To ensure, that always the exactly same versions of the dependencies were installed, the composer.lock should be versionized too. From time to time

php composer.phar update

should update the lock-file

// Before
$monitor = new Monitor($request, $init);
$monitor->run();
// After
$monitor = new Monitor($init);
$monitor->run($request);

Allows to

• reuse of a monitor instance
• prepare a monitor instance before it is used (for example in an environment, that makes use of a dependency injection container)

Hi everyone,

I'm using PHPIDS for security monitoring and collect attacking events for analysing system. So, I found that PHPIDS need to log more and more infomation about attacker's behaviors.

I wrote a few lines of code to improve database logger, then PHPIDS can log POST payload, it should be convenient for auditing and learning on attacker's behaviors.

Thanks and regards.

I have rewrote the code base to follow PSR-1 and PSR-2 coding standards. Job is not complete because standard says that you should declare a class or include classes but don't do both in one file. Meaning you should use autoloader instead of including files in every second file. There is also one other issue and that is with config.ini.php file. Error message with that is "End of line character is invalid; expected "\n" but found "\r\n" on line 1". Maybe just remove the first line of the file and you could also rename the file to config.ini and remove the .php extension...

Most are minor and small non-functional ("styling") changes. I've left the commits as they are to make things more clear, but I would like to squash it before merge. Every commit has a comment.

• @a51875b6 Is there is a reason, why in line 389 and following the $value gets encoded and decoded over and over again?
• I found a test, that simply didn't worked. I refactored it into 3 separate tests (@c63f6c6), but now 2 of those fails, because Filter::__construct() doesn't validate the arguments at all, but exactly this was, what the tests should ensure. I've marked them as skipped for now (I think "incomplete" would have been the better choice :X).

And a question at the end: I've seen many many preg_*()-calls. Couldn't some of them get replace by str_replace()? Or (because this is the first thing, that comes to my mind) are there any issues with special characters?

Enough for now :smile:

Rule 45 can't be parsed - I spent a bit of time on the expression, but can't nail down the problem.

<filter>
    <id>45</id>
    <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule>
    <description>Detects basic SQL authentication bypass attempts 2/3</description>
    <tags>
        <tag>sqli</tag>
        <tag>id</tag>
        <tag>lfi</tag>
    </tags>
    <impact>7</impact>
</filter>

Defeats the two bypasses described on youtube: https://www.youtube.com/watch?v=mcQYnHMg7E4 https://www.youtube.com/watch?v=l7f8f2AQ-rA

Fix filter xml descriptions so that tests pass Add check for magic quotes on test to get correct impact

I'm using the snippet/module for modx from Stefanie Stölting. At the moment there are attacks comming from different IP-addresses

202.46.50.101 202.46.61.106 202.46.63.65

I would like to make only one entry to block every attack coming from 202.46..

Is there a regular expression?

I'm not familiar with regex....

Thank you for your help.

Sepppl

Current unit tests are broken. Going to fix them before refactoring existing code:

[jay] /var/www/git/PHPIDS] (master)>  phpunit -c phpunit.xml.dist 
PHPIDS TestSuite configuration:

Filter type:            xml
Filter set:             /var/www/git/PHPIDS/lib/IDS/default_filter.xml
Temporary directory:    /tmp/IDS_1360097980.7309
Configuration:          /var/www/git/PHPIDS/lib/IDS/Config/Config.ini.php

PHPUnit 3.6.10 by Sebastian Bergmann.

Configuration read from /var/www/git/PHPIDS/phpunit.xml.dist

..EE............................................................. 65 / 99 ( 65%)
..................................

Time: 01:04, Memory: 20.00Mb

There were 2 errors:

1) IDS\Tests\CachingTest::testCachingFileSetCache
Exception: Temp directory tmp/default_filter.cache seems not writable

/var/www/git/PHPIDS/lib/IDS/Caching/FileCache.php:134
/var/www/git/PHPIDS/tests/IDS/Tests/CachingTest.php:53

2) IDS\Tests\CachingTest::testCachingFileGetCache
Exception: Temp directory tmp/default_filter.cache seems not writable

/var/www/git/PHPIDS/lib/IDS/Caching/FileCache.php:134
/var/www/git/PHPIDS/tests/IDS/Tests/CachingTest.php:63

FAILURES!
Tests: 99, Assertions: 2259, Errors: 2.

