Address PR review feedback

* Gate _suricata_http.html and _suricata_files.html Process columns on
  NETWORK_PROC_MAP (consistent with _hosts.html and per the PR description).
* _hosts.html: fall back to legacy host.process_name / host.process_id when
  host.processes is missing (preserves existing process_map enrichment for
  users who don't run the network_etw module).
* network_etw.py: include IPv6 unspecified address ":" in the localhost
  filter; lowercase hostnames in for_http / set_http_owner; strip
  whitespace from XML element text in _read_evt_data; correct docstring
  on _parse_kernel_network_etw (was naming the wrong auxiliary); store
  basename + path separately when hoisting sigma matched_events processes.
* analyzer/network_etw.py: same IPv6 ":" filter; clean up the random
  C:\<dir> output directory after the final upload so it doesn't
  accumulate on VMs that aren't reverted from snapshot.
* test_network_capture_integration.py: assert against the actually-patched
  open mock (and that open_exclusive is NOT called for replaceable
  uploads); document the sys.modules stub pattern.

Note: the gemini-code-assist suggestion to rename ProcessID -> ProcessId
in sigma matched_events lookups was checked against real sigma output
on three different reports — sigma's matched_events use ProcessID
(capital D). Existing code is correct; suggestion not applied.

Author: wmetcalf

analyzer/windows/modules/auxiliary/network_etw.py

@@ -95,7 +95,7 @@ def _should_filter(self, event, event_id):
                 return True
             if dst_port in self._filter_ports or src_port in self._filter_ports:
                 return True
-            if dst_ip in ("127.0.0.1", "::1", "0.0.0.0", ""):
+            if dst_ip in ("127.0.0.1", "::1", "0.0.0.0", "::", ""):
                 return True
             return False
 
@@ -240,3 +240,11 @@ def upload_results(self):
                 upload_to_host(self.log_file_path, os.path.join("aux", "network_etw.json"))
             except Exception as e:
                 log.error("Final network_etw upload failed: %s", e)
+
+        # Clean up the random C:\<dir> we created so it doesn't accumulate on
+        # VMs that aren't reverted from snapshot between analyses.
+        if self.output_dir and os.path.isdir(self.output_dir):
+            try:
+                shutil.rmtree(self.output_dir, ignore_errors=True)
+            except Exception as e:
+                log.debug("network_etw output_dir cleanup failed: %s", e)

modules/processing/network_etw.py

@@ -116,7 +116,7 @@ def add_connection(self, pid, dst_ip, dst_port=None, src_ip="",
             return
         pid = str(pid)
         dst_ip = _clean_ip(dst_ip)
-        if not dst_ip or dst_ip in ("127.0.0.1", "::1", "0.0.0.0"):
+        if not dst_ip or dst_ip in ("127.0.0.1", "::1", "0.0.0.0", "::"):
             return
         if process_name:
             self.add_pid_name(pid, process_name)
@@ -250,7 +250,9 @@ def for_host(self, hostname):
 
     def for_http(self, host, uri):
         """(pid, name) from an already-enriched HTTP transaction. Prefer an
-        exact (host, uri) match; fall back to host alone; finally DNS."""
+        exact (host, uri) match; fall back to host alone; finally DNS.
+        Hostnames are normalised to lowercase per RFC 4343."""
+        host = host.lower() if host else ""
         if host and uri:
             hit = self._http_by_uri.get((host, uri))
             if hit:
@@ -266,6 +268,7 @@ def set_http_owner(self, host, uri, pid, name):
         if not pid:
             return
         pid = str(pid)
+        host = host.lower() if host else ""
         if host and uri:
             self._http_by_uri.setdefault((host, uri), (pid, name))
         if host:
@@ -343,7 +346,7 @@ def _read_evt_data(event_elem):
             # normalise to "" so callers can distinguish "missing" via .get()
             # default vs "present but empty" via "" — same as before, but now
             # entity-decoded (&amp; → &, &lt; → <, &#xNN; → unicode char).
-            out[name] = d.text or ""
+            out[name] = (d.text or "").strip()
         return out
 
     def _parse_sysmon_evtx(self):
@@ -422,7 +425,7 @@ def _parse_sysmon_evtx(self):
 
     def _parse_kernel_network_etw(self, pid_to_name):
         """Parse aux/network_etw.json from the Microsoft-Windows-Kernel-Network
-        ETW provider (captured by the dns_etw auxiliary at analysis time)."""
+        ETW provider (captured by the network_etw auxiliary at analysis time)."""
         connections = []
         etw_path = os.path.join(self.analysis_path, "aux", "network_etw.json")
         if not os.path.exists(etw_path):
@@ -604,7 +607,7 @@ def run(self):
         for c in merged:
             pid = c["pid"]
             dst = c["dst_ip"]
-            if not dst or dst in ("127.0.0.1", "::1", "0.0.0.0"):
+            if not dst or dst in ("127.0.0.1", "::1", "0.0.0.0", "::"):
                 continue
             by_pid.setdefault(pid, {
                 "pid": pid,
@@ -717,7 +720,8 @@ def apply(rec, hit):
                 seen_procs.add(key)
                 procs.append({
                     "pid": pid,
-                    "process_name": image,
+                    "process_name": os.path.basename(image) if image else "",
+                    "process_path": image,
                     "command_line": ev.get("CommandLine", ""),
                     "parent_pid": ev.get("ParentProcessId"),
                     "parent_image": ev.get("ParentImage", ""),

