DECNET

anti/DECNET

Fork 0

Commit Graph

Author	SHA1	Message	Date
anti	d4591b38dc	fix(profiler): aggregate bash PROMPT_COMMAND lines into attacker profile SSH/telnet decky containers emit shell commands via `logger -t bash "CMD …"` which produces RFC 5424 lines with MSGID=NIL. Both parsers were leaving event_type="-", so the behavioral profiler's `_COMMAND_EVENT_TYPES` filter silently dropped them — the IP profile existed but no command transcripts or artifacts. Confirmed in the wild: 44/48 events from one attacker were event_type="-". Rewrite event_type to "command" in both parsers when MSGID=NIL and the msg starts with "CMD ". Correlation parser also extracts the cmd= payload into fields["command"] so the profiler can build the transcript; collector parser leaves fields={} to avoid duplicate pills in the dashboard.	2026-04-28 19:09:41 -04:00
anti	862e4dbb31	merge: testing → main (reconcile 2-week divergence)	2026-04-28 18:36:00 -04:00
anti	c384a3103a	refactor: separate engine, collector, mutator, and fleet into independent subpackages - decnet/engine/ — container lifecycle (deploy, teardown, status); _kill_api removed - decnet/collector/ — Docker log streaming (moved from web/collector.py) - decnet/mutator/ — mutation engine (no longer imports from cli or duplicates deployer code) - decnet/fleet.py — shared decky-building logic extracted from cli.py Cross-contamination eliminated: - web router no longer imports from decnet.cli - mutator no longer imports from decnet.cli - cli no longer imports from decnet.web - _kill_api() moved to cli (process management, not engine concern) - _compose_with_retry duplicate removed from mutator	2026-04-12 00:26:22 -04:00

Author

SHA1

Message

Date

anti

d4591b38dc

fix(profiler): aggregate bash PROMPT_COMMAND lines into attacker profile

SSH/telnet decky containers emit shell commands via `logger -t bash "CMD …"`
which produces RFC 5424 lines with MSGID=NIL. Both parsers were leaving
event_type="-", so the behavioral profiler's `_COMMAND_EVENT_TYPES` filter
silently dropped them — the IP profile existed but no command transcripts
or artifacts. Confirmed in the wild: 44/48 events from one attacker were
event_type="-".

Rewrite event_type to "command" in both parsers when MSGID=NIL and the
msg starts with "CMD ". Correlation parser also extracts the cmd= payload
into fields["command"] so the profiler can build the transcript; collector
parser leaves fields={} to avoid duplicate pills in the dashboard.

2026-04-28 19:09:41 -04:00

anti

862e4dbb31

merge: testing → main (reconcile 2-week divergence)

2026-04-28 18:36:00 -04:00

anti

c384a3103a

refactor: separate engine, collector, mutator, and fleet into independent subpackages

- decnet/engine/ — container lifecycle (deploy, teardown, status); _kill_api removed
- decnet/collector/ — Docker log streaming (moved from web/collector.py)
- decnet/mutator/ — mutation engine (no longer imports from cli or duplicates deployer code)
- decnet/fleet.py — shared decky-building logic extracted from cli.py

Cross-contamination eliminated:
- web router no longer imports from decnet.cli
- mutator no longer imports from decnet.cli
- cli no longer imports from decnet.web
- _kill_api() moved to cli (process management, not engine concern)
- _compose_with_retry duplicate removed from mutator

2026-04-12 00:26:22 -04:00

3 Commits