifications implemented in the ExfilGuardian parsers
| RFC | Title | Relevance |
|---|
| RFC 1034 | Domain Names: Concepts and Facilities | Core DNS model, resolution algorithm |
| RFC 1035 | Domain Names: Implementation and Specification | Wire format parsed in DNS DPI module |
| RFC 4648 | Base16, Base32, Base64 Encoding | Encoding schemes used in DNS tunnel payloads |
| RFC 5155 | NSEC3 for DNS Security | NSEC3 queries are a common DNS tunnel evasion vector |
| RFC 7816 | DNS Query Name Minimisation | Affects how resolvers generate subdomains |
Key fields parsed in DPI
- Query name (QNAME): entropy analysis
- Query type (QTYPE): TXT, CNAME, MX record abuse detection
- Answer section: payload size and encoding patterns
- TTL: abnormally low TTL is a DGA indicator
| RFC | Title | Relevance |
|---|
| RFC 7230 | HTTP/1.1 Message Syntax and Routing | Request/response structure parsed in DPI |
| RFC 7231 | HTTP/1.1 Semantics and Content | Method, headers, and body analysis |
| RFC 7540 | HTTP/2 | Binary framing (future parser extension) |
| RFC 9113 | HTTP/2 (updated) | Current HTTP/2 specification |
Key fields parsed in DPI
- Method: abnormal PUT/POST to unknown endpoints
Content-Length / Transfer-Encoding: large or chunked uploads
User-Agent: known malicious UA strings via signatures
Authorization / custom headers: encoded exfiltration vectors
- Body entropy: Base64 or compressed data in unexpected fields
| RFC | Title | Relevance |
|---|
| RFC 8446 | TLS 1.3 | Current TLS standard; ClientHello parsed for JA3 |
| RFC 5246 | TLS 1.2 | Still widely deployed; both versions handled |
| RFC 6066 | TLS Extensions | SNI (Server Name Indication), visible pre-encryption |
| RFC 5280 | X.509 PKI Certificate Profile | Certificate field inspection (CN, SANs, validity) |
What the TLS DPI module can extract without decryption
| TLS field | Visible | Used for |
|---|
| SNI | ClientHello | Domain reputation, DGA detection |
| Cipher suites | ClientHello | JA3 fingerprint |
| TLS version | ClientHello | JA3 fingerprint, outdated version detection |
| Certificate CN / SANs | Server certificate | Suspicious issuers, wildcard abuse |
| Certificate validity | Server certificate | Recently issued certs (< 30 days) are suspicious |
| Session resumption | Handshake | High frequency = possible covert channel |
| Payload content | Encrypted | Out of scope (requires MitM) |
| Reference | Title | Relevance |
|---|
| WFP Documentation | Windows Filtering Platform | Driver uses WFP callouts for packet interception at Ring 0 |
| WDK | Windows Driver Kit | Build toolchain for the kernel driver |
| KMDF | Kernel-Mode Driver Framework | Driver framework used for WFP callout registration |
| Reference | Title | Relevance |
|---|
| gRPC | gRPC Documentation | Agent-to-server communication protocol |
| Protocol Buffers | Protobuf v3 | Wire format for PacketMetadata, FlowRecord, Alert messages |
| mTLS | Mutual TLS | Agent-server mutual authentication |
Key external crates used across the workspace.
| Crate | Version | Purpose |
|---|
tonic | 0.x | gRPC server and client implementation |
prost | 0.x | Protobuf code generation and serialization |
axum | 0.x | HTTP server for dashboard API and health endpoints |
tower-http | 0.x | HTTP middleware (CORS, tracing, compression) |
rusqlite | 0.x | SQLite for local alert storage and configuration |
windows-sys | 0.x | Windows API bindings for agent and installer |
wdk | 0.x | Windows Driver Kit Rust bindings for kernel driver |
wdk-sys | 0.x | Raw FFI bindings for WDK |
rcgen | 0.x | X.509 certificate generation for mTLS |
rustls | 0.23 | TLS implementation for mTLS and ClientHello inspection |
dns-parser | 0.x | DNS wire format parsing |
httparse | 1.x | Zero-copy HTTP/1.x parser |
regex | 1.x | Signature condition matching |
serde_yaml | 0.9 | YAML rule deserialization |
notify | 6.x | File system watching for hot-reload |
thiserror | 2.x | Library error types |
anyhow | 1.x | Application error handling |
tokio | 1.x | Async runtime |