anti a6c7cfdf66 fix: normalize SSH bash CMD lines to service=ssh, event_type=command ...

The SSH honeypot logs commands via PROMPT_COMMAND logger as:
  <14>1 ... bash - - -  CMD uid=0 pwd=/root cmd=ls
These lines had service=bash and event_type=-, so the attacker worker
never recognized them as commands. Both the collector and correlation
parsers now detect the CMD pattern and normalize to service=ssh,
event_type=command, with uid/pwd/command in fields.

2026-04-14 01:54:36 -04:00

4.0 KiB

Raw Blame History

View Raw