anti
b043c96d29
The TTP worker subscribes to attacker.session.ended but no upstream component published it — the rule pack (R0001–R0030) therefore never fired on live SSH traffic even after the consume-side wiring landed in E.3.18a/b/c. The collector now hosts a per-attacker_ip command index (_SessionAggregator) that watches the same parsed-event stream as _publish_log. Shell `command` events are appended to a per-IP list; on `session_recorded` the aggregator slices the list to commands inside the [ended_at - duration_s, ended_at] window and publishes attacker.session.ended with the session metadata + commands list. The TTP worker's _build_events fan-out (E.3.18b) turns each command into a source_kind="command" TaggerEvent that the RuleEngineTagger (E.3.18c) matches against R0001–R0030. Memory bound: per-IP entries TTL-evict at DECNET_COLLECTOR_SESSION_AGG_TTL_SEC (default 3600 s). Publish failures are swallowed in the aggregator — a misbehaving bus cannot stall the per-container stream threads.
2.3 KiB
2.3 KiB