fix: normalize SSH bash CMD lines to service=ssh, event_type=command

The SSH honeypot logs commands via PROMPT_COMMAND logger as:
  <14>1 ... bash - - -  CMD uid=0 pwd=/root cmd=ls
These lines had service=bash and event_type=-, so the attacker worker
never recognized them as commands. Both the collector and correlation
parsers now detect the CMD pattern and normalize to service=ssh,
event_type=command, with uid/pwd/command in fields.

decnet/collector/worker.py

@@ -32,6 +32,10 @@ _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
 _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
 _IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
 
+# bash PROMPT_COMMAND logger output: "CMD uid=0 pwd=/root cmd=ls -lah"
+_BASH_CMD_RE = re.compile(r"CMD\s+uid=(\S+)\s+pwd=(\S+)\s+cmd=(.*)")
+
+
 
 def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
     """
@@ -70,6 +74,16 @@ def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
     except ValueError:
         ts_formatted = ts_raw
 
+    # Normalize bash CMD lines from SSH honeypot PROMPT_COMMAND logger
+    if service == "bash" and msg:
+        cmd_match = _BASH_CMD_RE.match(msg)
+        if cmd_match:
+            service = "ssh"
+            event_type = "command"
+            fields["uid"] = cmd_match.group(1)
+            fields["pwd"] = cmd_match.group(2)
+            fields["command"] = cmd_match.group(3)
+
     return {
         "timestamp": ts_formatted,
         "decky": decky,