anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: SSH log relay emits proper DECNET syslog for sshd events

Browse Source 
New log_relay.py replaces raw 'cat' on the rsyslog pipe. Intercepts
sshd and bash lines and re-emits them as structured RFC 5424 events:
login_success, session_opened, disconnect, connection_closed, command.
Parsers updated to accept non-nil PROCID (sshd uses PID).
This commit is contained in:
anti
2026-04-14 02:07:35 -04:00
parent a6c7cfdf66
commit 7ff5703250
8 changed files with 240 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
tests/test_correlation.py
View File

@@ -155,37 +155,17 @@ class TestParserAttackerIP:
assert parse_line(line) is None
class TestParserBashNormalization:
def test_bash_cmd_normalized_to_ssh_command(self):
line = '<14>1 2026-04-14T05:48:12.628417+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=ls /var/www/html'
class TestParserProcidFlexibility:
def test_non_nil_procid_accepted(self):
line = '<38>1 2026-04-14T05:48:12.611006+00:00 SRV-BRAVO-13 sshd 282 - - Accepted password for root'
event = parse_line(line)
assert event is not None
assert event.service == "ssh"
assert event.event_type == "command"
assert event.fields["command"] == "ls /var/www/html"
assert event.fields["uid"] == "0"
assert event.fields["pwd"] == "/root"
assert event.service == "sshd"
assert event.decky == "SRV-BRAVO-13"
def test_bash_cmd_simple(self):
line = '<14>1 2026-04-14T05:48:13.332072+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=ls'
event = parse_line(line)
def test_nil_procid_still_works(self):
event = parse_line(_make_line())
assert event is not None
assert event.service == "ssh"
assert event.fields["command"] == "ls"
def test_bash_non_cmd_stays_as_bash(self):
line = '<14>1 2026-04-14T05:48:12.628417+00:00 SRV-BRAVO-13 bash - - - some other bash message'
event = parse_line(line)
assert event is not None
assert event.service == "bash"
assert event.event_type == "-"
def test_bash_cmd_with_complex_command(self):
line = '<14>1 2026-04-14T05:48:32.006502+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=cat /etc/passwd | grep root'
event = parse_line(line)
assert event is not None
assert event.service == "ssh"
assert event.fields["command"] == "cat /etc/passwd | grep root"
# ---------------------------------------------------------------------------