/usr/portage

Intrusion detection for PHP 4

A local startup, Ormigo, launched PHP IDS, a PHP-based intrusion detection system. It was written by Mario Heiderich and christ1an (who did the regular expression magic). The outstanding difference to approaches like mod_security is that it is purely PHP-based and can be integrated into your application. It basically takes a user submitted content array ($_POST, $_GET, $_COOKIE) and applies a certain set of regular expressions. When I read about it on Oliver Thylmanns Weblog I was really fascinated by the idea and started playing around with it. I’ve submitted a number of patches and proposals and started a branch to introduce a more convenient result handling which was merged back into the trunk a few hours ago. There will be a release in the next weeks and I’m looking forward on helping to make this project grow up.
Just for the record: after christ1an asked me for whom I’m working for he found a nice XSS on Neu.de which was fixed on monday. Thanks again for the hint, christ1an.

The PHP IDS subversion repository: http://phpids.googlecode.com/svn/trunk/

Filed on 15-05-2007, 22:10 under , , , , , & four comments & no trackbacks

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

  1. Scott states:
    published on May 16th 2007, 08:51:41 am *

    Interesting. Can a server admin simply put it in front of a PHP app without having to mess with the app code? Can one apply a standard set of filter rules like those at gotroot? If so, I can think of a few projects where we could use this instead of mod_security…

    Reply

  2. Lars Strojny reckons:
    published on May 16th 2007, 09:10:41 am *

    PHP IDS moves the responsibility for application level intrusion detection away from the admin into the hands of the developer/security engineer. That makes sense in a lot of cases. The administrator do not need to know about the attack vendors against the application, he is overwhelmed with hardening his servers anyway. Developers knows best about the application, they can implement and control the filters much saner, I would guess.
    Standard filters: that’s one of the main advantages that PHP IDS comes with a pre defined set of filters against various intrusions (http://phpids.googlecode.com/svn/trunk/phpids/default_filter.xml).
    But nevertheless, I would guess, that an admin could implement this also on application level. Just take a look at the following snippet:
    require_once ‘IDS/Filter/Storage.php’;
    require_once ‘IDS/Monitor.php’;
    $storage = new IDS_Filter_Storage;
    $storage->getFiltersFromXML($filterpath);
    $monitor = new IDS_Monitor($_POST, $storage);
    $result = $monitor->run();
    if (!$result->isEmpty()) { if ($result->getImpact() > 10) { die("Guy, you suck!"); }
    }

    Reply

  3. Scott means:
    published on May 16th 2007, 09:31:33 am *

    Hmm, for my projects I cannot trust the developers to take this responsibility, since the developers are often 3rd party. The projects also have a lot of legacy code that is no longer properly maintained. I need a solution that can be bolted in front of the app to protect the developers from themselves.

    That said, maybe with auto_prepend_file I could get PHP IDS to do what I need.

    Reply

  4. Lars Strojny reckons:
    published on May 16th 2007, 11:28:59 am *

    auto_prepend would work too, of course.

    Reply

Add a Comment & let me know what you think