Open
Description
Describe the feature you'd like supported
There should be a way to write ebpf programs that could attach to the listen() socket call hook.
Proposed solution
Using netebpfext, one can write ebpf programs that attach to "bind" and "accept" but not to "listen". Listen is an important observability or security event, especially for detecting remote code execution or remote access trojan (RAT) type scenarios.
Bind is too noisy as it is also called by client applications, and does not correspond to an actual listen() socket call.
This should be achievable by registering callouts that target the FWPM_LAYER_ALE_AUTH_LISTEN_V4 / FWPM_LAYER_ALE_AUTH_LISTEN_V6 filtering identifier.
Additional context
No response
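As an added illustration of the bind-versus-listen point in the proposed solution (this is not code from ebpf-for-windows, netebpfext, or the issue author), the following Python script shows on loopback why a hook on bind() alone is a poor signal: a socket that has only been bound cannot accept a connection, and clients also call bind() before connect(). Only the socket that calls listen() becomes reachable. The port numbers and the helper name are assumptions made for the example.

```python
import socket


def bound_socket_accepts_connections(call_listen: bool) -> bool:
    """Bind a TCP socket on loopback, optionally call listen(), then try to
    connect to it from a second socket.  Returns True if the connect succeeds.

    A bind() event fires in both branches; only the call_listen=True branch
    produces something an attacker (or a RAT) could actually connect to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # bind() alone: this is the event a bind-layer hook would see, and it
        # is indistinguishable from what a client does before connecting.
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick an ephemeral port
        if call_listen:
            # listen() is the call that turns the socket into a server; this is
            # the event the feature request wants to hook.
            srv.listen(1)
        port = srv.getsockname()[1]

        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        try:
            # A client-side bind(): it also fires a bind event, which is why a
            # bind-only hook is noisy for detecting listeners.
            cli.bind(("127.0.0.1", 0))
            cli.connect(("127.0.0.1", port))
            return True
        except OSError:
            # Bound-but-not-listening port: the kernel refuses the connection.
            return False
        finally:
            cli.close()
    finally:
        srv.close()


def compare_hooks() -> dict:
    """Run both scenarios and report, per scenario, whether a bind event and a
    listen event would have fired and whether the socket was reachable."""
    return {
        "bind_only": {
            "bind_event": True,
            "listen_event": False,
            "reachable": bound_socket_accepts_connections(call_listen=False),
        },
        "bind_then_listen": {
            "bind_event": True,
            "listen_event": True,
            "reachable": bound_socket_accepts_connections(call_listen=True),
        },
    }


if __name__ == "__main__":
    for name, result in compare_hooks().items():
        print(name, result)
```

Run it on any host with a loopback interface; the bind-only scenario reports `reachable: False` while the bind-then-listen scenario reports `reachable: True`, so a detection that keys on the listen event matches exactly the sockets that accept remote connections, with no client-side false positives.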