fix(collector): strip port from remote_addr before attacker identity resolution

host:port in remote_addr was creating a distinct Attacker row per TCP
connection instead of per IP. Split on the last ':' in parse_rfc5424;
preserve the port as fields['remote_port'] so repeated source ports are
retained as fingerprint signal in bounty payloads.
2026-05-10 04:06:42 -04:00
parent 6a6f5807aa
commit f11def0af1
3 changed files with 25 additions and 1 deletions


@@ -472,7 +472,14 @@ def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
attacker_ip = "Unknown"
for fname in _IP_FIELDS:
if fname in fields:
attacker_ip = fields[fname]
raw = fields[fname]
# remote_addr may be "host:port" — split so identity keys on IP only.
host, _, port = raw.rpartition(":")
if host and port.isdigit():
attacker_ip = host.strip("[]") # handle [::1]:port IPv6 form
fields.setdefault("remote_port", port)
else:
attacker_ip = raw
break
# Fallback for plain `logger` callers that don't use SD params (notably