fix: normalize SSH bash CMD lines to service=ssh, event_type=command

The SSH honeypot logs commands via PROMPT_COMMAND logger as: <14>1 ... bash - - - CMD uid=0 pwd=/root cmd=ls These lines had service=bash and event_type=-, so the attacker worker never recognized them as commands. Both the collector and correlation parsers now detect the CMD pattern and normalize to service=ssh, event_type=command, with uid/pwd/command in fields.
2026-04-14 01:54:36 -04:00
parent 7ecb126c8e
commit a6c7cfdf66
4 changed files with 89 additions and 0 deletions
--- a/decnet/correlation/parser.py
+++ b/decnet/correlation/parser.py
@@ -40,6 +40,9 @@ _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
 # Field names to probe for attacker IP, in priority order
 _IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")

+# bash PROMPT_COMMAND logger output: "CMD uid=0 pwd=/root cmd=ls -lah"
+_BASH_CMD_RE = re.compile(r"CMD\s+uid=(\S+)\s+pwd=(\S+)\s+cmd=(.*)")
+

@dataclass
 class LogEvent:
@@ -99,6 +102,19 @@ def parse_line(line: str) -> LogEvent | None:
        return None

    fields = _parse_sd_params(sd_rest)
+
+    # Normalize bash CMD lines from SSH honeypot PROMPT_COMMAND logger
+    if service == "bash":
+        # Free-text MSG follows the SD element (which is "-" for these lines)
+        msg = sd_rest.lstrip("- ").strip()
+        cmd_match = _BASH_CMD_RE.match(msg)
+        if cmd_match:
+            service = "ssh"
+            event_type = "command"
+            fields["uid"] = cmd_match.group(1)
+            fields["pwd"] = cmd_match.group(2)
+            fields["command"] = cmd_match.group(3)
+
    attacker_ip = _extract_attacker_ip(fields)

    return LogEvent(