PHP based Intrusion Detection System
During the last few weeks a friend of mine and I spent some time working on a PHP based Web application IDS, which is essentially designed to be an additional layer of protection for any website it is used on.
It's not officially published yet since we're still changing some parts, but I'd like to hear other people's opinions on it prior to contributing it to PEAR, which is what we intend to do in the near future. You will find the project, including a Subversion repository, temporarily on http://code.google.com/p/phpids/
The detection system is pretty simple and based on a set of upgradeable regular expressions that are cross-checked against every variable passed to the system's main class, named IDS_Monitor. In addition we provide an easily extendable logging mechanism that allows storing detected results in files, sending them via email and things like that.
Here's an example of use:

<?php
// Assumes the IDS classes (Filter_Storage, IDS_Monitor) have already been included.
try {
    $storage = new Filter_Storage();
    $storage->getFilterFromXML('phpids/default_filter.xml');
    $get = new IDS_Monitor($_GET, $storage);
    $result = $get->run();
    // display results
    print_r($result);
    // Or store the data using IDS_Log_Composite and
    // Log_File
    require_once('phpids/log/log_file.php');
    require_once('phpids/log/log_composite.php');
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        Log_File::getInstance('results.txt')
    );
    if (!empty($result)) {
        $compositeLog->execute($result);
    }
} catch (Exception $e) {
    printf(
        'An error occurred: %s',
        $e->getMessage()
    );
}
?>

Obviously the effectiveness of the IDS depends on the quality of the patterns used; therefore the system is supplied with a bunch of default patterns, mainly written by .mario, who is one of the most versed people dealing with filtering I've ever met. Also to mention is Ronald (better known as Jungsonn), who shared his thoughts and expertise. Thank you.
So I think the vast majority of XSS and SQL injection vectors (trivial or advanced) should be covered.
Are there any comments or suggestions?

16 Comments:
SQL injection detection is not built in yet but will follow in the next days. If any of you readers are interested in joining the project and gaining commit rights, just drop us a line or post a request via the Google group.
Greetings,
.mario
Oh, that's a really good idea, a PHP IDS! And actually, I thought about it today for one of my projects at work.
Will definitely give it a try :)
Thank you very much neuroo but please wait a couple of days until we release a final version.
This is nothing we're working full time on but rather a secondary project.
Anyway, please keep us updated once you field-test it ;)
I left you guys a comment back on sla.ckers, and actually set up a mirror of my site on http://beta.secexp.com to give this a shot. Only problem being that I am < newbie at PHP, so if you guys could provide some assistance as to how to integrate this with my current CMS, Joomla, that'd be great. My CMS does have an index.php which I assume would be a great place to insert the "require_once" statements.
Thanks!
I think that it is a new idea to include an IDS function in a PHP script. But what is the advantage over an existing WAF, like mod_security?
Hey
http://freshmeat.net/labrova
it was done like 4 years ago
@thrill: Thanks, sounds good - the more testing the IDS gets, the better it will grow.
We will include an advanced example file in the coming package to allow users to see what can be done with the IDS. At the moment we are live-testing with a four-step reaction based on the impact of the matching rules and the session - first logging, then mailing to the admins, then a warning for the user and then a kick/ban. Works pretty well.
Greetings,
.mario
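The mechanism the post describes (regexes cross-checked against every request variable) together with the impact-based four-step reaction .mario mentions above, as an added PHP illustration that is not PHPIDS' own code. The patterns, thresholds and the request data are constructed for the example; in a real deployment the session array would be $_SESSION and the variables $_GET/$_POST.

```php
<?php
// Added illustration, not PHPIDS code: a minimal monitor that cross-checks
// every request variable against impact-weighted regexes and escalates the
// reaction by the impact accumulated in the visitor's session.
// Constructed example patterns, not the contents of default_filter.xml.
$filters = [
    ['rule' => '/<\s*script|javascript\s*:/i', 'impact' => 4, 'desc' => 'script tag or javascript: URI'],
    ['rule' => '/\bon\w+\s*=/i',                'impact' => 3, 'desc' => 'inline event handler'],
    // UTF-7: "+ADw-" encodes "<", "+ACI" encodes a double quote; case-sensitive on purpose
    ['rule' => '/\+A(?:Dw|CI)/',                'impact' => 4, 'desc' => 'UTF-7 encoded tag or quote'],
    ['rule' => '/(?:\'|")\s*(?:or|and)\s+[\w\'"]+\s*=/i', 'impact' => 5, 'desc' => 'boolean SQL tautology'],
];

// Walk the variables recursively (nested arrays as in $_GET) and return one
// result entry per matching rule, with the offending key and value.
function scan_vars(array $vars, array $filters, string $prefix = ''): array {
    $results = [];
    foreach ($vars as $key => $value) {
        $name = $prefix === '' ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $results = array_merge($results, scan_vars($value, $filters, $name));
            continue;
        }
        // urldecode so that %2b-style encodings are inspected as well
        $decoded = urldecode((string)$value);
        foreach ($filters as $f) {
            if (preg_match($f['rule'], $decoded)) {
                $results[] = ['name' => $name, 'value' => $value,
                              'impact' => $f['impact'], 'desc' => $f['desc']];
            }
        }
    }
    return $results;
}

// Four-step reaction: thresholds on the impact summed across the session
// (constructed threshold values; tune them to the site's traffic).
function react(array $results, array &$session): string {
    $session['ids_impact'] = ($session['ids_impact'] ?? 0)
                           + array_sum(array_column($results, 'impact'));
    $total = $session['ids_impact'];
    if ($total === 0)  return 'none';
    if ($total < 5)    return 'log';
    if ($total < 10)   return 'mail';
    if ($total < 20)   return 'warn';
    return 'ban';
}

// Constructed request instead of $_GET, so the script runs offline.
$request = ['name' => 'sex', 'bid' => '+ACIAPgA8AFMAQwBSAEkAUABUAD4-', 'q' => ['a' => "' or 1=1 --"]];
$session = [];
$results = scan_vars($request, $filters);
print_r($results);
echo react($results, $session), "\n";
```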
@naka: Well, I think a lot of people are wondering about that, including myself. However, although I'm not very familiar with mod_security, I think it has a couple of disadvantages if directly compared to a solution like this.
Firstly, mod_security is based on regular expressions just like our IDS; however, it's not that extensive and a system admin is more or less on his own to set up new rules and check their impact. So he's likely to make mistakes if he has no experience in regex.
Secondly, mod_security of course requires root access since new rules need to be added to the http.conf file. Might sometimes be a disadvantage.
Next thing is performance. Does anyone know more about this? I'm aware of the fact that a) PHP is pretty slow and b) we have at least one function call per regex rule per parameter, but the mod_security module needs to be started on every request and furthermore does the same cross-checking with its filters.
There might be more aspects but this is what came into my mind so far.
Yes indeed, mod_security still requires people to have access to Apache & PHP, e.g. server access beyond FTP only. A lot of users have virtual hosting; I think around 75% of my clients do not own a server and cannot install mod_security.
So the PHP IDS is really portable in comparison to mod_security. Pick it up, upload it and you're nearly done. So I really like this idea. It isn't thought of as a replacement, but as an alternative, so that anyone can have some sort of protection and we don't discriminate against the users who can't configure a webserver.
Ronald.
@DokFleed:
Just played a little bit with labrova - nice one - but the filters aren't that fresh, I guess - I managed to inject decimal entities, hex entities, IE specific encoding, UTF-7 etc...
Check this link with UTF-7 enabled - it should show an XSS that wasn't detected by labrova:
http://www.dokfleed.net/duh/banners.php?op=EmailStats&name=sex&bid=%2bACIAPgA8AFMAQwBSAEkAUABUAD4AYQBsAGUAcgB0ACgAMQAyADMANAApADwALwBTAEMAUgBJAFAAVAA%2b-
Greetings,
.mario
True,
the project stopped a while ago. It's going through a patent process.
But the updated versions check different encodings and it is ported to .Net & JSP too.
cheers
DokFLeed
@dokfled:
Sounds good - interested in collaborating?
Greetings,
.mario
Sure,
give me a shout on my email.
btw, UTF-7 is very case specific and doesn't pass to the database. Another problem: in PHP you need to recompile it with MB String etc., which most sites don't do; I don't know why.
@DokFLeed
Just dropped you a line via yer contact form...
And where is the difference between PHP-IDS and mod_security for Apache ?
Anonymous: I've already answered that question a couple of times. Please read the comments of this article and moreover this one.