despoof 0.9 is a utility for comparing the TTL of a received packet which

is considered "suspicious" with the actual TTL of a test packet sent to
that host, to try and detect packet spoofing. It is intended to be used
as part of an IDS system.

7 files changed, 63 insertions, 0 deletions

diff --git a/net/despoof/Makefile b/net/despoof/Makefile
new file mode 100644
index 000000000000..f1bd069bfc53
--- /dev/null
+++ b/net/despoof/Makefile
@@ -0,0 +1,23 @@
+# New ports collection makefile for:	despoof
+# Date created:				02 September 2000
+# Whom:					Kris Kennaway <kris@FreeBSD.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	despoof
+PORTVERSION=	0.9
+CATEGORIES=	net security
+MASTER_SITES=	http://razor.bindview.com/tools/files/
+EXTRACT_SUFX=	.tgz
+
+MAINTAINER=	kris@FreeBSD.org
+
+BUILD_DEPENDS=	${LOCALBASE}/lib/libnet.a:${PORTSDIR}/net/libnet
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/despoof ${PREFIX}/bin
+	${MKDIR} ${PREFIX}/share/doc/despoof
+	${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/despoof
+
+.include <bsd.port.mk>
diff --git a/net/despoof/distinfo b/net/despoof/distinfo
new file mode 100644
index 000000000000..8e67dc7b37ce
--- /dev/null
+++ b/net/despoof/distinfo
@@ -0,0 +1 @@
+MD5 (despoof-0.9.tgz) = 07f2ba923e414e86b0a7dd6aee21d5b6
diff --git a/net/despoof/files/patch-aa b/net/despoof/files/patch-aa
new file mode 100644
index 000000000000..89bfdfbd640f
--- /dev/null
+++ b/net/despoof/files/patch-aa
@@ -0,0 +1,17 @@
+--- Makefile.orig	Sat Sep  2 18:33:10 2000
++++ Makefile	Sat Sep  2 18:35:05 2000
+@@ -1,10 +1,10 @@
+ # despoof makefile
+ #
+-CC=gcc
+-CFLAGS=-O3
++CC?=gcc
++CFLAGS?=-O
+ PROG=despoof
+-DEFS=`libnet-config --defines`
+-LIBS=-lnet -lpcap
++DEFS=-I${LOCALBASE}/include `libnet-config --defines`
++LIBS=-L${LOCALBASE}/lib -lnet -lpcap
+ 
+ default: all
+ 
diff --git a/net/despoof/files/patch-ab b/net/despoof/files/patch-ab
new file mode 100644
index 000000000000..fde6ceb4a075
--- /dev/null
+++ b/net/despoof/files/patch-ab
@@ -0,0 +1,11 @@
+--- despoof.c.orig	Sat Sep  2 18:34:37 2000
++++ despoof.c	Sat Sep  2 18:34:45 2000
+@@ -150,7 +150,7 @@
+ 
+   if (targetaddr == ip->ip_src.s_addr) 
+   {
+-    if (((inquery == 1) && (icmp->icmp_type == ICMP_ECHOREPLY)) || ((inquery == 2) && (icmp->icmp_type == ICMP_TIMESTAMPREPLY)) || ((inquery == 3) && (sport == ntohs(tcphdr->th_dport))))
++    if (((inquery == 1) && (icmp->icmp_type == ICMP_ECHOREPLY)) || ((inquery == 2) && (icmp->icmp_type == ICMP_TSTAMPREPLY)) || ((inquery == 3) && (sport == ntohs(tcphdr->th_dport))))
+     {
+       if (ttlval == ip->ip_ttl)
+       {
diff --git a/net/despoof/pkg-comment b/net/despoof/pkg-comment
new file mode 100644
index 000000000000..aaa9517c02c8
--- /dev/null
+++ b/net/despoof/pkg-comment
@@ -0,0 +1 @@
+Command-line anti-spoofing detection utility
diff --git a/net/despoof/pkg-descr b/net/despoof/pkg-descr
new file mode 100644
index 000000000000..65e5771b2bfe
--- /dev/null
+++ b/net/despoof/pkg-descr
@@ -0,0 +1,7 @@
+A command-line anti-spoofing detection utility. The idea is simple --
+if you receive a packet that you suspect is spoofed, try to determine
+the real TTL of the packet and compare it to the TTL of the packet you
+received. This is intended to be used as a component of an IDS
+toolkit.
+
+WWW:	http://razor.bindview.com/tools/
diff --git a/net/despoof/pkg-plist b/net/despoof/pkg-plist
new file mode 100644
index 000000000000..649e235a9c9b
--- /dev/null
+++ b/net/despoof/pkg-plist
@@ -0,0 +1,3 @@
+bin/despoof
+share/doc/despoof/README
+@dirrm share/doc/despoof