2009-08-14 Sancho Lerena <slerena@artica.es>

* linux/plugins/arp_attack: New agent plugin to detect ARP attacks.




git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1851 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f

pandora_agents/ChangeLog

@@ -2,6 +2,8 @@
 
 	* linux/pandora_agent_installer: Fixed problems with .conf backup
 
+	* linux/plugins/arp_attack: New agent plugin to detect ARP attacks.
+
 	* linux/plugins/iptables_plugin: New agent plugin for Netfilter.
 
 	* linux/plugins/apache_status: new agent plugin (apache status).

pandora_agents/linux/plugins/arp_attack

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+TEMP=/tmp/pandora.plugin.arp
+
+cat /proc/net/stat/arp_cache | tail -1 | tr "[:lower:]" "[:upper:]" > $TEMP
+ARP_ENTRIES_T=`cat $TEMP | awk '{ print $1 }'`
+ARP_ENTRIES=`echo "ibase=16; $ARP_ENTRIES_T" | bc`
+ARP_DESTROY_T=`cat $TEMP | awk '{ print $3 }'`
+ARP_DESTROY=`echo "ibase=16; $ARP_DESTROY_T" | bc`
+ARP_ALLOC_T=`cat $TEMP | awk '{ print $2 }'`
+ARP_ALLOC=`echo "ibase=16; $ARP_ALLOC_T" | bc`
+rm $TEMP 2> /dev/null
+
+echo "<module>"
+echo "<name>ARP Entries</name>"
+echo "<type>generic_data</type>"
+echo "<description>Get destroyed entries in Network stack ARP table</description>"
+echo "<data>$ARP_ENTRIES</data>"
+echo "</module>"
+
+echo "<module>"
+echo "<name>ARP Destroy</name>"
+echo "<type>generic_data_inc</type>"
+echo "<description>Get deleted entries in Network stack ARP table</description>"
+echo "<data>$ARP_DESTROY</data>"
+echo "</module>"
+
+echo "<module>"
+echo "<name>ARP Alloc</name>"
+echo "<type>generic_data_inc</type>"
+echo "<description>Get allocated entries in Network stack ARP table</description>"
+echo "<data>$ARP_ALLOC</data>"
+echo "</module>"
+