fix(collector): strip port from remote_addr before attacker identity resolution

host:port in remote_addr was creating a distinct Attacker row per TCP connection instead of per IP. Split on the last ':' in parse_rfc5424; preserve the port as fields['remote_port'] so repeated source ports are retained as fingerprint signal in bounty payloads.
2026-05-10 04:06:42 -04:00
parent 6a6f5807aa
commit f11def0af1
3 changed files with 25 additions and 1 deletions
--- a/decnet/web/ingester.py
+++ b/decnet/web/ingester.py
@@ -640,6 +640,7 @@ async def _extract_bounty(
                "protocol": _fields.get("proto") or _fields.get("protocol", "h1"),
                "method": _fields.get("method"),
                "path": _fields.get("path"),
+                "remote_port": _fields.get("remote_port"),
            },
        })

@@ -656,6 +657,7 @@ async def _extract_bounty(
                "settings": _fields.get("settings"),
                "frame_order": _fields.get("frame_order"),
                "protocol": "h2" if _evt_type == "http2_settings" else "h3",
+                "remote_port": _fields.get("remote_port"),
            },
        })