Data Flow
Network Traffic Flow
Agent Mode
In agent mode, Synapse operates as a kernel-level firewall with no HTTP proxying.
- XDP filtering — Packets are evaluated at the earliest possible point in the kernel (< 1 µs). Known-bad IPs from threat intelligence and access rules are dropped before reaching the network stack.
- Firewall backend — Synapse auto-selects the best available backend: XDP > nftables > iptables > userland. Rules from the Gen0Sec API (allow/block lists) are enforced here.
- TCP fingerprinting — JA4T and JA4L fingerprints are captured from SYN packets for OS identification and latency measurement.
- Clean traffic reaches the application directly — no proxying overhead.
Proxy Mode
In proxy mode, Synapse adds full reverse proxy capabilities on top of agent features.
- XDP filtering — Same kernel-level packet filtering as agent mode.
- TLS termination — Handles TLS with automatic ACME certificate management. JA4 (ClientHello) and JA4S (ServerHello) fingerprints are captured during the handshake.
- WAF engine — Wirefilter-compatible expression language evaluates requests against security rules. GeoIP and ASN data enrich rule evaluation.
- CAPTCHA — Suspicious requests can be challenged with hCaptcha, reCAPTCHA, or Turnstile.
- Content scanning — Request bodies are scanned for malware via ClamAV integration.
- Reverse proxy — Clean requests are forwarded to upstream servers with weighted load balancing.
- JA4H fingerprinting — HTTP request headers are fingerprinted at the application layer.
Threat Intelligence Flow
Synapse continuously syncs threat data from the Gen0Sec API.
| Data Source | Update Method | Used By |
|---|---|---|
| Gen0Sec Threat API | Periodic API polling | Access rules, IP reputation |
| Threat MMDB | File-based, hot-reloadable | GeoIP, ASN, threat scoring |
| GeoIP MMDB | File-based, hot-reloadable | Country/city/ASN lookups |
| Access Rules | API sync + SIGHUP reload | Firewall allow/block lists |
| Cerebellum Verdicts | Real-time push | Threat classification updates |
Fingerprinting Pipeline
JA4+ fingerprints are captured at different layers and included in every access log entry.
| Layer | Fingerprints | Capture Point |
|---|---|---|
| TCP | JA4T, JA4TS, JA4L, JA4LS | SYN/SYN-ACK packets |
| TLS | JA4, JA4S, JA4X | TLS handshake |
| HTTP | JA4H | Request headers |
| SSH | JA4SSH | SSH session traffic |
| DHCP | JA4D, JA4D6 | DHCP messages |
| Scan | JA4TScan | Active TCP probes |
Fingerprints flow into:
- Access logs — Every request includes all available fingerprints
- Event queue — Batched for downstream analysis
- Cerebellum — ML correlation across all sensors
Event & Log Processing
Synapse uses a unified event queue for all telemetry.
Event Types
| Event | Description | Interval |
|---|---|---|
| Access log | Per-request log with fingerprints, GeoIP, threat data | Real-time |
| TCP fingerprint stats | Aggregated SYN fingerprint statistics | Configurable (default 60s) |
| Fingerprint events | Individual fingerprint observations | Configurable (default 30s) |
| BPF stats | eBPF program statistics and dropped IPs | Configurable (default 60s) |
| Threat intel updates | Access rule and threat feed sync results | On sync |
Log Output
Access logs include full request context with all fingerprints:
```json
{
  "timestamp": "2025-10-29T12:34:56.789Z",
  "client_ip": "192.168.1.100",
  "geo": { "country": "US", "city": "San Francisco", "asn": 13335 },
  "http": {
    "method": "GET",
    "path": "/api/data",
    "status": 200,
    "ja4h": "ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"
  },
  "tls": {
    "ja4": "t13d1516h2_8daaf6152771_b186095e22b6",
    "ja4s": "t1302h2_1301_a56c5b993250",
    "ja4x": "aae71e8db6d7_b186095e22b6_c1a4f9e7d8b3"
  },
  "tcp": {
    "ja4t": "65535_2-4-8-1-3_1460_7",
    "ja4l": "12500_64"
  }
}
```
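As an added example (not Synapse's own code), a small consumer for access-log lines in the layout above: it splits a JA4T value into its TCP fields and groups client IPs by their JA4 TLS fingerprint, so that one client stack showing up from many addresses stands out for downstream analysis. Field names follow the log sample; the additional IPs and the second JA4 value are constructed.

```python
import json
from collections import defaultdict

# Constructed sample access-log lines in the layout shown above (not real traffic).
# Two different client IPs present the same JA4 TLS fingerprint; a third differs.
SAMPLE_ENTRIES = [
    {"client_ip": "192.168.1.100", "http": {"path": "/api/data", "status": 200},
     "tls": {"ja4": "t13d1516h2_8daaf6152771_b186095e22b6"},
     "tcp": {"ja4t": "65535_2-4-8-1-3_1460_7", "ja4l": "12500_64"}},
    {"client_ip": "192.168.1.101", "http": {"path": "/login", "status": 401},
     "tls": {"ja4": "t13d1516h2_8daaf6152771_b186095e22b6"},
     "tcp": {"ja4t": "65535_2-4-8-1-3_1460_7", "ja4l": "9800_64"}},
    {"client_ip": "10.0.0.5", "http": {"path": "/", "status": 200},
     "tls": {"ja4": "t13d1517h2_5b57614c22b0_3d5424432f57"},  # constructed value
     "tcp": {"ja4t": "64240_2-4-8-1-3_1460_7", "ja4l": "150_128"}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_ENTRIES]


def parse_ja4t(ja4t):
    """Split a JA4T string into window size, TCP option kinds, MSS and window scale."""
    window, options, mss, scale = ja4t.split("_")
    return {
        "window": int(window),
        "options": [int(o) for o in options.split("-")] if options else [],
        "mss": int(mss),
        "window_scale": int(scale),
    }


def ips_per_ja4(lines):
    """Map each JA4 (TLS ClientHello) fingerprint to the sorted client IPs that presented it."""
    seen = defaultdict(set)
    for line in lines:
        entry = json.loads(line)
        ja4 = entry.get("tls", {}).get("ja4")
        if ja4:
            seen[ja4].add(entry["client_ip"])
    return {fp: sorted(ips) for fp, ips in seen.items()}


def shared_fingerprints(lines, min_ips=2):
    """Fingerprints seen from at least min_ips distinct addresses: the same client
    stack spread across many sources, which merits a closer look downstream."""
    return {fp: ips for fp, ips in ips_per_ja4(lines).items() if len(ips) >= min_ips}
```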
Full Platform Data Flow
When deployed as a full stack (Cerebrum + Synapse + Jailer + Cerebellum), data flows across all components.
- Cerebrum captures wire-speed metadata (JA4+ fingerprints, IDS alerts) and sends it to Cerebellum
- Synapse sends access logs, fingerprint events, and threat data to Cerebellum
- Cerebellum runs ML inference across all sensor data, correlates cross-site patterns, and pushes updated threat verdicts back to Cerebrum and Synapse in milliseconds
- Jailer enforces per-process sandboxing (file, network, exec control) — operates independently with zero overhead
Service Discovery
Synapse discovers upstream servers through multiple providers with hot-reload support.
| Provider | Config | Hot-Reload |
|---|---|---|
| File | YAML/JSON upstream definitions | SIGHUP |
| Consul | Service catalog integration | Automatic |
| Kubernetes | Service/endpoint discovery | Automatic |
Upstream changes are applied without restart — active connections drain gracefully.