
Ibuildings techPortal:
PHP intrusion Detection System (PHPIDS)
Aug 04, 2009 @ 13:48:42

On the Ibuildings techPortal site today Boy Baukema looks at PHPIDS, the PHP intrusion detection system, and how it can help you and your application feel a little safer.

Just a reminder to everyone who is interested in WebAppSec and hasn’t done so already to try PHPIDS, the Intrusion Detection System. [...] Installing PHPIDS is easy. Just download the latest version in your preferred format and then review the FAQ for sample code on how to install it.

He does warn about one thing, though: the system is a basic intrusion detection system and is not as complex as other detection tools. He had some complaints about what it thought were intrusions, and he recommends that you only point it at the external side of your application to cause less hassle in the long run.

tagged: phpids security intrusion detection tool


PHPFreaks.com:
Protecting php applications with PHPIDS
Jan 07, 2009 @ 13:57:06

The PHPFreaks.com website has posted a recent tutorial looking at a tool that can help protect you and your web applications from possible malicious users - PHPIDS.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.

They look at the installation of the tool, an example configuration (that sets up some logging and caching settings) and a PHP script to enable the functionality. Then you can use the auto_prepend_file directive under Apache to load it on each page and protect your site quickly and easily.

tagged: phpids tutorial application autoprepend configuration installation


PHPFreaks.com:
Protecting php applications with PHPIDS
Dec 22, 2008 @ 14:49:42

On the PHPFreaks.com website there's a new article looking at one way to help protect your website from those evil doers out there looking to cause you and your data harm - PHP-IDS.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. [...] In a nutshell PHPIDS is an advanced intrusion detection system written with performance on a large scale in mind. The basic installation and configuration is pretty straight forward.

They (briefly) step you through the installation and configuration of the tool and provide a sample script to get the ball rolling - a file that can be auto_prepended to all scripts run on your Apache server to filter and log incoming requests.

tagged: tutorial phpids tool security protect filter log detect install configure


HowTo Forge:
Intrusion Detection For PHP Applications With PHPIDS
Jun 24, 2008 @ 15:22:04

On the HowTo Forge website, there's a recently posted article about using the IDS tool for PHP to help with intrusion detection for your website.

This tutorial explains how to set up IDS tool on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

They show the steps you'll need to get things installed and working, as well as some of the configuration changes you'll need to make (including the creation of an auto-prepend file so that it is easy to use everywhere).

tagged: intrusion detection phpids application tutorial install configure


Lars Strojny's Blog:
Security "to go"?
May 21, 2008 @ 17:53:55

In this new post to his blog today, Lars Strojny looks to clear up some of the confusion that might be forming around the term "intrusion detection", more specifically, related to projects like PHP-IDS.

PHP-IDS is an intrusion detection tool on the application level. Application firewalls know about a certain protocol and its structure (e.g. HTTP) and inspect the protocol to detect attack patterns. Some of them are even capable of learning from usual request signatures and enforcing rules based on the learned data. There are various commercial products to achieve application firewalling. PHP-IDS does the same for free and sits directly on the webserver in the scope of the application.

He recommends it as a good supplement to the hardening you've already done for your server (you have hardened it, haven't you?) to help keep you and your data safe from prying eyes.

tagged: security application level phpids protect harden


Tutorial:
An Introduction to PHPIDS (PHP-Intrusion Detection System)
Jun 19, 2007 @ 20:28:56

After several weeks of work Mario Heiderich, Lars Strojny and of course myself released the first stable versions of the PHPIDS - currently at version 0.2.2.

You will find the project site on http://php-ids.org/

In this article I would like to present our framework and explain how it can be used, hoping that developers consider it useful to make their application more secure.

The PHPIDS is a system that is meant to be an additional layer of security for any PHP based website or web application. In fact, this layer does not filter input - that would be a task for different layers - but it makes sure that no potential attack against the application goes unnoticed.

Based on a collection of heavily tested regular expressions the PHPIDS is able to efficiently recognize, classify and ultimately react to many different kinds of attacks - including, among others, XSS, SQL injection, directory traversal, String.fromCharCode attacks, halfwidth/fullwidth encoding attacks and remote code execution. Due to its flexible and easy configuration the PHPIDS reaction will happen in exactly the way the developer intends.

The integration is as simple as can be. Besides PHP 5.2 the only necessary extension is SimpleXML and the following code:

[php]
<?php
// IDS_Monitor and IDS_Filter_Storage must already be loaded at this point
// (via require_once or an autoloader).
try {

    // Instantiate the storage object and fetch the rules
    $storage = new IDS_Filter_Storage();
    $storage->getFilterFromXML('../../lib/default_filter.xml');

    /*
     * Instantiate the IDS and start the detection
     *
     * here we are using $_GET but you can pass any
     * array you want like $_SERVER, $_SESSION etc.
     */
    $get = new IDS_Monitor($_GET, $storage);
    $report = $get->run();

    if (!$report->isEmpty()) {

        // Get the overall impact
        echo "Impact: {$report->getImpact()}\n";

        // Get array of every tag used
        echo 'Tags: ' . join(', ', $report->getTags()) . "\n";

        // Iterate through the report and get every event (IDS_Event)
        foreach ($report as $event) {
            // Name and value come from the request: escape them before output
            echo 'Variable: ' . htmlspecialchars($event->getName())
                . ' | Value: ' . htmlspecialchars($event->getValue()) . "\n";
            echo "Impact: {$event->getImpact()} | Tags: " . join(", ", $event->getTags()) . "\n";

            // Iterate through every filter that matched this event
            foreach ($event as $filter) {
                echo "Description: {$filter->getDescription()}\n";
                echo "Tags: " . join(", ", $filter->getTags()) . "\n";
            }
        }
    }

    /*
     * Additionally you have the option to store the detected
     * data using IDS_Log_Composite and for example IDS_Log_File
     */
    require_once '../../lib/IDS/Log/File.php';
    require_once '../../lib/IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        IDS_Log_File::getInstance('log.txt')
    );

    if (!$report->isEmpty()) {
        $compositeLog->execute($report);
    }

} catch (Exception $e) {
    printf('An error occurred: %s', $e->getMessage());
}
?>
[/php]

Ideally the PHPIDS should be included in a central position of the application or even better via auto_prepend_file. If an attack takes place the IDS result object will be returned filled with data and the programmer can decide the appropriate reaction. For the most part decisions about the reaction are dependent on the detected attacks' cumulative impact.

The impact variable acts as an indicator for an attack's severity and can be used to grade the application's reaction to that attack. For example, if the impact was 3, an appropriate response might be to log the issue in a file, whereas if the impact was around 12, a warning mail to the site owner might be more applicable, whilst an impact of 24 or above might print out a message to the attacker stating that his intrusion attempt has been detected and the request aborted.
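The impact grading described above, as an added example (not code from the article or from PHPIDS): three constructed regex rules stand in for the real filter set, each match adds its impact to a per-variable event, and the cumulative total is mapped to the 3 / 12 / 24 thresholds the article suggests. The rule patterns, the function names `scan` and `reactions`, and the sample request are assumptions made for this illustration.

```php
<?php
// Added illustration. These rules are constructed for the example and are
// NOT taken from PHPIDS's default_filter.xml.
$rules = [
    ['pattern' => '/<\s*script\b/i',          'impact' => 8, 'tag' => 'xss'],
    ['pattern' => '/\bunion\b.+\bselect\b/i', 'impact' => 6, 'tag' => 'sqli'],
    ['pattern' => '#(?:\.\./){2,}#',          'impact' => 5, 'tag' => 'traversal'],
];

// One event per request variable; each matching rule adds its impact.
function scan(array $input, array $rules)
{
    $events = [];
    foreach ($input as $name => $value) {
        if (!is_scalar($value)) { continue; } // nested arrays skipped in this sketch
        foreach ($rules as $rule) {
            if (preg_match($rule['pattern'], (string) $value) === 1) {
                if (!isset($events[$name])) {
                    $events[$name] = ['impact' => 0, 'tags' => []];
                }
                $events[$name]['impact'] += $rule['impact'];
                $events[$name]['tags'][] = $rule['tag'];
            }
        }
    }
    return $events;
}

// Thresholds 3 / 12 / 24 follow the article; escalating cumulatively
// (a mailed attack is also logged) is an assumption of this example.
function reactions($impact)
{
    $actions = [];
    if ($impact >= 3)  { $actions[] = 'log'; }
    if ($impact >= 12) { $actions[] = 'mail'; }
    if ($impact >= 24) { $actions[] = 'abort'; }
    return $actions;
}

// Constructed sample request standing in for $_GET.
$request = [
    'page' => '3',
    'q'    => '<script>alert(1)</script>',
    'file' => '../../../etc/passwd',
    'id'   => '1 UNION SELECT name, pass FROM users',
];
$events = scan($request, $rules);
$total  = array_sum(array_column($events, 'impact'));
printf("impact=%d actions=%s\n", $total, implode(',', reactions($total)));
```

Because the reaction keys off the cumulative impact, several medium-severity matches in one request escalate the response even though no single variable reaches the mail threshold on its own.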

The PHPIDS is heavily tested via PHPUnit and profiled via Xdebug, meaning that you can expect a minimal performance hit to your applications. We are currently using the PHPIDS with great success on several high-traffic sites, ormigo.com and neu.de being the two foremost examples. Documentation and support are available on the project site or via our forum. Future development for the PHPIDS will possibly center on detection of fragmented XSS and enhanced detection of heavily encoded attack vectors.

For users of .NET there's the .NETIDS written by Martin Hinks which is a port of the PHPIDS and uses the same filter rules. You will find any related resources on the .NETIDS project page (http://code.google.com/p/dotnetids/). Support for the .NETIDS is also available in the PHPIDS forum.

Regards, Christian Matthies & Mario Heiderich

tagged: tutorial article phpids intrusion detection system
