SMB_Filter/filter.sh

#!/bin/bash

CPU_THRESHOLD=90.0
TIME_THRESHOLD=$((10 * 3600)) #10 hours in seconds

# Getting all Process IDs running on Port 445 or 139 (Default SMB ports)
SMB_PIDS=$(ss -tanp '( sport = :445 or sport = :139 )' 2>/dev/null \
        | awk -F ',' 'NR>1 && $2 ~ /pid=/ {
                        split($2,a," ");
                        split(a[1],b,"=");
                        print b[2]
                }' | sort -u) 
if [ -z "$SMB_PIDS" ]; then
        echo "No SMB connections found."
        exit 0
fi

# Checking to see if any PIDs exceed CPU or Time thresholds
ps -axo pid,comm,pcpu,etime | awk -v cpu="$CPU_THRESHOLD" -v time="$TIME_THRESHOLD" -v smb_pids="$SMB_PIDS" '
BEGIN {
        split(smb_pids, arr, " ")
        for (i in arr) {
                smb[arr[i]] = 1
        }
}
NR > 1 {
        if(!($1 in smb)) {
                next
        }

        # Converting etime into seconds
        split($4, parts, "-")
        if (length(parts) == 2) {
                days=parts[1]
                hms=parts[2]
        } else {
                days=0
                hms=parts[1] 
        }

        split(hms, t, ";")
        if (length(t) == 3) {
                h=t[1]; m=t[2]; s=t[3]
         } else if (length(t) == 2) {
                h=t[1]; m=t[2]; s=0
        } else {
                h=0; m=0; s=0
        }

        elapsed = days*86400 + h*3600 + m*60 + s

        # Comparing elapsed to thresholds
        if ($3 >= cpu && elapsed >= time) {
                printf "PID: %s | Command: %s | CPU: %s%% | Runtime: %s (%.2f hours)\n,$1, $2, $3, $4, elapsed/3600"
        }
}'