
commit dab1d86d74066774893bbe4a9c1281890f089989
parent 44201941081f88955a285d730c2ddc12120515b2
Author: Jordan Ritter <jpr5@darkridge.com>
Date:   Fri,  6 Jul 2001 00:17:48 +0000

added script I wrote for George Bakos (alpinista@bigfoot.com) to pump
multiple pcap_dumps through ngrep simultaneously.  meep.

Diffstat:
Ascripts/blort.pl | 129+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 129 insertions(+), 0 deletions(-)

diff --git a/scripts/blort.pl b/scripts/blort.pl 
@@ -0,0 +1,129 @@
+#!/usr/bin/perl
+#
+# Author: Jordan Ritter <jpr5@darkridge.com>
+# Date: Thu Jul 5 17:08:18 PDT 2001
+#
+# Input file format:
+#
+# Rulename1 file1.gz rule1 bpf_filter1
+# Rulename2 file2.gz rule2 bpf_filter2
+# Rulename3 file3.gz rule3 bpf_filter3
+#
+# Output:
+#
+# ./ngrepped.Rulename1
+# ./ngrepped.Rulename2
+# ./ngrepped.Rulename3
+#
+# Considerations:
+#
+# 1. Not sure how previous script was able to get the pcap filters with spaces using split...
+# 2. Don't forget to tweak $max_procs in CONFIG section.
+# 3. Blank lines in rule file are bad bad bad.
+# 4. Assumes bash.
+#
+
+##########
+# CONFIG #
+##########
+
+require 5.004;
+
+use POSIX qw(:signal_h);
+
+my($sig_set) = POSIX::SigSet->new(SIGINT);
+my($old_sig_set) = POSIX::SigSet->new();
+my($max_procs) = 10;
+
+my($rules_file,%rules, @rules);
+my($fork_level);
+my($loops);
+
+$|++;
+
+
+#############
+# FUNCTIONS #
+#############
+
+sub go {
+ my($rule_name) = shift @_;
+ return unless $rule_name;
+
+ my(%rule) = %{$rules{$rule_name}};
+
+ $fork_level++;
+
+ sigprocmask(SIG_BLOCK, $sig_set, $old_sig_set);
+
+ my($pipe) = "pipe-$rule-$fork_level";
+ my($daddy) = open($pipe, "-|");
+
+ if (not defined $daddy) {
+
+ warn "[$rule_name] fork() error: $!\n";
+ sigprocmask(SIG_UNBLOCK, $old_sig_set);
+ sleep(1);
+
+ } elsif (not $daddy) {
+
+ my(@args);
+
+ $SIG{INT} = 'IGNORE';
+ sigprocmask(SIG_UNBLOCK, $old_sig_set);
+
+ system("zcat $rule{'file'} | " .
+ "ngrep -qtI - $rule{'regex'} $rule{'filter'} 2&>1 > " .
+ "ngrepped.$rule_name");
+
+ exit;
+
+ } else {
+
+ sigprocmask(SIG_UNBLOCK, $old_sig_set);
+
+ }
+
+ &go(@_);
+
+ close($pipe);
+ print "[$rule_name] finished\n";
+}
+
+
+########
+# MAIN #
+########
+
+$rules_file = $ARGV[0];
+
+open(RULES, $rules_file) || die "Couldn't open rules file $rules_file: $!.\n";
+my(@lines) = <RULES>;
+close(RULES);
+
+if (($loops = scalar(@lines)) == 0) {
+ die "Rules file $rules_file empty, exiting.\n";
+}
+
+%rules = map { chomp(local(@fields) = split / /, $_);
+ $fields[0] => { "file" => $fields[1],
+ "regex" => $fields[2],
+ "filter" => $fields[3] }; } @lines;
+@rules = keys %rules;
+
+print "Hi, I'm ngrepper, and here we go.\n";
+
+for ( 0 .. int($loops / $max_procs) ) {
+
+ $fork_level = 1;
+ @rules_for_this_pass = splice(@rules, 0, $max_procs);
+
+ &go(@rules_for_this_pass);
+
+}
+
+print "Welp, I'm done.\n";
+
+exit;
+
+