DECNET

anti/DECNET

Fork 0

Commit Graph

Author	SHA1	Message	Date
anti	d4591b38dc	fix(profiler): aggregate bash PROMPT_COMMAND lines into attacker profile SSH/telnet decky containers emit shell commands via `logger -t bash "CMD …"` which produces RFC 5424 lines with MSGID=NIL. Both parsers were leaving event_type="-", so the behavioral profiler's `_COMMAND_EVENT_TYPES` filter silently dropped them — the IP profile existed but no command transcripts or artifacts. Confirmed in the wild: 44/48 events from one attacker were event_type="-". Rewrite event_type to "command" in both parsers when MSGID=NIL and the msg starts with "CMD ". Correlation parser also extracts the cmd= payload into fields["command"] so the profiler can build the transcript; collector parser leaves fields={} to avoid duplicate pills in the dashboard.	2026-04-28 19:09:41 -04:00
anti	862e4dbb31	merge: testing → main (reconcile 2-week divergence)	2026-04-28 18:36:00 -04:00

Author

SHA1

Message

Date

anti

d4591b38dc

fix(profiler): aggregate bash PROMPT_COMMAND lines into attacker profile

SSH/telnet decky containers emit shell commands via `logger -t bash "CMD …"`
which produces RFC 5424 lines with MSGID=NIL. Both parsers were leaving
event_type="-", so the behavioral profiler's `_COMMAND_EVENT_TYPES` filter
silently dropped them — the IP profile existed but no command transcripts
or artifacts. Confirmed in the wild: 44/48 events from one attacker were
event_type="-".

Rewrite event_type to "command" in both parsers when MSGID=NIL and the
msg starts with "CMD ". Correlation parser also extracts the cmd= payload
into fields["command"] so the profiler can build the transcript; collector
parser leaves fields={} to avoid duplicate pills in the dashboard.

2026-04-28 19:09:41 -04:00

anti

862e4dbb31

merge: testing → main (reconcile 2-week divergence)

2026-04-28 18:36:00 -04:00

2 Commits