Tutorial:
An Introduction to PHPIDS (PHP-Intrusion Detection System)
June 19, 2007 @ 15:28:56

After several weeks of work, Mario Heiderich, Lars Strojny and of course myself have released the first stable versions of the PHPIDS, currently at version 0.2.2.

You will find the project site on http://php-ids.org/

In this article I would like to present our framework and explain how it can be used, hoping that developers consider it useful to make their application more secure.

The PHPIDS is a system that is meant to be an additional layer of security for any PHP based website or web application. In fact, this layer does not filter input - that would be a task for different layers - but it makes sure that no potential attack against the application goes unnoticed.

Based on a collection of heavily tested regular expressions, the PHPIDS is able to efficiently recognize, classify and ultimately react to many different kinds of attacks, including, among others, XSS, SQL injection, directory traversal, String.fromCharCode attacks, halfwidth/fullwidth encoding attacks and remote code execution. Thanks to its flexible and simple configuration, the PHPIDS reacts in exactly the way the developer intends.

Integration is as simple as can be. Besides PHP 5.2, the only requirement is the SimpleXML extension, plus the following code:

<?php
set_include_path('../../lib/');
require_once 'IDS/Monitor.php';
require_once 'IDS/Filter/Storage.php';

try {

    // instantiate the storage object and fetch the rules
    $storage = new IDS_Filter_Storage();
    $storage->getFilterFromXML('../../lib/default_filter.xml');

    /*
     * Instantiate the IDS and start the detection
     *
     * here we are using $_GET but you can pass any
     * array you want like $_SERVER, $_SESSION etc.
     */
    $get = new IDS_Monitor($_GET, $storage);
    $report = $get->run();

    if (!$report->isEmpty()) {

        // Get the overall impact
        echo "Impact: {$report->getImpact()}\n";

        // Get array of every tag used
        echo 'Tags: ' . join(', ', $report->getTags()) . "\n";

        // Iterate through the report and get every event (IDS_Event)
        foreach ($report as $event) {
            // getValue() returns the raw, unfiltered input; escape it
            // before rendering it into an HTML page
            echo "Variable: {$event->getName()} | Value: {$event->getValue()}\n";
            echo "Impact: {$event->getImpact()} | Tags: " . join(", ", $event->getTags()) . "\n";

            // Iterate through every filter that matched this event
            foreach ($event as $filter) {
                echo "Description: {$filter->getDescription()}\n";
                echo "Tags: " . join(", ", $filter->getTags()) . "\n";
            }
        }
    }

    /*
     * Additionally you have the option to store the detected
     * data using IDS_Log_Composite and for example IDS_Log_File
     */
    require_once '../../lib/IDS/Log/File.php';
    require_once '../../lib/IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        IDS_Log_File::getInstance('log.txt')
    );

    if (!$report->isEmpty()) {
        $compositeLog->execute($report);
    }

} catch (Exception $e) {
    printf(
        'An error occurred: %s',
        $e->getMessage()
    );
}
?>

Ideally the PHPIDS should be included at a central position in the application, or even better via auto_prepend_file. If an attack takes place, the IDS report object is returned filled with data and the programmer can decide on the appropriate reaction. For the most part, decisions about the reaction depend on the detected attacks' cumulative impact.

The impact value acts as an indicator of an attack's severity and can be used to grade the application's reaction to that attack. For example, if the impact is 3, an appropriate response might be to log the issue to a file, whereas if the impact is around 12, a warning mail to the site owner might be more applicable, whilst an impact of 24 or above might print out a message to the attacker stating that the intrusion attempt has been detected and the request aborted.
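The following prepend file is an added example, not code from the PHPIDS project or the article: it wires the 0.2.2-era API shown above into auto_prepend_file and implements the graded reaction just described (log from impact 3, mail from 12, abort from 24). The install path, log path and contact address are assumptions; request keys are flattened with a source prefix so that a GET, POST and COOKIE parameter with the same name cannot shadow each other.

```php
<?php
// Added example (not from the PHPIDS project). Wire it in via php.ini or,
// with mod_php, a .htaccess line such as:
//     php_value auto_prepend_file /var/www/ids_prepend.php

$idsLib  = '/var/www/phpids/lib/';     // assumed install location of lib/
$logFile = '/var/log/phpids/ids.log';  // assumed writable log path
$ownerTo = 'security@example.com';     // assumed site-owner address

set_include_path($idsLib . PATH_SEPARATOR . get_include_path());
require_once 'IDS/Monitor.php';
require_once 'IDS/Filter/Storage.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

/**
 * Map a cumulative impact to the reaction tier from the article:
 * 'ignore' below 3, 'log' from 3, 'mail' from 12, 'abort' from 24.
 */
function ids_reaction_for_impact($impact)
{
    if ($impact >= 24) return 'abort';
    if ($impact >= 12) return 'mail';
    if ($impact >= 3)  return 'log';
    return 'ignore';
}

/**
 * Flatten a request array into "SRC.key.subkey" => string pairs so every
 * scalar value is examined exactly once and its origin stays visible.
 */
function ids_flatten($data, $prefix, &$out)
{
    foreach ($data as $key => $value) {
        $name = $prefix . '.' . $key;
        if (is_array($value)) {
            ids_flatten($value, $name, $out);
        } else {
            $out[$name] = (string) $value;
        }
    }
}

/**
 * One-line summary of a report for the alert mail: variable names, impacts
 * and tags only, never the raw attacker-supplied values.
 */
function ids_summarize_report($report)
{
    $lines = array();
    foreach ($report as $event) {
        $lines[] = sprintf('%s impact=%d tags=%s', $event->getName(),
                           $event->getImpact(), join(',', $event->getTags()));
    }
    return join('; ', $lines);
}

try {
    $storage = new IDS_Filter_Storage();
    $storage->getFilterFromXML($idsLib . 'default_filter.xml');

    // Check every user-controlled array, not only $_GET.
    $request = array();
    ids_flatten($_GET,    'GET',    $request);
    ids_flatten($_POST,   'POST',   $request);
    ids_flatten($_COOKIE, 'COOKIE', $request);

    $monitor = new IDS_Monitor($request, $storage);
    $report  = $monitor->run();

    if (!$report->isEmpty()) {
        $impact   = $report->getImpact();
        $reaction = ids_reaction_for_impact($impact);
        $client   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

        if ($reaction !== 'ignore') {
            // Every tier from 'log' upwards keeps the full report on disk.
            $log = new IDS_Log_Composite();
            $log->addLogger(IDS_Log_File::getInstance($logFile));
            $log->execute($report);
        }
        if ($reaction === 'mail' || $reaction === 'abort') {
            mail($ownerTo, 'PHPIDS alert, impact ' . $impact,
                 ids_summarize_report($report) . "\nclient: " . $client);
        }
        if ($reaction === 'abort') {
            header('HTTP/1.1 403 Forbidden');
            echo 'Your request has been identified as an intrusion attempt and was aborted.';
            exit;
        }
    }
} catch (Exception $e) {
    // An IDS failure must never take the site down: record it and carry on.
    error_log('PHPIDS error: ' . $e->getMessage());
}
```

The thresholds live in one function so they can be tuned per site without touching the reaction code, and the catch block deliberately fails open: a broken filter file or unwritable log should surface in the error log, not as a site-wide outage.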

The PHPIDS is heavily tested via PHPUnit and profiled via Xdebug, meaning you can expect a minimal performance hit to your applications. We are currently using the PHPIDS with great success on several high-traffic sites, ormigo.com and neu.de being the two foremost examples. Documentation and support are available on the project site or via our forum. Future development of the PHPIDS will likely focus on detection of fragmented XSS and enhanced detection of heavily encoded attack vectors.

For users of .NET there is the .NETIDS written by Martin Hinks, a port of the PHPIDS that uses the same filter rules. You will find all related resources on the .NETIDS project page (http://code.google.com/p/dotnetids/). Support for the .NETIDS is also available in the PHPIDS forum.

Regards, Christian Matthies & Mario Heiderich

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework