From 4b7cb42ab11f19d6c29e28188b4a1bd1b9ca7ab0 Mon Sep 17 00:00:00 2001
From: anti
Date: Thu, 30 Apr 2026 10:57:29 -0400
Subject: [PATCH] fix(profiler): extract commands when MSGID=command, not just MSGID=NIL

The Dockerfile PROMPT_COMMAND logger uses --msgid command, so the MSGID field arrives as 'command' not '-'. The CMD rewrite block was guarded by event_type == '-' so it never fired, leaving fields['command'] unpopulated and cmd_text=None for every SSH session command. Broaden the guard to also match event_type == 'command' with no existing 'command' field, which covers both the intended (MSGID=NIL) and actual (MSGID=command) wire formats.
---
 decnet/correlation/parser.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/decnet/correlation/parser.py b/decnet/correlation/parser.py
index de771a2f..65ace509 100644
--- a/decnet/correlation/parser.py
+++ b/decnet/correlation/parser.py
@@ -137,11 +137,12 @@ def parse_line(line: str) -> LogEvent | None:
 msg = tail.group(1).strip() if tail else ""
 attacker_ip = _extract_attacker_ip(fields, msg)
 
- # Free-form bash PROMPT_COMMAND lines arrive with MSGID=NIL and a body
- # like `CMD uid=0 user=root src=… pwd=… cmd=`. Without
- # this rewrite they're invisible to the behavioral profiler, which
- # filters on event_type ∈ {command, exec, query, …}.
- if event_type == "-" and msg.startswith("CMD "):
+ # Free-form bash PROMPT_COMMAND lines arrive with MSGID=NIL or MSGID=command
+ # and a body like `CMD uid=0 user=root src=… pwd=… cmd=`.
+ # Without this rewrite they're invisible to the behavioral profiler, which
+ # filters on event_type ∈ {command, exec, query, …}. The Dockerfile logger
+ # invocation uses --msgid command, so we must also handle the non-nil case.
+ if event_type in ("-", "command") and msg.startswith("CMD ") and "command" not in fields:
 event_type = "command"
 head, sep, cmd_rest = msg[4:].partition("cmd=")
 for k, v in re.findall(r'(\w+)=(\S+)', head):
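Review bot: The broadened guard now routes every SSH-session CMD line into the rewrite, but the parsing that follows still treats the body as well-formed: `msg[4:].partition("cmd=")` splits at the first `cmd=` occurrence and `re.findall(r'(\w+)=(\S+)', head)` picks up any `key=value` token in the head, so a `pwd=` value (which precedes `cmd=` in the documented format and is presumably chosen by the session user) containing `cmd=` or extra `key=value` tokens would shift the boundary or feed unexpected keys into the loop. Since these lines originate from the monitored session, the head should be parsed against the known key set rather than any `\w+`, e.g. `for k, v in re.findall(r'\b(uid|user|src|pwd)=(\S+)', head):`, and the first-occurrence `partition` assumption deserves a comment such as `# assumes the logger emits cmd= last and that no earlier field value contains "cmd=" — verify against the Dockerfile PROMPT_COMMAND`. The key names are taken from the comment's example; confirm them against the logger invocation. parse_line begins before the hunk and the loop body that consumes k and v lies past its end, so whether unknown keys are written into fields cannot be confirmed from here.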