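#!/bin/bash
# +----+----+----+----+
# | | | | |
# Author: Mark David Scott Cunningham | M | D | S | C |
# +----+----+----+----+
# Created: 2018-04-16
# Updated: 2018-04-24
#
# Purpose: Eitest investigation script
#
# Polls the socket table for established connections to the EITest sinkhole
# address and, for every local process found holding one, records its open
# files (lsof) plus a ps/ss snapshot into log files in the current directory.
# Runs until interrupted (Ctrl-C).
#
# Globals (may be overridden from the environment):
#   SINKHOLE       sinkhole address to watch for (default: the original value)
#   POLL_INTERVAL  seconds between polls of the socket table (default: 0.01)
# Outputs:
#   eitest-files-<pid>.log       lsof output for each matched process
#   eitest-connection-log.txt    appended ps line(s) and matching ss line(s)
# Note: `ss -p` only reports pid= for sockets owned by other users when run
#       with sufficient privileges; run as root to see every process.

# Watch for connections to sinkhole
sinkhole="${SINKHOLE:-192.42.116.41}"
# The original polled every 0.01 s; kept as the default but now tunable.
poll_interval="${POLL_INTERVAL:-0.01}"

#######################################
# Capture lsof output and a ps/ss snapshot for one process.
# Arguments: $1 - pid (digits only, as extracted from the ss output)
#            $2 - the ss line(s) that matched the sinkhole address
# Outputs:   writes eitest-files-<pid>.log; appends to eitest-connection-log.txt
# Returns:   0 (lsof runs detached in the background; its status is not checked)
#######################################
capture_process() {
  local pid=$1
  local connect=$2
  # Strace pid (disabled in the original; kept for reference)
  # (strace -yrTfs 1024 -e trace=sendto,connect,open,write -o "eitest-trace-$pid.out" -p "$pid" &)
  # Get open files from lsof, detached so the polling loop is not delayed
  (lsof -p "$pid" > "eitest-files-$pid.log" &)
  # Log some basic info about the connection and process.
  # Exact comparison on the PID column: the original used a regex (/$PID/),
  # which also matched any pid merely containing those digits (123 vs 1234).
  # The pid is passed with -v rather than interpolated into the program text.
  ps aux | awk -v pid="$pid" '$2 == pid { print $0 }' >> eitest-connection-log.txt
  # Quoted so the ss line(s) keep their line breaks instead of being joined
  # into one line by word splitting.
  printf '%s\n' "$connect" >> eitest-connection-log.txt
}

# Repeat in loop until you stop the script
while true; do
  # Fixed-string match (-F): unquoted $sinkhole in grep treated the dots as
  # regex wildcards; -- keeps a pattern starting with '-' from being an option.
  connect=$(ss -antp | grep -F -- "$sinkhole")
  # If connection found then capture data
  if [[ -n "$connect" ]]; then
    # Get pid from connection: -o prints only the pid=NNN tokens, cut keeps
    # the number, sort -u so a process holding several connections is
    # captured once per poll instead of once per connection.
    mapfile -t pids < <(printf '%s\n' "$connect" | grep -Eo 'pid=[0-9]+' | cut -d= -f2 | sort -u)
    for pid in "${pids[@]}"; do
      capture_process "$pid" "$connect"
    done
  fi
  sleep "$poll_interval"
done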