DECNET

Author SHA1 Message Date

Author	SHA1	Message	Date
anti	a6c7cfdf66	fix: normalize SSH bash CMD lines to service=ssh, event_type=command The SSH honeypot logs commands via PROMPT_COMMAND logger as: <14>1 ... bash - - - CMD uid=0 pwd=/root cmd=ls These lines had service=bash and event_type=-, so the attacker worker never recognized them as commands. Both the collector and correlation parsers now detect the CMD pattern and normalize to service=ssh, event_type=command, with uid/pwd/command in fields.	2026-04-14 01:54:36 -04:00
anti	988732f4f9	Fix all ruff lint errors across decnet/, templates/, and tests/ Some checks failed CI / Test (pytest) (3.11) (push) Has been cancelled Details CI / Test (pytest) (3.12) (push) Has been cancelled Details Security / SAST (bandit) (push) Has been cancelled Details Security / Dependency audit (pip-audit) (push) Has been cancelled Details CI / Lint (ruff) (push) Has been cancelled Details	2026-04-04 17:36:16 -03:00
anti	bff03d1198	Add cross-decky correlation engine and `decnet correlate` command When the same attacker IP touches multiple deckies, the engine builds a chronological traversal graph and reports the lateral movement path. decnet/correlation/ parser.py — RFC 5424 line → LogEvent; handles src_ip + src field variants graph.py — AttackerTraversal / TraversalHop data types with path/duration engine.py — CorrelationEngine: ingest(), traversals(), report_table/json, traversal_syslog_lines() (emits WARNING-severity RFC 5424) __init__.py — public API re-exports decnet/cli.py — `decnet correlate` command (--log-file, --min-deckies, --output table\|json\|syslog, --emit-syslog) tests/test_correlation.py — 49 tests: parser, graph, engine, reporting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-04 13:53:30 -03:00

anti

a6c7cfdf66

fix: normalize SSH bash CMD lines to service=ssh, event_type=command

The SSH honeypot logs commands via PROMPT_COMMAND logger as:
  <14>1 ... bash - - -  CMD uid=0 pwd=/root cmd=ls
These lines had service=bash and event_type=-, so the attacker worker
never recognized them as commands. Both the collector and correlation
parsers now detect the CMD pattern and normalize to service=ssh,
event_type=command, with uid/pwd/command in fields.

2026-04-14 01:54:36 -04:00

anti

988732f4f9

Fix all ruff lint errors across decnet/, templates/, and tests/

CI / Test (pytest) (3.11) (push) Has been cancelled

Details

CI / Test (pytest) (3.12) (push) Has been cancelled

Details

Security / SAST (bandit) (push) Has been cancelled

Details

Security / Dependency audit (pip-audit) (push) Has been cancelled

Details

CI / Lint (ruff) (push) Has been cancelled

Details

2026-04-04 17:36:16 -03:00

anti

bff03d1198

Add cross-decky correlation engine and decnet correlate command

When the same attacker IP touches multiple deckies, the engine builds a
chronological traversal graph and reports the lateral movement path.

decnet/correlation/
  parser.py   — RFC 5424 line → LogEvent; handles src_ip + src field variants
  graph.py    — AttackerTraversal / TraversalHop data types with path/duration
  engine.py   — CorrelationEngine: ingest(), traversals(), report_table/json,
                traversal_syslog_lines() (emits WARNING-severity RFC 5424)
  __init__.py — public API re-exports

decnet/cli.py — `decnet correlate` command (--log-file, --min-deckies,
                --output table|json|syslog, --emit-syslog)

tests/test_correlation.py — 49 tests: parser, graph, engine, reporting

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-04 13:53:30 -03:00

3 Commits