PHPIDS - get it!

Archive for July, 2007

Fighting false alerts

Thursday, July 26th, 2007

The next release of the PHPIDS is close, and this one is dedicated especially to false alerts. Since we are getting tons of data from some of our clients we are able to optimize the rules for more precise detection.

If you have an application running with PHPIDS on top feel free to send us information about the false alerts you have - we are currently building up an automated regression test system for exactly that purpose. The more data we get the better the PHPIDS will be in the near future.

In the meantime we hope you have fun with the PHPIDS 0.3 - by the way the rules in the trunk are always tested before commit so feel free to check them out any time!

.NETIDS v0.1.2.0 released

Thursday, July 19th, 2007

The latest update to .NETIDS has made the grade and is now available for public consumption.

This release features many changes including, but not limited to:

  • Fixed bug of null key object in querystring (thanks to albert)
  • Many improvements to JavaScript fromCharCode decoding:
    • now supports complete mathematical operation set
    • supports decoding from hexadecimal and octal
  • internal changes including quote normalisation
  • Updated filters

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_2_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.

IDS-Test-Suite is Available!

Tuesday, July 17th, 2007

A GreaseMonkey script that lets you test your IDS installation against the latest attack vectors is available here.

The script was written with the following goals in mind:

  • To perform regression tests on the IDS (during the development phase).
  • To perform false positive/negative tests.
  • To let IDS users verify that they are safe against latest attack vectors and are using the latest rule sets.

The script is simple to use:

  • Load the PHPIDS test URL (on your server) in the browser
  • Go to ‘User Script Commands’ option under GreaseMonkey status bar icon and click ‘Run IDS Test’
  • Choose to run either one or all 3 default attack vector files by clicking OK/CANCEL.
  • Choose whether you want to test IDS with POST requests
  • Choose whether you want to test the IDS for false positives or false negatives.
  • After the test completes, the results can be viewed in the Error Console window.

Notes:

  • If the script receives a response code other than 200 for an attack request, this gets reported in the error console.
  • The script injects a parameter named ‘test’ in GET and POST requests.

PHPIDS 0.3 has arrived!

Thursday, July 12th, 2007

After weeks of really hard work and great support in the group and the forum, we finally announce the release of PHPIDS 0.3. We had some tough battles with pretty exotic XSS vectors and optimized lots of the filter rules. We also improved the SQL injection detection and added rules to detect the current Firefox flaws. The internal converter is now able to detect string concatenations, works way better with comments (S/**/E/**/LE/**/CT is no problem anymore for the PHPIDS) and has logic to detect basic algebra inside charcoded strings.

We also worked on the documentation and on the examples - there should be way less trouble to install the PHPIDS - if there ever was ;)

Here’s a list of the major new features:

  • Enhanced concatenation converter
  • Enhanced charcode converter
  • Comment converter and quote normalization
  • A whole bunch of new rules
  • Even more optimized old rules
  • Better documentation and examples
  • A whole CakePHP component package amongst the examples
  • Still no PHP4 support - but PHP4IDS has!
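As an added illustration (not code from PHPIDS, .NETIDS or PHP4IDS, and far cruder than their converters), here is a small PHP script that does in miniature what the converters and the test tooling in these posts are about: it strips inline comments so S/**/E/**/LE/**/CT reads as SELECT, decodes String.fromCharCode() arguments written in decimal, hex or octal with basic arithmetic (the kind of decoding the .NETIDS 0.1.2.0 notes describe), normalises quotes and joins concatenated literals, runs a deliberately tiny rule set over the result, and then replays a labelled sample set to report false positives and false negatives the way a regression suite does. The function names, rule names and all sample inputs are invented for this example.

```php
<?php
// Added illustration for this post (not PHPIDS, .NETIDS or PHP4IDS code): a toy normaliser,
// a tiny rule set and a labelled regression run. All names and samples are invented.
/** Collapse inline comments, so S/**/E/**/LE/**/CT becomes SELECT. */
function stripInlineComments(string $s): string
{
    return preg_replace('#/\*.*?\*/#s', '', $s);
}

/** Parse a decimal (65), hex (0x41) or octal (0101) literal; null if it is none of these. */
function parseNumber(string $t): ?int
{
    if (preg_match('/^0x[0-9a-f]+$/i', $t)) return (int) hexdec(substr($t, 2));
    if (preg_match('/^0[0-7]+$/', $t))      return (int) octdec($t);
    return preg_match('/^[0-9]+$/', $t) ? (int) $t : null;
}

/** Evaluate one fromCharCode argument such as "60+5", "13*5", "130/2" or "0x41". */
function evalCharCodeArg(string $expr): ?int
{
    $tokens = preg_split('#([+\-*/])#', preg_replace('/\s+/', '', $expr), -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $num = []; $ops = [];                               // e.g. ["60", "5"] and ["+"]
    foreach ($tokens as $i => $t) {
        if ($i % 2 === 1) { $ops[] = $t; continue; }
        if (($n = parseNumber($t)) === null) return null;
        $num[] = $n;
    }
    if (count($num) !== count($ops) + 1) return null;  // also rejects "", "6+" and "+5"
    for ($i = 0; $i < count($ops);) {                   // * and / bind tighter
        if ($ops[$i] === '+' || $ops[$i] === '-') { $i++; continue; }
        if ($ops[$i] === '/' && $num[$i + 1] === 0) return null;
        $num[$i] = $ops[$i] === '*' ? $num[$i] * $num[$i + 1] : intdiv($num[$i], $num[$i + 1]);
        array_splice($num, $i + 1, 1);
        array_splice($ops, $i, 1);
    }
    $result = $num[0];                                   // then + and - left to right
    foreach ($ops as $i => $op) $result += $op === '+' ? $num[$i + 1] : -$num[$i + 1];
    return (int) $result;
}

/** Replace String.fromCharCode(...) with the quoted string it builds. */
function decodeCharCode(string $s): string
{
    return preg_replace_callback('/String\.fromCharCode\s*\(([^()]*)\)/i', function (array $m): string {
        $out = '';
        foreach (explode(',', $m[1]) as $arg) {
            $code = evalCharCodeArg($arg);
            if ($code === null || $code < 0 || $code > 255) return $m[0]; // undecodable: leave as-is
            $out .= chr($code);
        }
        return "'" . $out . "'";
    }, $s);
}

/** One quote style, join adjacent literals ('al'+'ert' -> 'alert'), then drop the quotes. */
function normaliseQuotes(string $s): string
{
    $s = str_replace(['"', '`'], "'", $s);
    $s = preg_replace('/\'\s*(?:\+|\|\||\.)\s*\'/', '', $s);   // JS +, SQL ||, PHP .
    return str_replace("'", '', $s);
}

const RULES = [
    'xss_alert'   => '/\balert\s*\(/i',
    'xss_script'  => '/<\s*script\b/i',
    'sqli_union'  => '/\bunion\b[\s\S]*\bselect\b/i',
    'sqli_select' => '/\bselect\b[\s\S]*\bfrom\b/i',
];

/** Names of the (deliberately few) rules that fire on the normalised input. */
function detect(string $input): array
{
    $normalised = normaliseQuotes(decodeCharCode(stripInlineComments($input)));
    $hits = [];
    foreach (RULES as $name => $re) {
        if (preg_match($re, $normalised)) $hits[] = $name;
    }
    return $hits;
}

/** Labelled regression run: which inputs did the IDS flag that it should not, and vice versa? */
function runRegression(array $cases): array
{
    $report = ['false_positives' => [], 'false_negatives' => []];
    foreach ($cases as $case) {
        $flagged = detect($case['input']) !== [];
        if ($flagged && !$case['malicious'])  $report['false_positives'][] = $case['input'];
        if (!$flagged && $case['malicious'])  $report['false_negatives'][] = $case['input'];
    }
    return $report;
}
// Constructed samples, not data from any real deployment.
print_r(runRegression([
    ['input' => '1 UNION S/**/E/**/LE/**/CT password FROM users',      'malicious' => true],
    ['input' => "String.fromCharCode(0x61,0154,60+41,114,116)+'(1)'", 'malicious' => true],
    ['input' => "'al'+'ert'(document.cookie)",                         'malicious' => true],
    ['input' => '<svg/onload=confirm(1)>',                             'malicious' => true],  // evades this rule set
    ['input' => 'Please select a date from the calendar',              'malicious' => false], // trips sqli_select
]));
```

Run it with the php command-line binary: the report lists the harmless calendar sentence as a false positive of the toy sqli_select rule and the event-handler vector as a false negative, which is exactly the pair of findings a regression suite is meant to surface before a rule change ships. The first three inputs are only caught because the normalisation runs before the rules; try commenting out a converter step and watch them move into the false_negatives list.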

The PHPIDS team hopes you like the new packages and especially thanks Kishor, SirDarckCat, Ronald v.d. Heetkamp and Giorgio Maone for their great support.

PHP4IDS 0.1 released

Wednesday, July 11th, 2007

I’m glad to announce that PHP4IDS 0.1 is released. PHP4IDS is a port of PHPIDS for use with PHP4. The current version is based on PHPIDS 0.2.3 and includes the filter definition file from that release.

There are some issues users should be aware of:

  • due to the origin of this port (a large project), the naming convention had to be changed, so the classes have different names in this version
    • IDS_Report => IDSReport
    • IDS_Converter => IDSConverter
    • IDS_Event => IDSEvent
    • IDS_Monitor => IDSMonitor
    • IDS_Filter_Storage_Abstract => IDSStorageProvider as baseclass and IDSSimpleStorageProvider as a class providing the same functionality as the IDS_Filter_Storage_Abstract (specify an array of filters in the constructor)
    • IDS_Filter_Storage => IDSXmlStorageProvider providing only xml-storage capabilities
    • IDS_Filter_Abstract => IDSFilter
    • IDS_Filter_Regexp => IDSRegexpFilter
  • also due to the naming convention, all method names are pascal-case (and not camel-case)
  • the logging facility has been dropped
  • the class inheritance structure has been slightly modified in case of the IDSStorageProvider
  • JSON support has been dropped because PHP4 lacks the JSON extension (and I had no use for a JSON-storage)
  • this version requires PHP 4 >= 4.2.0 because the IDSXmlStorageProvider uses the DOM XML extension, which is not bundled with PHP5. Therefore PHP4IDS in its current version (specifically the IDSXmlStorageProvider) cannot be considered PHP5 compatible!

I hope that users will nevertheless find PHP4IDS useful in PHP4-only environments.

With upcoming versions we’ll refactor PHP4IDS so that it incorporates the logging facility, and perhaps change the naming convention back to be compatible with current releases of PHPIDS.

The download of version 0.1 is available in the downloads section or via SVN http://php4ids.googlecode.com/svn/trunk/