tests/test_network_capture_integration.py

@@ -4,6 +4,17 @@
 
 import pytest
 
+
+# Tests for the network_etw / decryptpcap / resultserver code paths run in
+# isolation from the full CAPE runtime. The modules-under-test transitively
+# import gevent + a handful of CAPE-internal helpers that we don't want to
+# bring into pytest just to exercise pure logic.
+#
+# `setdefault` here means: only stub if pytest hasn't already imported the
+# real module via another collected test. That keeps these stubs from
+# clobbering an installed module when running the full suite, while still
+# letting `python -m pytest tests/test_network_capture_integration.py` work
+# in a stripped-down environment.
 def _stub_module(name):
     module = ModuleType(name)
     sys.modules.setdefault(name, module)
@@ -130,15 +141,20 @@ def test_resultserver_allows_overwrite_for_periodic_aux_logs(tmp_path):
     upload = FileUpload(task_id=7, ctx=ctx)
     upload.init()
 
-    fake_fd = mock_open().return_value
+    open_mock = mock_open()
 
     with patch("lib.cuckoo.core.resultserver.path_exists", return_value=True), patch(
-        "lib.cuckoo.core.resultserver.open", mock_open()
+        "lib.cuckoo.core.resultserver.open_exclusive"
+    ) as exclusive_mock, patch(
+        "lib.cuckoo.core.resultserver.open", open_mock
     ) as patched_open:
         upload.handle()
 
+    # Existing replaceable path -> truncate-write via plain open(..., "wb")
     patched_open.assert_any_call(str(tmp_path / "aux/network_etw.json"), "wb")
-    fake_fd.write.assert_not_called()
+    # And NOT via open_exclusive — that would EEXIST and silently drop the
+    # upload, which is exactly the bug REPLACEABLE_RESULT_UPLOADS fixes.
+    exclusive_mock.assert_not_called()
 
 
 def test_pcap_selector_prefers_mixed_pcap_when_configured(tmp_path):

web/templates/analysis/network/_hosts.html

@@ -44,6 +44,11 @@ <h5 class="mb-0 text-white"><i class="fas fa-server me-2 text-info"></i>Hosts</h
                                                 {% if p.process_name %}{{ p.process_name }}{% else %}(unknown){% endif %}{% if p.pid %} ({{ p.pid }}){% endif %}
                                             </span>
                                         {% endfor %}
+                                    {% elif host.process_name or host.process_id %}
+                                        {# Legacy single-owner attribution from CAPE's existing process_map enrichment in network.py — used when network_etw module isn't enabled #}
+                                        <span class="badge bg-warning text-dark">
+                                            {% if host.process_name %}{{ host.process_name }}{% else %}(unknown){% endif %}{% if host.process_id %} ({{ host.process_id }}){% endif %}
+                                        </span>
                                     {% else %}
                                         <span class="text-muted">-</span>
                                     {% endif %}

web/templates/analysis/network/_suricata_files.html

@@ -7,10 +7,12 @@
                     <th style="border-top: 0;" width="15%">File name</th>
                     <td style="border-top: 0;"><b>{{file.filename}}</b></td>
                 </tr>
+                {% if settings.NETWORK_PROC_MAP %}
                 <tr>
                     <th>Process</th>
                     <td>{% if file.process_name %}<span class="badge bg-warning text-dark" title="PID: {{file.process_id}}">{{file.process_name}} ({{file.process_id}})</span>{% else %}<span class="text-muted">-</span>{% endif %}</td>
                 </tr>
+                {% endif %}
                 <tr>
                     <th>Expected File Size</th>
                     <td>{{file.size}} bytes</td>

web/templates/analysis/network/_suricata_http.html

@@ -8,7 +8,7 @@ <h5 class="mb-0 text-white"><i class="fas fa-globe me-2 text-info"></i>Suricata
                 <table class="table table-dark table-striped table-bordered">
                     <tr>
                         <th>Timestamp</th>
-                        <th>Process</th>
+                        {% if settings.NETWORK_PROC_MAP %}<th>Process</th>{% endif %}
                         <th>Source IP</th>
                         <th>Source Port</th>
                         <th>Destination IP</th>
@@ -25,7 +25,7 @@ <h5 class="mb-0 text-white"><i class="fas fa-globe me-2 text-info"></i>Suricata
                     {% for http in suricata.http %}
                     <tr>
                         <td>{{http.timestamp}}</td>
-                        <td>{% if http.process_name %}<span class="badge bg-warning text-dark" title="PID: {{http.process_id}}">{{http.process_name}} ({{http.process_id}})</span>{% else %}<span class="text-muted">-</span>{% endif %}</td>
+                        {% if settings.NETWORK_PROC_MAP %}<td>{% if http.process_name %}<span class="badge bg-warning text-dark" title="PID: {{http.process_id}}">{{http.process_name}} ({{http.process_id}})</span>{% else %}<span class="text-muted">-</span>{% endif %}</td>{% endif %}
                         <td>{{http.srcip}}
                             <a href="https://www.virustotal.com/en/ip-address/{{http.srcip}}/information/">[VT]</a>
                             {% if config.display_et_portal %}