PHP-IDS

PHP-IDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.

  1. PHP-IDS: You can’t be what you aren’t
  2. What is an IDS?
     • “Intrusion Detection System”
     • Not made to prevent intrusions, only to detect them
     • Resulting actions are up to you
     • For this reason, IDSs tend to have many false positives (“Better safe than sorry”)
  3. What is PHP-IDS?
     • An IDS made for and in PHP
     • A collection of blacklist filters
     • Uses regular expressions to detect intrusions
     • Fairly robust, but still needs a lot of work
  4. The Good
     • Can log to file/database/other, send e-mails
     • Allows you to choose what to do about potential intrusions
     • Has some flexibility in what gets detected
     • General configuration can be overridden
     • auto_prepend_file can add it to everything
     • Demo on the site can be used for testing
  5. The Bad
     • Hardly any documentation
     • More or less requires a change to the include path; paths can be a bit obscure
     • No protection from separated XSS injections
     • Doesn’t protect you from everything (e.g. the WP array attack)
     • Examples show GET, POST and COOKIE (and REQUEST!) lumped together, but do warn about array_merge
  6. The Ugly
     • It’s only an IDS, not an IPS
     • It’s not a whitelist!
     • Lots of false positives to worry about
  7. False positives
     • Unrelated blocks of text that contain specific common punctuation and/or “reserved” words, e.g. L’or!
     • The longer and more varied the text is, the more likely it is to trigger a false positive
  8. False negatives
     • Haven’t found any yet, so there’s that going for it at least…
  9. Conclusion
     • Makes a nice addition to existing security measures
     • Useful, as an IDS, for tracking users attempting to abuse the system
     • Even altered to function as an IPS, it needs more work before it can be used alone
     • Cannot be relied on yet as an IPS
     • Not a substitute for Apache’s mod_security
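As an added example (not code from the slides or from the PHP-IDS project), this is how the detection layer from slides 2, 4 and 5 can be wired into a page: each input source stays under its own key instead of being array_merge'd, every hit is logged, and the response to a hit is a local policy decision. It assumes the 0.6-era class names (IDS_Init, IDS_Monitor, IDS_Log_File, IDS_Log_Composite), placeholder install paths, and an impact threshold of 30 chosen only for illustration.

```php
<?php
// Added example: PHP-IDS as a detection layer in front of a page.
// Include path and config path are placeholders for your install;
// the impact threshold below is a local policy choice, not a library default.
set_include_path(get_include_path() . PATH_SEPARATOR . '/path/to/phpids/lib');
require_once 'IDS/Init.php';
require_once 'IDS/Monitor.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

// Keep each input source under its own key. array_merge($_GET, $_POST, $_COOKIE)
// lets a later source overwrite an earlier key with the same name, so a
// suspicious value in one source can be hidden by a harmless one in another.
$request = array(
    'GET'    => $_GET,
    'POST'   => $_POST,
    'COOKIE' => $_COOKIE,
);

$init   = IDS_Init::init('/path/to/phpids/lib/IDS/Config/Config.ini'); // placeholder path
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();                       // IDS_Report: one IDS_Event per matching filter

if (!$result->isEmpty()) {
    // The IDS part: always record what was seen, with the summed impact score.
    $log = new IDS_Log_Composite();
    $log->addLogger(IDS_Log_File::getInstance($init));
    $log->execute($result);

    // The "action is up to you" part. Only a high combined impact stops the
    // request; low scores are logged only, so free text such as "L'or!" that
    // trips a single punctuation rule does not lock out a legitimate user.
    if ($result->getImpact() >= 30) {        // threshold chosen for illustration
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}
```

Because PHP-IDS is blacklist based, the threshold only trades false positives against false negatives; it does not turn the layer into a whitelist or replace mod_security.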