From c1c42fcce0db3dc98810d996c74e8f3c088c7fa7 Mon Sep 17 00:00:00 2001
From: Steven Kreuzer
Date: Wed, 27 Apr 2011 17:42:00 +0000
Subject: [PATCH] arpCounterattack is a program for detecting and remedying "ARP attacks." It monitors traffic on any number of Ethernet interfaces and examines ARP replies and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP request that is in conflict with its notion of "correct" Ethernet/IP address pairs, it logs the attack if logging is enabled, and, if the Ethernet interface that the attack was seen on is is configured as being in aggressive mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables of hosts on the local network segment. The corrective gratuitous ARP request and corrective gratuitous ARP reply can be sent from an Ethernet interface other than the one that the attack was seen on.
WWW: http://acm.poly.edu/wiki/ARP_Counterattack
PR: ports/151973
Submitted by: Boris Kochergin
---
 security/Makefile | 1 +
 security/arpCounterattack/Makefile | 32 ++++++++++++++
 security/arpCounterattack/distinfo | 2 +
 .../files/arpCounterattack.in | 44 +++++++++++++++++++
 .../arpCounterattack/files/pkg-message.in | 11 +++++
 security/arpCounterattack/pkg-descr | 15 +++++++
 security/arpCounterattack/pkg-plist | 6 +++
 7 files changed, 111 insertions(+)
 create mode 100644 security/arpCounterattack/Makefile
 create mode 100644 security/arpCounterattack/distinfo
 create mode 100644 security/arpCounterattack/files/arpCounterattack.in
 create mode 100644 security/arpCounterattack/files/pkg-message.in
 create mode 100644 security/arpCounterattack/pkg-descr
 create mode 100644 security/arpCounterattack/pkg-plist
diff --git a/security/Makefile b/security/Makefile
index 26ef7c1c0ad4..d7e897a7c9d1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@
 SUBDIR += apache-xml-security-c
 SUBDIR += apg
 SUBDIR += arirang
+ SUBDIR += arpCounterattack
 SUBDIR += authforce
 SUBDIR += autossh
 SUBDIR += avcheck
diff --git a/security/arpCounterattack/Makefile b/security/arpCounterattack/Makefile
new file mode 100644
index 000000000000..bb19119d2613
--- /dev/null
+++ b/security/arpCounterattack/Makefile
@@ -0,0 +1,32 @@
+# New ports collection makefile for: arpCounterattack
+# Date created: 05 November 2010
+# Whom: Boris Kochergin
+# $FreeBSD$
+#
+
+PORTNAME= arpCounterattack
+PORTVERSION= 1.2.0
+CATEGORIES= security
+MASTER_SITES= http://isis.poly.edu/~bk/${PORTNAME}/ \
+ http://bk.macroblock.net/${PORTNAME}/
+EXTRACT_SUFX= .tbz
+
+MAINTAINER= spawk@acm.poly.edu
+COMMENT= Detects and remedies ARP attacks
+
+LIB_DEPENDS= dnet.1:${PORTSDIR}/net/libdnet
+
+SUB_FILES= pkg-message
+
+USE_RC_SUBR= ${PORTNAME}
+
+.include
+
+post-install:
+ @if [ ! -f ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ]; then \
+ ${CP} -p ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf.sample \
+ ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ; \
+ fi
+ @${CAT} ${PKGMESSAGE}
+
+.include
diff --git a/security/arpCounterattack/distinfo b/security/arpCounterattack/distinfo
new file mode 100644
index 000000000000..37d5bf3d58d1
--- /dev/null
+++ b/security/arpCounterattack/distinfo
@@ -0,0 +1,2 @@
+SHA256 (arpCounterattack-1.2.0.tbz) = 28cb61cb799871bbb10057fddbd7a445f10b27725eca088f370eeff157f88f3d
+SIZE (arpCounterattack-1.2.0.tbz) = 507939
diff --git a/security/arpCounterattack/files/arpCounterattack.in b/security/arpCounterattack/files/arpCounterattack.in
new file mode 100644
index 000000000000..6594649d5b21
--- /dev/null
+++ b/security/arpCounterattack/files/arpCounterattack.in
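Review bot: The post-install recipe in the new security/arpCounterattack/Makefile spells `${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf` three times across a backslash-continued shell `if`, so a rename of the config file or its directory must be made in three places here plus the pkg-plist `@exec` line that performs the same copy. Introducing `CONF= ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf` beside the other variables and collapsing the recipe to `@if [ ! -f ${CONF} ]; then ${CP} -p ${CONF}.sample ${CONF}; fi` keeps the references in step without changing behaviour. The two `.include` directives appear here without their `<bsd.port.pre.mk>` / `<bsd.port.post.mk>` arguments; if that is not just an artifact of how this patch was rendered, bsd.port.mk is never pulled in and the port will not parse. A one-line comment above post-install noting that the `@exec` in pkg-plist does the same sample-to-conf copy for binary package installs would stop the next maintainer from deleting one of the two as redundant.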
@@ -0,0 +1,44 @@
+#!/bin/sh
+# $FreeBSD
+
+# PROVIDE: arpcounterattack
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Define these arpcounterattack_* variables in one of these files:
+# /etc/rc.conf
+# /etc/rc.conf.local
+# /etc/rc.conf.d/arpcounterattack
+#
+# DO NOT CHANGE THESE DEFAULT VALUES HERE
+#
+arpcounterattack_enable="${arpcounterattack_enable-NO}"
+arpcounterattack_pidfile="/var/run/arpCounterattack.pid"
+
+. /etc/rc.subr
+
+name="arpcounterattack"
+rcvar=`set_rcvar`
+command="%%PREFIX%%/sbin/arpCounterattack"
+
+load_rc_config $name
+
+: ${arpcounterattack_config="%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf"}
+: ${arpcounterattack_flags="-c ${arpcounterattack_config}"}
+
+pidfile="${arpcounterattack_pidfile}"
+required_files="${arpcounterattack_config}"
+
+case "${arpcounterattack_flags}" in
+*-p\ *)
+ echo "ERROR: \$arpcounterattack_flags includes -p option." \
+ "Please use \$arpcounterattack_pidfile instead."
+ exit 1
+ ;;
+*)
+ arpcounterattack_flags="-p ${pidfile} ${arpcounterattack_flags}"
+ ;;
+esac
+
+run_rc_command "$1"
diff --git a/security/arpCounterattack/files/pkg-message.in b/security/arpCounterattack/files/pkg-message.in
new file mode 100644
index 000000000000..1c44db265d5a
--- /dev/null
+++ b/security/arpCounterattack/files/pkg-message.in
@@ -0,0 +1,11 @@
+
+Before starting arpCounterattack, you should edit its configuration file,
+%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf. Then, add the following
+line to /etc/rc.conf:
+
+arpcounterattack_enable="YES"
+
+Finally, to start it, run the following command:
+
+%%PREFIX%%/etc/rc.d/arpCounterattack start
+
diff --git a/security/arpCounterattack/pkg-descr b/security/arpCounterattack/pkg-descr
new file mode 100644
index 000000000000..7252ac7db14e
--- /dev/null
+++ b/security/arpCounterattack/pkg-descr
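Review bot: The `# $FreeBSD` keyword on the second line of files/arpCounterattack.in lacks its closing `$`, so it is an ordinary comment that will never be expanded on commit; the port Makefile in the same patch uses the correct `# $FreeBSD$` form. The `*-p\ *)` guard only detects `-p` when a space follows it, so a glued value such as `-p/var/run/foo.pid` in `arpcounterattack_flags` passes the check and the default branch then prepends a second `-p ${pidfile}`, handing the daemon two pidfile options; the check should be widened to cover the glued form or the limitation noted in a comment above the `case`. The error branch reports with `echo` to stdout and a separate `exit 1`, where rc.subr's `err 1 "arpcounterattack_flags includes -p option. Please use arpcounterattack_pidfile instead."` writes to stderr with the script name prefixed and exits in one step. The script sets no `arpcounterattack_user`, so the daemon runs as root, which the raw link-layer access needed to send the corrective ARP frames described in pkg-descr presumably requires; a short comment above the `command=` line stating that would make the privilege level a documented decision rather than an omission.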
@@ -0,0 +1,15 @@
+arpCounterattack is a program for detecting and remedying "ARP attacks." It
+monitors traffic on any number of Ethernet interfaces and examines ARP replies
+and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP
+request that is in conflict with its notion of "correct" Ethernet/IP address
+pairs, it logs the attack if logging is enabled, and, if the Ethernet
+interface that the attack was seen on is is configured as being in aggressive
+mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with
+the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables
+of hosts on the local network segment. The corrective gratuitous ARP request
+and corrective gratuitous ARP reply can be sent from an Ethernet interface
+other than the one that the attack was seen on.
+
+WWW: http://acm.poly.edu/wiki/ARP_Counterattack
+
+-Boris Kochergin
diff --git a/security/arpCounterattack/pkg-plist b/security/arpCounterattack/pkg-plist
new file mode 100644
index 000000000000..a37a292e0168
--- /dev/null
+++ b/security/arpCounterattack/pkg-plist
@@ -0,0 +1,6 @@
+sbin/arpCounterattack
+@unexec if cmp -s %D/etc/arpCounterattack/arpCounterattack.conf.sample %D/etc/arpCounterattack/arpCounterattack.conf; then rm -f %D/etc/arpCounterattack/arpCounterattack.conf; fi
+etc/arpCounterattack/arpCounterattack.conf.sample
+@exec if [ ! -f %D/etc/arpCounterattack/arpCounterattack.conf ] ; then cp -p %D/%F %B/arpCounterattack.conf; fi
+etc/arpCounterattack/oui.txt
+@dirrmtry etc/arpCounterattack