PHP-Intrusion Detection System (PHPIDS for short) is one of those little gems that you find occasionally out in the wild on the Web, a truly remarkable little bit of code that when added to your site, immediately offers you unparalleled protection against, or rather detection of, malicious break-in attempts.
In a nutshell, it is a simple to use, well structured, fast and state-of-the-art security layer for any PHP based web site, one that doesn’t attempt to strip, sanitize or filter any malicious input, but rather recognizes attack attempts and then warns you of them, allowing you to set up exactly how you would like the system to respond to the various levels of threat detected.
The system uses a number of heavily tested filter rules that return a numerical impact rating, which lets you decide what kind of action to take against a particular type of attack. For example, based on the impact flag raised, you could simply log the attack attempt, send out an emergency email, or even just end the current user’s (i.e. the attacker’s) session completely!
PHPIDS currently detects all sorts of XSS, SQL injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks, but even better, it is even able to detect most heavily obfuscated attacks (things like charsets, entities, JavaScript Unicode, decimal, hex etc.) thanks to its special conversion algorithms.
To run PHPIDS on top of your existing site, you do need at least PHP 5.1.6 in order to make full use of all of PHPIDS’ features. Other than that, a database would be handy if you wanted to set up some kind of logging system, while SimpleXML and JSON support are also a good idea. Currently the default PHP package shipped with most current distributions fulfils all the requirements out-of-the-box.
The following usage is a good example of just how easy it is to run PHPIDS over your scripts (naturally, in real life you would actually want to do something with the $result value if it is returned!):
<?php
// Load the PHPIDS bootstrap (path relative to the include_path).
require_once 'IDS/Init.php';

// Collect everything the client can influence; PHPIDS inspects all of it.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE
);

// Read the filter rules and runtime settings from the shipped INI file.
$init = IDS_Init::init('IDS/Config/Config.ini');

// Run every filter rule over the collected input and collect the matches.
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // Take a look at the result object (its __toString() lists every event)
    echo $result;
}
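The usage above only prints the report; the earlier paragraph describes reacting to the impact rating instead. The following added example (my own code, not part of the PHPIDS project or the original post) turns the report into the three responses mentioned there: log, email an admin, or end the session. It assumes the PHPIDS 0.x report API (getImpact() on the report, iteration over IDS_Event objects with getName(), getValue(), getImpact() and getTags()); the threshold values and the admin address are placeholders you would tune to your own traffic.

```php
<?php
require_once 'IDS/Init.php';

// Assumed thresholds: below LOW the hit is ignored as noise, LOW..MEDIUM is
// only logged, MEDIUM..HIGH also alerts a human, HIGH and above ends the session.
define('IMPACT_LOW',    3);
define('IMPACT_MEDIUM', 20);
define('IMPACT_HIGH',   50);

function respondToImpact(IDS_Report $result, $adminEmail)
{
    if ($result->isEmpty()) {
        return 'clean';
    }
    // The report impact is the summed impact of every filter that matched.
    $impact = $result->getImpact();
    if ($impact < IMPACT_LOW) {
        return 'ignored';
    }

    // One entry per flagged parameter, so the log shows what tripped the rules.
    $details = array();
    foreach ($result as $event) {
        $details[] = sprintf('%s=%s (impact %d, tags %s)',
            $event->getName(), $event->getValue(), $event->getImpact(),
            implode(',', $event->getTags()));
    }
    $line = sprintf('[%s] PHPIDS impact %d from %s: %s', date('c'), $impact,
        $_SERVER['REMOTE_ADDR'], implode('; ', $details));

    error_log($line);                                   // LOW and above: log it
    if ($impact >= IMPACT_MEDIUM) {                     // MEDIUM and above: alert
        mail($adminEmail, 'PHPIDS alert (impact ' . $impact . ')', $line);
    }
    if ($impact >= IMPACT_HIGH) {                       // HIGH: end the session
        if (session_id() !== '') {
            $_SESSION = array();
            session_destroy();
        }
        header('HTTP/1.1 403 Forbidden');
        return 'blocked';
    }
    return $impact >= IMPACT_MEDIUM ? 'alerted' : 'logged';
}

$init    = IDS_Init::init('IDS/Config/Config.ini');
$request = array('REQUEST' => $_REQUEST, 'GET' => $_GET,
                 'POST' => $_POST, 'COOKIE' => $_COOKIE);
$monitor = new IDS_Monitor($request, $init);
$verdict = respondToImpact($monitor->run(), 'security@example.invalid');
```

Call respondToImpact() before any output is sent, since the high-impact branch emits a 403 header; the returned verdict string is handy for your own access log.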
Of course, by this stage you would have realised that I’m simply amazed by this little system, and honestly, if you are a PHP developer then you should be too. Furthermore, the code is all LGPL licensed, meaning that there is no excuse for you not to go and download it now! :P
Related link: http://php-ids.org/