Generating code coverage report, this may take a moment.

As of now filters will only be collected in an array when there is no cached representation of them which preserves memory.

The cached content will only be written when no cache was found which preserves IO on each request in case the cache is already hot.

Looks like the documentation is not up to dated. The code snippet on https://phpids.org/faq/ is wrong as the new code uses namespace

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = IDS_Init::init('IDS/Config/Config.ini');
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
  }

It should be:

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = \IDS\Init::init('IDS/Config/Config.ini');
  $ids = new \IDS\Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
  }

there exists a ReDOS vulnerability for the following input:

///////////////////////////////////////////////////////////////////////////////////=>

about 4K of ///// = 30 seconds parse time on an AWS T2 Micro

Let me know if I can help you guys dig into this denial of service vulnerability.

It's unable to write to the default_filter.cache which for some reason changes user:group to root:root sometimes after I copy over files from my local editor (in Mac) to the external Linux box through FTP (which also changes those files' user:group to root:root even though I set the docroot's files recursively to user lighttpd).

The source code is below (version 0.5.6) and of course the path to it is in the page error below that; I don't know why this is happening or how to prevent any of the files being changed to root user:

        if (file_exists($this->path) && !is_writable($this->path)) {
            throw new Exception('Make sure all files in ' . 
            htmlspecialchars($this->path, ENT_QUOTES, 'UTF-8') . 
                'are writeable!');
        }

We apologize, but an error occurred while processing your booking. Please try your search again. If the problem continues to occur, please contact us.

Date/Time 2018-07-10 04:56:09 PM URL / Script /index.html Server 192.168.xx.xx IP Address 192.168.x.xxx Browser Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Exception exception 'Exception' with message 'Make sure all files in /var/www/html/xxx/libraries/phpids/lib/IDS/tmp/default_filter.cacheare writeable!' in /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/File.php:99 Stack trace: #0 /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/File.php(116): IDS_Caching_File->__construct('storage', Object(IDS_Init)) #1 [internal function]: IDS_Caching_File::getInstance('storage', Object(IDS_Init)) #2 /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/Factory.php(80): call_user_func(Array, 'storage', Object(IDS_Init)) #3 /var/www/html/xxx/libraries/phpids/lib/IDS/Filter/Storage.php(106): IDS_Caching::factory(Object(IDS_Init), 'storage') #4 /var/www/html/xxx/libraries/phpids/lib/IDS/Monitor.php(189): IDS_Filter_Storage->__construct(Object(IDS_Init)) #5 /var/www/html/xxx/libraries/ids.php(33): IDS_Monitor->__construct(Array, Object(IDS_Init)) #6 /var/www/html/xxx/index.html(30): include_once('/var/www/html/e...') #7 {main}

We have a form where visitors can simply enter week numbers in a single text input. IDS/Converter converts the string 28,29,30,31,32,33,34,35 to 28,29,30,31,32,33,34,35  !"# $[!!!] (bin2hex is 32382c32392c33302c33312c33322c33332c33342c33350a1c1d1e1f20212223). The last line is added by runCentrifuge The middle one is added by convertFromJSCharcode (perhaps one character is added by another method, could have been a fluke).

convertFromJSCharcode is checking exactly for comma separated char codes.

The problem is of course that 22,23,24, etc, when long enough, is perfectly valid form data. I guess this simply can't be fixed. Because it is also potential bad data.

Hello! Please, help me!

I'm try use in config.ini: exceptions[] = /POST.visual_PROPx82_x_([0-9]*)$/

But i have error: Fatal error: Uncaught exception 'Exception' with message 'Please make sure the folder is writable' in /home/a/artema9p/phpids2/lib/IDS/Monitor.php:217 Stack trace: #0 /home/a/artema9p/phpids2/phpids.php(89): IDS_Monitor->__construct(Array, Object(IDS_Init)) #1 {main} thrown in /home/a/artema9p/phpids2/lib/IDS/Monitor.php on line 217

It's normal?