fix(profiler): aggregate bash PROMPT_COMMAND lines into attacker profile

SSH/telnet decky containers emit shell commands via `logger -t bash "CMD …"` which produces RFC 5424 lines with MSGID=NIL. Both parsers were leaving event_type="-", so the behavioral profiler's `_COMMAND_EVENT_TYPES` filter silently dropped them — the IP profile existed but no command transcripts or artifacts. Confirmed in the wild: 44/48 events from one attacker were event_type="-". Rewrite event_type to "command" in both parsers when MSGID=NIL and the msg starts with "CMD ". Correlation parser also extracts the cmd= payload into fields["command"] so the profiler can build the transcript; collector parser leaves fields={} to avoid duplicate pills in the dashboard.
2026-04-28 19:09:41 -04:00
parent 862e4dbb31
commit d4591b38dc
4 changed files with 69 additions and 0 deletions
--- a/decnet/collector/worker.py
+++ b/decnet/collector/worker.py
@@ -220,6 +220,12 @@ def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
    except ValueError:
        ts_formatted = ts_raw

+    # Free-form bash PROMPT_COMMAND lines (MSGID=NIL, body starts with
+    # "CMD ") get event_type rewritten to "command". `fields` stays empty
+    # so the frontend's msg-based pill rendering doesn't double up.
+    if event_type == "-" and msg.startswith("CMD "):
+        event_type = "command"
+
    return {
        "timestamp": ts_formatted,
        "decky": decky,