ExfilGuardian
References

Standards & RFCs

Protocol specifications implemented in the ExfilGuardian parsers

DNS

RFCTitleRelevance
RFC 1034Domain Names: Concepts and FacilitiesCore DNS model, resolution algorithm
RFC 1035Domain Names: Implementation and SpecificationWire format parsed in DNS DPI module
RFC 4648Base16, Base32, Base64 EncodingEncoding schemes used in DNS tunnel payloads
RFC 5155NSEC3 for DNS SecurityNSEC3 queries are a common DNS tunnel evasion vector
RFC 7816DNS Query Name MinimisationAffects how resolvers generate subdomains

Key fields parsed in DPI

  • Query name (QNAME): entropy analysis
  • Query type (QTYPE): TXT, CNAME, MX record abuse detection
  • Answer section: payload size and encoding patterns
  • TTL: abnormally low TTL is a DGA indicator

HTTP / HTTPS

RFCTitleRelevance
RFC 7230HTTP/1.1 Message Syntax and RoutingRequest/response structure parsed in DPI
RFC 7231HTTP/1.1 Semantics and ContentMethod, headers, and body analysis
RFC 7540HTTP/2Binary framing (future parser extension)
RFC 9113HTTP/2 (updated)Current HTTP/2 specification

Key fields parsed in DPI

  • Method: abnormal PUT/POST to unknown endpoints
  • Content-Length / Transfer-Encoding: large or chunked uploads
  • User-Agent: known malicious UA strings via signatures
  • Authorization / custom headers: encoded exfiltration vectors
  • Body entropy: Base64 or compressed data in unexpected fields

TLS

RFCTitleRelevance
RFC 8446TLS 1.3Current TLS standard; ClientHello parsed for JA3
RFC 5246TLS 1.2Still widely deployed; both versions handled
RFC 6066TLS ExtensionsSNI (Server Name Indication), visible pre-encryption
RFC 5280X.509 PKI Certificate ProfileCertificate field inspection (CN, SANs, validity)

What the TLS DPI module can extract without decryption

TLS fieldVisibleUsed for
SNIClientHelloDomain reputation, DGA detection
Cipher suitesClientHelloJA3 fingerprint
TLS versionClientHelloJA3 fingerprint, outdated version detection
Certificate CN / SANsServer certificateSuspicious issuers, wildcard abuse
Certificate validityServer certificateRecently issued certs (< 30 days) are suspicious
Session resumptionHandshakeHigh frequency = possible covert channel
Payload contentEncryptedOut of scope (requires MitM)

Windows Filtering Platform (WFP)

ReferenceTitleRelevance
WFP DocumentationWindows Filtering PlatformDriver uses WFP callouts for packet interception at Ring 0
WDKWindows Driver KitBuild toolchain for the kernel driver
KMDFKernel-Mode Driver FrameworkDriver framework used for WFP callout registration

gRPC / Protobuf

ReferenceTitleRelevance
gRPCgRPC DocumentationAgent-to-server communication protocol
Protocol BuffersProtobuf v3Wire format for PacketMetadata, FlowRecord, Alert messages
mTLSMutual TLSAgent-server mutual authentication

Rust Crates

Key external crates used across the workspace.

CrateVersionPurpose
tonic0.xgRPC server and client implementation
prost0.xProtobuf code generation and serialization
axum0.xHTTP server for dashboard API and health endpoints
tower-http0.xHTTP middleware (CORS, tracing, compression)
rusqlite0.xSQLite for local alert storage and configuration
windows-sys0.xWindows API bindings for agent and installer
wdk0.xWindows Driver Kit Rust bindings for kernel driver
wdk-sys0.xRaw FFI bindings for WDK
rcgen0.xX.509 certificate generation for mTLS
rustls0.23TLS implementation for mTLS and ClientHello inspection
dns-parser0.xDNS wire format parsing
httparse1.xZero-copy HTTP/1.x parser
regex1.xSignature condition matching
serde_yaml0.9YAML rule deserialization
notify6.xFile system watching for hot-reload
thiserror2.xLibrary error types
anyhow1.xApplication error handling
tokio1.xAsync runtime

On this page