• Version set correctly on assembly (thanks to Albert)
• Moved scanning by SecurePage into Page_Init (thanks to Albert)
• Added new properties to SecurePage that include PostExclusions, GetExclusions, HeaderExclusions and CookieExclusions so that you can choose to exclude say “host” only from headers you can use HeaderExclusions. Of course you can still exclude from all scanners by using Exclusions.
• The event handler is no longer an abstract field meaning that you must change your declaration of public override void IDSEventHandler(Report report, SecurePage SecurePage) so that it does NOT override the base method (as this no longer exists). Instead you must declare public void IDSEventHandler(Report report, SecurePage SecurePage) and then wire this up to the event handler of the SecurePage object in Page_Init: OnIDSEvent += IDSEventHandler; This change is handy because it means that you can easily centralize IDS detection by specifying the same method for each handler rather than having hard to maintain, code duplicating methods in each page.
• ViewStateUserKey is no longer set by SecurePage. The same goes for caching values.
• Changed style of error output to conform to throw rather than re-writing page.
• Updated filter rules.

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_3_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.

This release features many changes including, but not limited, to:

• Fixed bug of null key object in querystring (thanks to albert)
• Many improvements to JavaScript fromCharCode decoding:
  • now supports complete mathematical operation set
  • supports decoding from hexademical and octal
• internal changes including quote normalisation
• Updated filters

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_2_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.

The script was written with following goals in mind,

• To perform regression tests on the IDS (During development phase).
• To perform false positive/negative tests.
• To let IDS users verify that they are safe against latest attack vectors and are using the latest rule sets.

The script is simple to use,

• Load the PHPIDS test URL (on your server) in the browser
• Go to ‘User Script Commands’ option under GreaseMonkey status bar icon and click ‘Run IDS Test’
• Choose to run either one or all 3 default attack vector files by clicking OK/CANCEL.
• Choose whether you want to test IDS with POST requests
• Choose whether want to test the IDS for false positives or false negatives.
• After the test completes, the results can be viewed in the Error Console window.

Notes:

• If the script finds a response code other than 200 on attack, it gets reported in the error console.
• The script injects a parameter named ‘test’ in GET and POST requests.

• Fixed bug of empty Report.Tags object
• Added options to SecurePage to disable each type of scanning
• Updated filters

Most significantly this means that you can control whether page Output Scanning is performed from a SecurePage derived page. For those who are unaware, SecurePage is the simplest inbuilt way of scanning a page in .NETIDS. Simply inherit your page from SecurePage:

public partial class _Default : DOTNETIDS.SecurePage {

and add the method

public override void IDSEventHandler(DOTNETIDS.Report report, DOTNETIDS.SecurePage SecurePage)

This will ensure that your page is scanned in a secure-by-default fashion and also gives the option to disable each type of scan and add exclusions.

The latest package is available at the dotnetids homepage: http://code.google.com/p/dotnetids/

Featured in this release:

• automatic String.fromCharcode conversion and detection
• new and optimized filter rules
• improved halfwidth/fullwidth encoding detection
• enhanced UTF7 converter
• enhanced nullbyte detection
• page output/fragmented XSS scanning

Project home: .NETIDS

Binary: http://dotnetids.googlecode.com/files/dotnetids-src-0_1_0_0.zip
Source: http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_0_0.zip
Documentation: http://www.the-mice.co.uk/dotnetids/docs/
Forum: http://forum.php-ids.org/?CategoryID=9

Many thanks to all who made this possible!

The whole thing is explained in more detail here, but in the mean time check out these SmokeTests:

Test1

Test2

As always please let us know if you manage to either bypass detection or trigger a false positive!