{"id":26159600,"url":"https://github.com/tux3/crowdstrike-cloudproto","last_synced_at":"2025-04-14T10:53:49.642Z","repository":{"id":58073692,"uuid":"529879665","full_name":"tux3/crowdstrike-cloudproto","owner":"tux3","description":"Async rust support for the reverse-engineered Crowdstrike Falcon protocol between the Sensor and cloud services","archived":false,"fork":false,"pushed_at":"2023-03-10T21:28:54.000Z","size":46,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T00:11:12.276Z","etag":null,"topics":["crowdstrike-falcon","networking","protocol","reverse-engineering","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tux3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-28T14:04:12.000Z","updated_at":"2024-07-31T00:40:05.000Z","dependencies_parsed_at":"2025-03-11T11:43:42.370Z","dependency_job_id":null,"html_url":"https://github.com/tux3/crowdstrike-cloudproto","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tux3%2Fcrowdstrike-cloudproto","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tux3%2Fcrowdstrike-cloudproto/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tux3%2Fcrowdstrike-cloudproto/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tux3%2Fcrowdstrike-cloudpro
to/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tux3","download_url":"https://codeload.github.com/tux3/crowdstrike-cloudproto/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248637352,"owners_count":21137531,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crowdstrike-falcon","networking","protocol","reverse-engineering","rust"],"created_at":"2025-03-11T11:33:03.384Z","updated_at":"2025-04-14T10:53:49.613Z","avatar_url":"https://github.com/tux3.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![crates.io](https://img.shields.io/crates/v/crowdstrike-cloudproto.svg)](https://crates.io/crates/crowdstrike-cloudproto)\n![Apache 2 licensed](https://img.shields.io/crates/l/crowdstrike-cloudproto)\n![MSRV](https://img.shields.io/badge/MSRV-1.64-informational)\n[![CI](https://github.com/tux3/crowdstrike-cloudproto/workflows/CI/badge.svg)](https://github.com/tux3/crowdstrike-cloudproto/actions?query=workflow%3ACI)\n\nProvides async sockets and high-level objects that implement the protocol\nused between Crowdstrike's Falcon Sensor and the two backend services:\n- The TS event server (event collection, device monitoring, admin remote shell, ...)\n- The LFO file server (downloading updates, uploading sample files for analysis, ...)\n\nIt is also possible to implement your own private TS or LFO server,\nfor instance if you want to receive live sensor events from the official client.\n\n## Features\n\nThe [`CloudProtoSocket`](framing::CloudProtoSocket) 
implements the common low-level packet structure\nused by the official client and both cloud services.  \nYou probably want to use the higher-level TS socket or LFO client directly;\nthey are both layered over a [`CloudProtoSocket`](framing::CloudProtoSocket),\nbut they work with high-level concepts instead of [`CloudProtoPacket`](framing::CloudProtoPacket)s.\n\n### TS Event socket\n\nThe [`TsEventSocket`](services::ts::TsEventSocket) allows connecting to the TS service\nand exchanging [`Event`](services::ts::Event)s,\nwhich is how the `falcon-sensor` agent streams back live information to the cloud.\n\nYou must provide a valid Customer ID (CID) to connect to the official TS servers.  \nSee the [`TsEventSocket`](services::ts::TsEventSocket) documentation for more information.\n\n### LFO client\n\nThe [`LfoClient`](services::lfo::LfoClient) allows you to download updates and other potentially large files used by the sensor.\n\nThe client supports LFO file GET requests with optional XZ compression.  \nThere is currently no immediate plan to support uploads.\n\nYou do not need to be a Crowdstrike customer to download files from LFO.  
\n(LFO requests contain CID/AID fields, but any values are accepted).\n\n### Server functionality\n\nRunning a third-party Crowdstrike server requires using a modified client configured\nto connect to a domain you own with a valid certificate,\nor disabling certificate validation in falcon-sensor.\n\nAs of version 13601, Falcon as a whole performs no integrity checks, so it happily runs with arbitrary patches applied.\n\n### Epistemic Notice\n\nPlease note that this crate is a clean-room implementation based on observing sensor version 13601\ntalk to a third-party server in an isolated VM,\nand on using this crate to replay a few sensor events and capturing the public TS service's replies.\n\nAs a result, you should expect that this library **may not be a 100% conforming implementation**.\nIt may be missing some optional parts of the protocol, some of the reverse-engineered fields that\ndon't affect the result may lack names, and some might be named wrong entirely.\n\n## What is the Crowdstrike CLOUDPROTO?\n\nThe name \"CLOUDPROTO\" comes from a debug log message inside the falcon-sensor binary.\n\nInternally, falcon-sensor is architected around Actors (C++ objects) that exchange\nEvents (plain data) using an event bus.\nThe same events that falcon-sensor actors use internally are also used to communicate with the TS cloud server\nby carrying serialized [events](services::ts::Event) within CLOUDPROTO [frames](framing::CloudProtoPacket).\n\nEvents for the TS server are first serialized with Protobuf and complemented by\na short header that contains the event type and a transaction ID.\nThis serialized event payload is sent over a CLOUDPROTO socket, which is itself wrapped\nin a TLS session over TCP port 443.\n\nThe event protocol has a quirky ACK mechanism, which appears redundant with the TLS and TCP sockets\nit's layered over, and does not in fact appear to provide any backpressure\nor retransmission guarantees in the official implementation.  
\nThe `falcon-sensor` does send ACK packets, but seems to ignore incoming ACKs (or their absence) entirely.  \n(This is despite much of the functionality for tracking ACKs and in-flight packets\nbeing visibly present in the `falcon-sensor` binary.)\n\nThe LFO server also uses CLOUDPROTO frames to carry its messages,\nbut instead of TS events it uses simple request/response packets,\nand has no ACK mechanism at all.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftux3%2Fcrowdstrike-cloudproto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftux3%2Fcrowdstrike-cloudproto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftux3%2Fcrowdstrike-cloudproto/lists"}
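The layering the README describes under "What is the Crowdstrike CLOUDPROTO?" (a short header carrying the event type and a transaction ID in front of a Protobuf payload, with per-transaction ACKs on top) as an added Rust illustration. This is example code written for this page, not code from the `crowdstrike-cloudproto` crate or from falcon-sensor. The byte layout (a `u32` length prefix, a `u16` event type and a `u32` transaction ID, all big-endian), the `MAX_PAYLOAD` bound, and the names `EventHeader`, `FrameError`, `encode_event`, `decode_event`, `AckTracker` and `demo` are assumptions made for the illustration; the real frame and event-header formats live in the crate's `framing` and `services::ts` modules and are not described on this page. The sample payload is constructed, not a captured sensor event. The point it adds is the check a private TS server wants: every length is validated before slicing or allocating, because such a server accepts frames from sensors it does not control.

```rust
// Added illustration; NOT the crowdstrike-cloudproto crate's code.
// Wire layout is ASSUMED for this example: [u32 body_len][u16 event_type][u32 txid][payload].
use std::collections::HashSet;

/// Assumed event header: event type plus transaction ID (see README layering).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct EventHeader {
    pub event_type: u16,
    pub transaction_id: u32,
}

const HEADER_LEN: usize = 2 + 4;
/// Payload bound enforced before allocation; value chosen for the example.
pub const MAX_PAYLOAD: usize = 1 << 20;

#[derive(Debug, PartialEq, Eq)]
pub enum FrameError {
    Truncated { needed: usize, have: usize },
    Oversized(usize),
}

/// Frame a serialized event: length prefix, header, then the Protobuf bytes.
pub fn encode_event(hdr: EventHeader, protobuf: &[u8]) -> Result<Vec<u8>, FrameError> {
    if protobuf.len() > MAX_PAYLOAD {
        return Err(FrameError::Oversized(protobuf.len()));
    }
    let mut out = Vec::with_capacity(4 + HEADER_LEN + protobuf.len());
    out.extend_from_slice(&((HEADER_LEN + protobuf.len()) as u32).to_be_bytes());
    out.extend_from_slice(&hdr.event_type.to_be_bytes());
    out.extend_from_slice(&hdr.transaction_id.to_be_bytes());
    out.extend_from_slice(protobuf);
    Ok(out)
}

/// Parse one frame; returns header, payload slice and bytes consumed.
/// Every length is checked before any slicing, so a hostile sensor cannot
/// make a private server panic on a short read or allocate unboundedly.
pub fn decode_event(buf: &[u8]) -> Result<(EventHeader, &[u8], usize), FrameError> {
    if buf.len() < 4 {
        return Err(FrameError::Truncated { needed: 4, have: buf.len() });
    }
    let body_len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    if body_len < HEADER_LEN || body_len - HEADER_LEN > MAX_PAYLOAD {
        return Err(FrameError::Oversized(body_len));
    }
    let total = 4 + body_len;
    if buf.len() < total {
        return Err(FrameError::Truncated { needed: total, have: buf.len() });
    }
    let hdr = EventHeader {
        event_type: u16::from_be_bytes([buf[4], buf[5]]),
        transaction_id: u32::from_be_bytes([buf[6], buf[7], buf[8], buf[9]]),
    };
    Ok((hdr, &buf[4 + HEADER_LEN..total], total))
}

/// Transactions awaiting an ACK, i.e. what a conforming peer would track.
/// The README observes that falcon-sensor sends ACKs but ignores incoming
/// ones, so a private TS server can treat this bookkeeping as advisory.
#[derive(Default)]
pub struct AckTracker {
    in_flight: HashSet<u32>,
}

impl AckTracker {
    pub fn sent(&mut self, transaction_id: u32) {
        self.in_flight.insert(transaction_id);
    }
    /// True when the ACK matched an outstanding transaction.
    pub fn acked(&mut self, transaction_id: u32) -> bool {
        self.in_flight.remove(&transaction_id)
    }
    pub fn outstanding(&self) -> usize {
        self.in_flight.len()
    }
}

/// Round trip on a constructed payload (not a real sensor event).
pub fn demo() -> (EventHeader, Vec<u8>, usize) {
    let hdr = EventHeader { event_type: 0x0102, transaction_id: 7 };
    let frame = encode_event(hdr, b"\x08\x01\x12\x03abc").expect("payload within bound");
    let mut tracker = AckTracker::default();
    tracker.sent(hdr.transaction_id);
    let (parsed, payload, _consumed) = decode_event(&frame).expect("well-formed frame");
    tracker.acked(parsed.transaction_id);
    (parsed, payload.to_vec(), tracker.outstanding())
}

fn main() {
    let (hdr, payload, outstanding) = demo();
    println!("{hdr:?} payload={payload:?} outstanding={outstanding}");
}
```

`decode_event` returns the number of bytes consumed so a caller reading from a TLS stream can loop over a buffer that holds several frames; the `Oversized` branch rejects the length prefix before `total` is computed, which also rules out the overflow a `u32::MAX` prefix would otherwise cause.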