- 1) Installation
- 2) Reacting to the attack:
- 3) Enabling / Disabling
- 4) Next version 0.3
- 5) How to upgrade?
PHPIDS is a well known project that can be found at php-ids.org.
PHPIDS is an intrusion detection system based essentially on IDS rules. It recognizes attacks by filtering the information sent to the system and returns a rating and a report of what it considers a potential attack. From this information the application can react to the attack: send e-mail alerts, generate detailed logs, block the user, build a black list, etc.
The PHPIDS project was wrapped as a Yii application component, which can be downloaded from http://www.yiiframework.com/extension/phpids/ together with its installation and usage instructions.
This how-to shows its installation and describes some of its uses in more detail.
This component was tested on Yii 1.1.5 and 1.1.4 with PHP 5.2. The component was at version 0.2 when this how-to was written.
1) Installation
Unzip the file into .../webapp/protected/components/ids
Create the directory .../components/ids/IDS/tmp and make it writable
Update .../protected/config/main.php:

```php
// protected/config/main.php
...
'preload' => array('log', 'ids'),   // was: array('log')
...
'components' => array(
    ...
    'ids' => array(
        'class' => 'application.components.ids.CPhpIds',
    ),
    ...
),
```

Add the component 'ids' to the preload index of your application config. In components add the component 'ids' and its settings. The configuration above is the minimum needed for 'ids' to work.
All application input is filtered by PHPIDS: the variables `$_REQUEST`, `$_GET`, `$_POST` and `$_COOKIE` are checked against the attack types described by the IDS detection rules. If a potential attack is detected, the application is stopped before the request is processed: an exception is thrown with a generic error message that gives the attacker no details, and a detailed log entry is generated.
This log is generated through the Yii Log application component, so an attack can be sent by e-mail (CEmailLogRoute), stored in a database or file, or simply displayed in the browser with the web log route.
We can go further in the configuration. A simple detail is the message that is sent to the attacker:

```php
...
'ids' => array(
    'class'          => 'application.components.ids.CPhpIds',
    'genericMessage' => 'Unexpected error!',   // message sent to the attacker
),
...
```

The goal is that this message gives no details about the attack and does not tell the attacker that the attack was detected. The actual handling is done internally by the application, by sending e-mails or simply by blocking the user.
This message is not what goes into the log; the details of the attack are generated separately and sent to the logging component.
2) Reacting to the attack

```php
...
'ids' => array(
    'class'          => 'application.components.ids.CPhpIds',
    'genericMessage' => 'Unexpected error!',   // message sent to the attacker
    // create_function() is deprecated since PHP 7.2 and removed in PHP 8;
    // on newer PHP use a closure or an array callback instead
    'callback'       => create_function('', "echo 'Error!'; Yii::app()->end(); return false;"),
),
...
```

The callback parameter receives a valid PHP callback; see the call_user_func function in the PHP Manual. It can be a function, or a class and the method that should be called. In the example above we create a simple function that prints an error and terminates the application.
Through this configuration the developer can handle detected attacks in a better way: sending e-mails or alerts, creating a black list, removing the user's access, ending the session, etc. Once a callback is configured, the component's default exception is no longer thrown, so ending the request becomes the responsibility of the developer, inside the function or method passed as the callback.
3) Enabling / Disabling

```php
...
'ids' => array(
    'class'          => 'application.components.ids.CPhpIds',
    'genericMessage' => 'Unexpected error!',   // message sent to the attacker
    'callback'       => create_function('', "echo 'Error!'; Yii::app()->end(); return false;"),
    // run PHPIDS on every request except the site/contact route
    'enable'         => create_function('', 'return $_GET["r"] != "site/contact";'),
),
...
```

The enable parameter enables or disables the execution of PHPIDS. It can receive a boolean directly: true to run the IDS check, false not to run it. It can also receive a valid callback that returns a boolean. With this, the IDS can be activated only on the requests you want, according to the rules implemented in the callback passed as parameter. See the call_user_func function to learn more about valid callbacks.
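Putting sections 2 and 3 together, here is an added example (not code from the PHPIDS extension, the Yii project or this how-to) that replaces the inline create_function() callbacks with static methods of a handler class, logs the request context through the Yii log component and skips a list of routes instead of the single one above. The class name IdsHandler, its methods and the skip list are assumptions; the component keys (class, genericMessage, callback, enable) are the ones the how-to describes, and the callback takes no parameters, as in version 0.2.

```php
<?php
// Shown as one listing; the class belongs in protected/components/IdsHandler.php
// (assumed file name) and the array is the matching fragment of protected/config/main.php.
class IdsHandler
{
    // Routes never scanned by PHPIDS (constructed list; the how-to skips only site/contact)
    private static $skipRoutes = array('site/contact');

    // 'enable' callback: PHPIDS runs only when this returns true
    public static function shouldRun()
    {
        $route = isset($_GET['r']) ? $_GET['r'] : '';
        return !in_array($route, self::$skipRoutes, true);
    }

    // 'callback': runs instead of the component's default exception once a rule matches.
    // Record who hit what for the security log, answer with the generic message only,
    // and end the request so no controller code runs (mirrors the how-to's callback).
    public static function onAttack()
    {
        $request = Yii::app()->request;
        Yii::log(sprintf('PHPIDS match from %s on %s',
                $request->getUserHostAddress(), $request->getRequestUri()),
            CLogger::LEVEL_WARNING, 'application.security.ids');
        echo 'Unexpected error!';
        Yii::app()->end();
        return false;
    }
}

return array(
    'preload' => array('log', 'ids'),
    'import'  => array('application.components.*'),   // autoloads IdsHandler
    'components' => array(
        'ids' => array(
            'class'          => 'application.components.ids.CPhpIds',
            'genericMessage' => 'Unexpected error!',
            'callback'       => array('IdsHandler', 'onAttack'),   // valid call_user_func callback
            'enable'         => array('IdsHandler', 'shouldRun'),
        ),
        'log' => array(
            'class'  => 'CLogRouter',
            'routes' => array(array(
                'class'      => 'CFileLogRoute',   // writes protected/runtime/application.log
                'categories' => 'application.security.*',
                'levels'     => 'warning,error',
            )),
        ),
    ),
);
```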
4) Next version 0.3
The next release will expose more of the PHPIDS configuration: an internal log for the IDS, the tmp folder, and others.
The major change will be in the handling of the callback, which will receive the impact of the attack as a parameter, so the developer can decide how to react based on the attacker's skill level.
5) How to upgrade?
Download the updated default_rules.xml from http://php-ids.org/ and replace the old version in .../public/components/ids/IDS
Credits and thanks to the PHPIDS development team.