Synapse is an active NDR platform that detects and blocks threats at the network layer using eBPF, JA4+ fingerprinting, a multi-backend firewall, and a full reverse proxy. It protects traffic east-west (internal, between services) and north-south (perimeter, internet ↔ services) in real time — from a single binary.
What makes it active:
- eBPF/XDP blocks at kernel speed — enforcement happens before packets reach userspace; no overhead on passing traffic
- JA4+ fingerprint blocking — identify and block clients, bots, and attack tools by TLS/TCP/HTTP behaviour, independent of IP address
- Unified enforcement — firewall, WAF, rate limiting, CAPTCHA, and IDS in the same data path; no separate tools to chain
- Multi-backend firewall — XDP → nftables → iptables automatic fallback ensures coverage on any Linux kernel; Windows via eBPF for Windows
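JA4+ blocking, listed above, keys enforcement on how a client negotiates TLS rather than on its address. The following is an added example, not Synapse's code: it derives the JA4 fingerprint (FoxIO spec) from a ClientHello that has already been parsed into a dict, and returns a block/pass verdict against a blocklist; the dict layout, the sample hello and the blocklist are assumptions of this example, and the raw JA4_r form is included so the sorted cipher and extension lists can be read directly.

```python
# Added example, not Synapse's code: JA4 (FoxIO spec) from a ClientHello already decoded into a dict.
import hashlib

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # 0x0a0a ... 0xfafa, ignored everywhere per spec
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI, ALPN, SIG_ALGS = 0x0000, 0x0010, 0x000d

def hash12(s: str) -> str:
    # First 12 hex chars of SHA-256; an empty list hashes to twelve zeros per spec.
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "0" * 12

def hexlist(values) -> str:
    return ",".join("%04x" % v for v in values)

def alpn_chars(alpn: bytes) -> str:
    # First and last char of the first ALPN value; non-alphanumeric bytes fall back to hex digits.
    if not alpn:
        return "00"
    pick = lambda b, i: chr(b) if b < 128 and chr(b).isalnum() else ("%02x" % b)[i]
    return pick(alpn[0], 0) + pick(alpn[-1], 1)

def ja4(hello: dict, proto: str = "t", raw: bool = False) -> str:
    # Returns hashed JA4, or JA4_r when raw=True. The dict layout is this example's assumption.
    ciphers = sorted(c for c in hello["cipher_suites"] if c not in GREASE)
    exts = [e for e in hello["extensions"] if e not in GREASE]
    versions = [v for v in hello.get("supported_versions", []) if v not in GREASE]
    version = max(versions) if versions else hello["version"]
    alpn = hello.get("alpn") or [b""]
    ja4_a = "%s%s%s%02d%02d%s" % (
        proto, TLS_VERSIONS.get(version, "00"), "d" if SNI in exts else "i",
        min(len(ciphers), 99), min(len(exts), 99), alpn_chars(alpn[0]))
    ja4_b = hexlist(ciphers)
    # SNI and ALPN count toward the extension total but are left out of the hash.
    ja4_c = hexlist(e for e in sorted(exts) if e not in (SNI, ALPN))
    if SIG_ALGS in exts:  # signature algorithms are appended in their original order
        ja4_c += "_" + hexlist(s for s in hello.get("signature_algorithms", []) if s not in GREASE)
    parts = [ja4_a, ja4_b, ja4_c] if raw else [ja4_a, hash12(ja4_b), hash12(ja4_c)]
    return "_".join(parts)

def verdict(hello: dict, blocked: set) -> str:
    # Enforcement keyed on the fingerprint, so one rule covers every source IP.
    return "block" if ja4(hello) in blocked else "pass"

BROWSER_HELLO = {  # constructed, browser-like ClientHello; GREASE values included on purpose
    "version": 0x0303, "supported_versions": [0x3a3a, 0x0304, 0x0303],
    "cipher_suites": [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
                      0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    "extensions": [0x2a2a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010, 0x0005,
                   0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469, 0x0015, 0x3a3a],
    "alpn": [b"h2", b"http/1.1"],
    "signature_algorithms": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
}
```

The first ten characters (here `t13d1516h2`) are readable without any hashing: TCP, TLS 1.3, SNI present, 15 ciphers, 16 extensions, ALPN `h2`.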
Linux kernel 4.18+ · Windows Server 2022+ / Windows 11+
```bash
# Install
curl -fSL https://raw.githubusercontent.com/gen0sec/synapse/refs/heads/main/install.sh | sh

# Run with config
synapse -c /etc/synapse/config.yaml

# Run with terminal TUI
synapse -c /etc/synapse/config.yaml --terminal
```

```powershell
# One-liner install (run as Administrator)
iwr -useb https://raw.githubusercontent.com/gen0sec/synapse/main/install.ps1 | iex
# Or: double-click install.bat (auto-elevates)

# Manage the service (sc.exe spelled out: in Windows PowerShell a bare `sc` is the Set-Content alias)
sc.exe start Synapse
sc.exe stop Synapse
sc.exe control Synapse paramchange   # reload config
```

Synapse runs in two modes that share the same eBPF/XDP kernel layer. Choose based on whether you need L7 inspection.
Agent mode deploys transparently — traffic passes to its destination unchanged while Synapse enforces blocking at the kernel. Protects east-west and north-south without being in the data path.
Proxy mode is inline — Synapse terminates TLS, inspects at L7, then forwards to the upstream. Adds WAF, CAPTCHA, rate limiting, and content scanning.
| Feature | Proxy | Agent |
|---|---|---|
| eBPF/XDP Packet Filtering | ✅ | ✅ |
| Access Rules (4M IPv4 / 1M IPv6 CIDRs) | ✅ | ✅ |
| CIDR Coalescing | ✅ | ✅ |
| JA4T · JA4TS · JA4L · JA4LS (TCP/IP fingerprints) | ✅ | ✅ |
| IDS / Intrusion Detection | ✅ | ✅ |
| Threat Intelligence & GeoIP | ✅ | ✅ |
| BPF Stats & TCP Fingerprinting | ✅ | ✅ |
| Event Sending (Fingerprint + IDS) | ✅ | ✅ |
| Terminal TUI (ratatui) | ✅ | ✅ |
| File / Syslog / ETW Logging | ✅ | ✅ |
| Windows Service (SCM) | ✅ | ✅ |
| HTTP/HTTPS Reverse Proxy | ✅ | ❌ |
| TLS & ACME Certificates | ✅ | ❌ |
| JA4 · JA4H · JA4S · JA4X (application fingerprints) | ✅ | ❌ |
| WAF (Wirefilter expressions) | ✅ | ❌ |
| Rate Limiting | ✅ | ❌ |
| CAPTCHA Protection | ✅ | ❌ |
| Content Scanning (ClamAV) | ✅ | ❌ |
| Windows Support | ✅ |
→ Full comparison and choosing a mode
```mermaid
flowchart TD
A1([Internet / North-South]) --> K
A2([Internal Services / East-West]) --> K
subgraph K[eBPF / XDP - Kernel Layer]
K1[Access Rules / JA4+ Fingerprinting / Threat Intel / IDS]
K2[XDP DROP - Blocked]
K3[XDP PASS]
K1 --> K2
K1 --> K3
end
K3 --> Agent
K3 --> Proxy
subgraph Agent[Agent Mode - Transparent]
AG1[Transparent pass-through]
AG2[EventBridge / SIEM]
end
subgraph Proxy[Proxy Mode - Inline]
PR1[TLS Termination]
PR2[WAF / CAPTCHA / Rate Limit]
PR3[ClamAV Content Scanning]
PR4[Forward to Upstream]
PR1 --> PR2 --> PR3 --> PR4
end
Agent --> Up[Backend / Upstream]
Proxy --> Up
```
→ Full architecture diagram and component map
| Document | Covers |
|---|---|
| Installation | Linux, Windows, Ansible, Kubernetes, Docker, build from source |
| Deployment Modes | Agent vs Proxy: full comparison, use cases, decision guide |
| Configuration | CLI flags, YAML examples, feature toggles, hot-reload |
| Features | eBPF firewall, JA4+ blocking, WAF, TLS, IDS, CAPTCHA, TUI |
| Firewall Backends | XDP → nftables → iptables fallback chain, diagnostics |
| EventBridge API | Stream fingerprint events to your SIEM or 3rd-party tools |
| Requirements | Kernel, OS, dependencies, tested platforms |
| Architecture | Data-flow diagram, component map, performance |
| Environment Variables | Complete AX_* environment variable reference |
- Cloudflare for Pingora and Wirefilter
- Aralaz for Aralez