PHP based Intrusion Detection System
This is one of the first things that Mario started to implement when he arrived here at Ormigo. It's now called phpids and is available for all to use, and it is already gaining some traction with the security crowd. The point is that we handle a lot of personal data here at Ormigo, so we want to be as sure as we can that it is safe.
What phpids does is watch the requests coming into a PHP-based application, pick out the suspicious ones and assign each of them an escalation state. Based on that state it can, or rather can be configured to, take certain actions: fully deny access from the offending IP, replace the page for that user with nothing but a warning, do nothing except log, send out email alerts, whatever you decide. It's there to make sure that you are not running blind. Holes in the application are bound to happen; the biggest problem is not knowing about them.
You can check out the code right here on Google Code, join the Google Group, or simply run the Smoketest. Have fun, and be sure to report back.
Since the release there has already been some international coverage, and this is just the start. Obviously this adds overhead, but let's see where it takes us; from a management perspective you do need to weigh the potential cost of a breach of your application against the possible cost of a few more servers.
I am looking forward to seeing more people take it up and contribute back into the project.
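The escalation model described above, as an added example that is not phpids' own code: a small monitor that scores each request parameter against weighted rules, accumulates the impact per client address, and maps the running total to the action the application should take. The rule set, weights, thresholds, per-address accumulation and the sample traffic are all constructed assumptions for this illustration.

```php
<?php
// Illustration of a weighted-rule monitor with per-client escalation (constructed example,
// not PHPIDS code): rules, weights, thresholds and sample traffic are made up for this demo.
final class RequestMonitor
{
    /** @var array<string, array{0: string, 1: int}> rule name => [regex, impact weight] */
    private array $rules = [
        'html_tag'       => ['/<\s*\/?\s*[a-z][^>]*>/i', 3],
        'script_handler' => ['/\bon(error|load|click|mouseover)\s*=|javascript:/i', 4],
        'sql_union'      => ['/\bunion\s+(all\s+)?select\b/i', 5],
    ];
    /** @var array<string, int> accumulated impact per client address */
    private array $perClient = [];
    /** Score every parameter of one request; returns the impact and the rules that fired. */
    public function inspect(array $params): array
    {
        $impact = 0; $hits = [];
        foreach ($params as $name => $value) {
            foreach ($this->rules as $rule => [$regex, $weight]) {
                if (preg_match($regex, (string) $value)) {
                    $impact += $weight;
                    $hits[] = "$name:$rule";
                }
            }
        }
        return ['impact' => $impact, 'hits' => $hits];
    }
    /** Add a request's impact to the client's running total and return the state to act on. */
    public function escalate(string $clientIp, int $impact): string
    {
        $total = $this->perClient[$clientIp] = ($this->perClient[$clientIp] ?? 0) + $impact;
        if ($total >= 10) return 'block'; // deny further access from this address
        if ($total >= 4)  return 'warn';  // replace the page with a warning
        if ($total >= 1)  return 'log';   // serve the page, but record the event
        return 'none';
    }
}
// Constructed sample traffic: a benign search, then two requests from one client whose impact adds up.
$monitor = new RequestMonitor();
$traffic = [
    ['198.51.100.7', ['q' => 'red shoes size 42']],
    ['203.0.113.9',  ['comment' => '<b>nice</b>']],
    ['203.0.113.9',  ['comment' => '<a href="javascript:go()">x</a>']],
];
foreach ($traffic as [$ip, $params]) {
    $r = $monitor->inspect($params);
    printf("%s impact=%d state=%s hits=%s\n", $ip, $r['impact'],
        $monitor->escalate($ip, $r['impact']), implode(',', $r['hits']) ?: '-');
}
```

The third request on its own would only reach the warning threshold, but together with the earlier request from the same address it crosses the blocking threshold, which is the kind of per-client escalation the post describes. Tuning the weights is where the false-alert trade-off lives: a rule like html_tag fires on harmless markup too, so it carries a low weight and only log-level consequences by itself.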

Thanks for commenting. I'm happy that obviously so many people like what Mario and I are doing, and I honestly hope that this will at least help a bit to improve the overall quality of PHP applications out there, once we've published a final version.
The latter is going to happen in the near future; however, we're still working on the SQL injection patterns. There are in fact some ways to detect such attacks, but it's quite difficult to find a way without getting too many false alerts.
So while XSS or CSRF attacks can be taken care of by static rules, we might have to implement a bit of intelligence into the system regarding SQL injections.
Anyway, we'll keep the public updated.
Regards, Christian