From a4798946c10d7ae6c7f7bc0c993ac00c7a43c7c9 Mon Sep 17 00:00:00 2001
From: anti
Date: Wed, 15 Apr 2026 17:23:33 -0400
Subject: [PATCH] fix: add remote_addr to IP field lookup so http/https/k8s events are attributed correctly

Templates for http, https, k8s, and docker_api log the client IP as remote_addr (Flask's request.remote_addr) instead of src_ip. The collector and correlation parser only checked src_ip/src/client_ip/remote_ip/ip, so every request event from those services was stored with attacker_ip="Unknown" and never associated with any attacker profile.

Adding remote_addr to _IP_FIELDS in both collector/worker.py and correlation/parser.py fixes attribution. The profiler cursor was also reset to 0 so the worker performs a cold rebuild and re-ingests existing events with the corrected field mapping.
---
 decnet/collector/worker.py | 2 +-
 decnet/correlation/parser.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/decnet/collector/worker.py b/decnet/collector/worker.py
index 1e97db7..63c6018 100644
--- a/decnet/collector/worker.py
+++ b/decnet/collector/worker.py
@@ -114,7 +114,7 @@ _RFC5424_RE = re.compile(
 )
 _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
 _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
-_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
+_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
 
 
 def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
diff --git a/decnet/correlation/parser.py b/decnet/correlation/parser.py
index e457254..b6b95ac 100644
--- a/decnet/correlation/parser.py
+++ b/decnet/correlation/parser.py
@@ -38,7 +38,7 @@ _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
 _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
 
 # Field names to probe for attacker IP, in priority order
-_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
+_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
 
 
 @dataclass
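Review bot: The `_IP_FIELDS` tuple is still maintained as two independent copies (this hunk in decnet/collector/worker.py and the one in decnet/correlation/parser.py), and this bug existed precisely because both copies had to be edited in lockstep and one field name was missed; defining the tuple once in the correlation parser module and importing it in the collector would remove that drift risk. At minimum, worker.py should carry the same explanatory comment parser.py already has, `# Field names to probe for attacker IP, in priority order`, so the next reader knows the order matters. The description also says the profiler cursor was reset to 0 to force a cold rebuild, but no such change appears in the diff, so that step presumably happened out of band and should be recorded in the commit message as an operational action rather than implied to be part of the patch. The code that probes these field names and turns the value into an attacker profile key is outside both hunks; if it does not already validate the extracted string as an address (e.g. via `ipaddress.ip_address`), that would be worth confirming, since a malformed value would otherwise become a profile key.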