In one of my last posts I shared some information about PHP-IDS (the PHP Intrusion Detection System project) with you. In this article, I would like to share a few lines of code that will enable you to easily integrate PHP-IDS into your Zend Framework project. Furthermore, this little plugin allows you to easily define how to deal with possible attacks (e.g., send an email to the admin, write a log entry, or redirect the attacker to a special page).
Get the Source code
You may download the source code here (Google Code).
If you would like to use SVN to check out the latest version, use the following command: svn checkout http://zids.googlecode.com/svn/trunk/ zids-read-only
What is ZIDS?
Basically, PHP-IDS takes all input passed to your website and analyzes it for potential security issues. Simplified, the result is a number called the impact. The higher the impact, the more likely the input contains an attack against your website. For instance, if the impact is zero, the input can be considered safe. If the impact is less than 10, the input may be a first attempt to attack your website. If the impact is above 50 you definitely should do something…
ZIDS enables you to easily integrate PHP-IDS in your Zend Framework project. It allows you to define different levels of attack: ‘unlikely’, ‘likely’, ‘very likely’ and ‘attack’.
For each level you may define:
- an interval that defines how the impact will be categorized, e.g. an impact of 0-10 will be considered an ‘unlikely’ attack.
- how to deal with an attack, e.g. ignore the attack, log the attack, send an email to the admin, or redirect the user to a special page (controller/action)
Furthermore, you may enable aggregation of all impacts within the session. This is useful, as an attacker will usually start analyzing your website with a series of “small” attacks, i.e. attacks with an impact below 15. If you enable aggregation, four attacks with an impact of 5 will aggregate to an attack with an impact of 20 (5 + 5 + 5 + 5).
Here is a sample configuration for ZIDS that should clarify how to use ZIDS in your project:
; ==============================================================================
; THIS IS A SAMPLE CONFIGURATION THAT YOU MAY COPY&PASTE TO YOUR APPLICATION.INI
; ==============================================================================
[production]
; ----- ZIDS
; ZIDS uses PHP-IDS to analyze each request. The impact of a request is
; an integer value returned by PHP-IDS that indicates the severity
; of the attack. The higher the impact, the more likely the request was an attack!
;
; ZIDS currently supports 4 levels to categorize a potential attack.
; Each level (except 'attack') has two options:
;   upto   = indicates the upper bound for the impact to fall into this level
;            EXAMPLE I:  'unlikely.upto = 5' means that all requests with an impact below 5
;                        will fall into the level 'unlikely'.
;            EXAMPLE II: 'unlikely.upto = 5' and 'likely.upto = 20' means that all requests
;                        with an impact below 5 will fall into the level 'unlikely' and all requests
;                        with an impact between 5 (the upper bound of the unlikely level) and 20 will
;                        fall into the level 'likely'
;   action = defines how to deal with potential attacks that fall into this level.
;            currently, ZIDS supports four different actions
;              ignore   = simply ignore the attack
;              log      = write a log entry
;              email    = send an email to the admin of the website
;              redirect = stop the request and redirect the user to a different controller/action
; ~~~
; This example setup defines that an impact
;    0 -  5 is being considered as 'unlikely'.
;           ZIDS will ignore all attacks of this category.
;    6 - 25 is being considered as 'likely'.
;           ZIDS will log all attacks of this category.
;   26 - 50 is being considered as 'very likely'.
;           ZIDS will log all attacks of this category and send an email to the admin.
;      > 50 is being considered as 'attack'.
;           ZIDS will log all attacks of this category, send an email to the admin and
;           redirect the user to a special page.
; ~~~
zids.level.unlikely.upto = 5
zids.level.unlikely.action = ignore
zids.level.likely.upto = 25
zids.level.likely.action = log
zids.level.verylikely.upto = 50
zids.level.verylikely.action = log, email
zids.level.attack.action = log, email, redirect
; ~~~
; if aggregate_in_session = true, ZIDS will aggregate the impact of each attack in the session.
; For instance, if the attacker submits a request with an impact of 5, and later on submits a
; request with an impact of 10, the second request will be treated as a request with an impact
; of 15 (= 5 + 10).
; ~~~
zids.aggregate_in_session = true
; ~~~
; defines the redirect target for the 'redirect' action
; ~~~
zids.redirect.module = default
zids.redirect.controller = index
zids.redirect.action = attack
; ~~~
; defines which items should be logged or put into the email that will be sent to the admin
; currently, ZIDS supports four items:
;   ip        = the IP of the attacker
;   impact    = the impact of the attack
;   tags      = the list of affected tags, e.g. sqli (for SQL injections), xss, lfi, ...
;   variables = the variables in the request that contained the potential attack
; ~~~
zids.log.items = ip, impact, tags, variables
; ~~~
; defines which requests should be ignored by ZIDS. If the request is in the array of
; requests defined here, ZIDS will simply not check or do anything.
; ~~~
zids.ignore.requests.module.0 = default
zids.ignore.requests.controller.0 = index
zids.ignore.requests.action.0 = sidebar
; ~~~
; Path to your PHP-IDS config file
; ~~~
zids.phpids.config = APPLICATION_PATH "/library/phpids-0.6.4/lib/IDS/Config/Config.ini.php"
; ~~~
; you may either use the 'email' option in the ZIDS_Plugin_Ids constructor, or the setMail() method,
; or use these parameters to define how to send an email to the admin, in case of an attack with
; a defined 'email' action
; ~~~
zids.email.smtp.auth = "login"
zids.email.smtp.username = "username"
zids.email.smtp.password = "password"
zids.email.smtp.host = "yourprojecthost"
zids.email.from = "firstname.lastname@example.org"
zids.email.to = "email@example.com"
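As an added PHP example (not code from the ZIDS project), the following reproduces the level lookup and the session aggregation that the configuration above describes; the `$levels` array, `classifyImpact()`, `effectiveImpact()` and the plain `$session` array are assumptions that mirror the sample settings, not ZIDS's real internals.

```php
<?php
// Added example, not code from ZIDS or PHP-IDS: reproduces the impact-to-level
// lookup and the session aggregation described in the sample application.ini,
// so the mapping impact -> level -> actions can be checked outside Zend.

// Levels in ascending order, mirroring the sample config; 'attack' has no
// 'upto' and catches every impact above the last bound (assumed structure).
$levels = [
    'unlikely'   => ['upto' => 5,    'action' => ['ignore']],
    'likely'     => ['upto' => 25,   'action' => ['log']],
    'verylikely' => ['upto' => 50,   'action' => ['log', 'email']],
    'attack'     => ['upto' => null, 'action' => ['log', 'email', 'redirect']],
];

// Return the first level whose upper bound the impact does not exceed:
// 0-5 'unlikely', 6-25 'likely', 26-50 'verylikely', above 50 'attack'.
function classifyImpact(int $impact, array $levels): array
{
    foreach ($levels as $name => $level) {
        if ($level['upto'] === null || $impact <= $level['upto']) {
            return ['level' => $name, 'actions' => $level['action']];
        }
    }
    throw new LogicException('no catch-all level configured');
}

// aggregate_in_session: the impact that gets classified is this request's
// impact plus the sum already stored in the session. $session is an assumed
// plain array standing in for a Zend_Session namespace.
function effectiveImpact(int $impact, array &$session, bool $aggregate): int
{
    if (!$aggregate) {
        return $impact;
    }
    $session['impact'] = ($session['impact'] ?? 0) + $impact;
    return $session['impact'];
}

// Four "small" probes of impact 5: on their own each is 'unlikely' and ignored;
// aggregated, the running total passes 5 on the second probe and is logged as
// 'likely' from then on (20 after the fourth, as the article describes).
$session = [];
foreach ([5, 5, 5, 5] as $probe) {
    $total  = effectiveImpact($probe, $session, true);
    $result = classifyImpact($total, $levels);
    printf("impact %d (aggregated %d) -> %s: %s\n",
        $probe, $total, $result['level'], implode(', ', $result['actions']));
}
```

Running the same four probes with aggregation set to false keeps every request at impact 5 and therefore in the ignored 'unlikely' level, which is exactly the blind spot the aggregate_in_session option closes.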
Download the code and follow the instructions given in the README.TXT file…