

      1 #!/usr/bin/perl
      2 #
      3 # Author: Jordan Ritter <jpr5@darkridge.com>
      4 # Date: Thu Jul  5 17:08:18 PDT 2001
      5 #
      6 # Input file format:
      7 #
      8 #      Rulename1 file1.gz rule1 bpf_filter1
      9 #      Rulename2 file2.gz rule2 bpf_filter2
     10 #      Rulename3 file3.gz rule3 bpf_filter3
     11 #
     12 # Output:
     13 # 
     14 #      ./ngrepped.Rulename1
     15 #      ./ngrepped.Rulename2
     16 #      ./ngrepped.Rulename3
     17 #
     18 # Considerations:
     19 #
     20 #      1. Not sure how previous script was able to get the pcap filters with spaces using split...
     21 #      2. Don't forget to tweak $max_procs in CONFIG section.
     22 #      3. Blank lines in rule file are bad bad bad.
     23 #      4. Assumes bash.
     24 #  
     25 
     26 ##########
     27 # CONFIG #
     28 ##########
     29 
     30 require 5.004;
     31 
     32 use POSIX qw(:signal_h);
     33 
     34 my($sig_set) = POSIX::SigSet->new(SIGINT);
     35 my($old_sig_set) = POSIX::SigSet->new();
     36 my($max_procs) = 10;
     37 
     38 my($rules_file,%rules, @rules);
     39 my($fork_level);
     40 my($loops);
     41 
     42 $|++;
     43 
     44 
     45 #############
     46 # FUNCTIONS #
     47 #############
     48 
     49 sub go {
     50     my($rule_name) = shift @_;
     51     return unless $rule_name;
     52 
     53     my(%rule) = %{$rules{$rule_name}};
     54 
     55     $fork_level++;
     56 
     57     sigprocmask(SIG_BLOCK, $sig_set, $old_sig_set);    
     58 
     59     my($pipe) = "pipe-$rule-$fork_level";
     60     my($daddy) = open($pipe, "-|");
     61 
     62     if (not defined $daddy) {
     63 
     64 	warn "[$rule_name] fork() error: $!\n";
     65 	sigprocmask(SIG_UNBLOCK, $old_sig_set);
     66 	sleep(1);
     67 
     68     } elsif (not $daddy) {
     69 
     70 	my(@args);
     71 
     72         $SIG{INT} = 'IGNORE';
     73         sigprocmask(SIG_UNBLOCK, $old_sig_set);
     74 
     75 	system("zcat $rule{'file'} | " .
     76                "ngrep -qtI - $rule{'regex'} $rule{'filter'} 2&>1 > " .
     77                "ngrepped.$rule_name");
     78 
     79 	exit;
     80     
     81     } else {
     82 	
     83 	sigprocmask(SIG_UNBLOCK, $old_sig_set);
     84 
     85     }
     86 
     87     &go(@_);
     88 
     89     close($pipe);
     90     print "[$rule_name] finished\n";
     91 }
     92 
     93 
     94 ########
     95 # MAIN #
     96 ########
     97 
     98 $rules_file = $ARGV[0];
     99 
    100 open(RULES, $rules_file) || die "Couldn't open rules file $rules_file: $!.\n";
    101 my(@lines) = <RULES>;
    102 close(RULES);
    103 
    104 if (($loops = scalar(@lines)) == 0) { 
    105     die "Rules file $rules_file empty, exiting.\n"; 
    106 }
    107 
    108 %rules = map { chomp(local(@fields) = split / /, $_); 
    109                $fields[0] => { "file" => $fields[1],
    110                                "regex" => $fields[2], 
    111                                "filter" => $fields[3] }; } @lines; 
    112 @rules = keys %rules;
    113 
    114 print "Hi, I'm ngrepper, and here we go.\n";
    115 
    116 for ( 0 .. int($loops / $max_procs) ) {
    117 
    118     $fork_level = 1;
    119     @rules_for_this_pass = splice(@rules, 0, $max_procs);
    120 
    121     &go(@rules_for_this_pass);
    122 
    123 }
    124 
    125 print "Welp, I'm done.\n";
    126 
    127 exit;
    128 