PHP-IDS

Written by: Chris in Web Technology

What is an IDS?

An IDS is an “Intrusion Detection System,” a system which detects attempts (whether manual or automated) to break into another system or network. These systems are designed solely for detection and notification.  The resulting actions are up to those responsible. For this reason, IDSs tend to have a lot of rules and therefore tend to cause false positives.  It is up to the maintainers to decide which rules (or filters) should be used in the first place and which should be tuned.

What is PHP-IDS?

PHP-IDS is an open-source IDS made for and in PHP.  It is a collection of blacklist filters designed to detect common (and less common) intrusions that can occur in PHP applications, such as SQL injections. These filters are all regular expressions which are fairly robust in general, but the filters still need some work.  Some of the false positives (discussed below) seem quite ridiculous!

The Good

  • It can log incidents to a file or a database (or anything else which you implement the class for) as well as e-mail you when the incidents occur.
  • Since it is a function called by your PHP application, it returns a result you can use to then execute an action based on how strong the attack is according to PHP-IDS.  This allows you to use it as an IPS but you have to be careful with this since, as previously stated, false positives can occur.
  • However, it does have flexibility in what can be detected.  The filters come as a simple XML file (there’s also a JSON version) which makes it relatively easy to add and remove filters.
  • The general configuration file can be overridden.  This way, you can have a different configuration or set of rules used for different parts of your application or even dynamically change the configuration based on circumstance.
  • The auto_prepend_file setting in PHP can be used to add PHP-IDS to every page in an application, site or server.
  • The demo on the PHP-IDS website can be used for testing and getting an impression of its strengths and weaknesses without having to set up such a test bed yourself.

The Bad

  • Hardly any documentation.  Most of what is provided is really more developer documentation than user documentation.
  • More or less requires a change of the PHP include path, which can be a bit obscure.
  • No (special) protection from separated XSS injections.  For example, attacks that can be split in half between two inputs.
  • Naturally, it doesn’t protect you from everything.  Some security holes made by sloppy or careless programming (or some obscure feature) will go right through as nothing automated can protect you from that (e.g. the WordPress array attack). It may not fit in “The Bad,” but it’s definitely something to keep in mind.
  • Examples show GPC (and R) lumped together (much like how $_REQUEST works by default), but they at least do warn of array_merge()‘s effects.
  • The community is virtually non-existent. There are posts asking for help that are not being answered; even posts which are pointing out valid false positives. Speaking of, the box to report false positives on the demo page is not currently functional.

The Ugly

  • It’s only IDS, not an IPS. The major problems with IDS systems currently is that a simple notification isn’t good enough.  Chances are by the time you’re done reading the fact that there could be a problem, the exploit is done and over with and it is too late.
  • It is not a whitelist.  No matter how good the blacklist, the moment any new features or technologies are provided, it will instantly be a step behind and usually will remain a step behind. On the other hand, whitelists take more effort to produce (depending on the situation) but only allow specific data that is expected.
  • There are quite a lot of false positives to worry about in this IDS.
  • The project seems to be dying; there have been no updates to the filters in two months.

False positives

  • Two hyphens side-by-side anywhere (i.e. -‌-).  Technically, one should never end up with this, but many are lazy and substitute proper en dashes (–) and em dashes (—) with hyphens. In the proper context this is not a false positive (– is a comment in SQL queries).
  • Certain blocks of unrelated text having specific common punctuation and/or “reserved words”, e.g. L’or! triggers a false positive.
  • The longer and more varied the text is (comments, blog posts, news articles, …) the more likely it is to be a false positive.

False negatives

I tried to locate a few but I haven’t found any yet. I’ve tried a variety of different methods as well as obscure and browser-specific hacks and so far have found nothing which gets through — yet. But at least it has that going for it.

Conclusion

It makes a nice addition to existing security measures. It is useful — as an IDS — for tracking repeat attacks and users attempting to abuse a system. However, even altered to function as an IPS, it needs more work to be used alone and therefore cannot be relied on yet as an IPS. It is certainly no substitute for mod_security.