fix: use WARNING prefix for monitoring-only alerts, handle all TCP states in lsof

leos565 · leos565 · commit 9f17affb017b · 2026-02-25T22:47:47.000+02:00
- Network monitor alerts now use 'WARNING [rule_id]' instead of
  'BLOCKED [rule_id]' to accurately reflect monitoring-only detection
- Dashboard regex updated to match both BLOCKED and WARNING prefixes
- lsof parser now handles all TCP states (SYN_SENT, CLOSE_WAIT, etc.)
  not just ESTABLISHED; skips LISTEN sockets
- E2E test verified: connection to blocked IP-005 (144.76.217.73)
  detected and alert shown in dashboard
diff --git a/deploy/dashboard/app.py b/deploy/dashboard/app.py
@@ -56,7 +56,7 @@
 _BLOCK_LINE_RE = re.compile(
     r"(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}[,.]?\d*)\s+"
     r"WARNING\s+\[[\w.]+\]\s+"
-    r"BLOCKED\s+\[([A-Z0-9_-]+)\]\s+(.*)"
+    r"(?:BLOCKED|WARNING)\s+\[([A-Z0-9_-]+)\]\s+(.*)"
 )
 
 
diff --git a/deploy/macos/log_tailer.py b/deploy/macos/log_tailer.py
@@ -324,18 +324,24 @@ def monitor_network_connections() -> None:
                 time.sleep(NET_POLL_INTERVAL)
                 continue
 
-            # Parse lsof output for ESTABLISHED TCP connections
-            # Format: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
-            # NAME looks like: 1.2.3.4:443->5.6.7.8:12345 (ESTABLISHED)
+            # Parse lsof output for TCP connections (any state)
+            # Format: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
+            # NAME looks like: 192.168.1.1:54321->104.22.10.63:443
+            # STATE can be: (ESTABLISHED), (SYN_SENT), (CLOSE_WAIT), (LISTEN), etc.
             ip_re = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)")
 
             for line in lsof_out.stdout.splitlines():
                 if "TCP" not in line:
                     continue
+                # Skip LISTEN sockets (incoming, not outbound connections)
+                if "(LISTEN)" in line:
+                    continue
                 parts = line.split()
                 if len(parts) < 9:
                     continue
-                name = parts[-1] if parts[-1] != "(ESTABLISHED)" else parts[-2]
+                # The connection info is the second-to-last field if state is present,
+                # or the last field if no state. State is always in parens.
+                name = parts[-2] if parts[-1].startswith("(") else parts[-1]
                 # Extract remote IP from "local->remote" format
                 if "->" in name:
                     remote_part = name.split("->")[1]
@@ -357,7 +363,7 @@ def monitor_network_connections() -> None:
                         if alert_key not in seen_alerts:
                             seen_alerts.add(alert_key)
                             block_logger.warning(
-                                "BLOCKED [%s] action=network-connect target=%s (IP match)",
+                                "WARNING [%s] action=network-connect target=%s (IP match, monitoring-only)",
                                 rid, remote_ip,
                             )
                             dispatch_alert_async(
@@ -380,7 +386,7 @@ def monitor_network_connections() -> None:
                             if alert_key not in seen_alerts:
                                 seen_alerts.add(alert_key)
                                 block_logger.warning(
-                                    "BLOCKED [%s] action=dns-lookup target=%s (resolved from %s)",
+                                    "WARNING [%s] action=dns-lookup target=%s (resolved from %s, monitoring-only)",
                                     rid, blocked_domain, remote_ip,
                                 )
                                 dispatch_alert_async(

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@`
`56`	`56`	`_BLOCK_LINE_RE = re.compile(`
`57`	`57`	`r"(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}[,.]?\d*)\s+"`
`58`	`58`	`r"WARNING\s+\[[\w.]+\]\s+"`
`59`		`- r"BLOCKED\s+\[([A-Z0-9_-]+)\]\s+(.*)"`
	`59`	`+ r"(?:BLOCKED\|WARNING)\s+\[([A-Z0-9_-]+)\]\s+(.*)"`
`60`	`60`	`)`
`61`	`61`
`62`	`62`