Feature #4221

Integrate PHP Intrusion Detection System

Added by Yannick Warnier about 10 years ago. Updated about 10 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 14/01/2012
Due date:
% Done: 0%
Estimated time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

PHPIDS (https://phpids.org/2011/08/26/phpids-0-7-%E2%80%9Dsummer-breeze%E2%80%9D-is-out/) is an Intrusion Detection System that can be very easily put in place: it executes before any code and checks the user input (GET, POST, REQUEST, SERVER) for anything suspicious.

If it detects some kind of attack attempt, it reports it (either in the database, in a file or by e-mail, or any combination of these).

I think it would be great to have this additional level of reporting and record it inside a new tracking table. If we could put this together with an optional feature to report it to a central Chamilo database, we could be advised on all the suspicious things people try to do on portals of our community and try to make Chamilo better.

There is an integration guide here: http://www.howtoforge.com/intrusion-detection-for-php-applications-with-phpids

The idea would be to (1) create a new table to register attacks, (2) add two new settings to the admin security tab, (3) optionally include the IDS library in global.inc.php:

Database table

This is a proposal that might have to be

CREATE TABLE track_intrusion(
  id int unsigned not null auto_increment,
  type int unsigned not null default 0,
  message text,
  PRIMARY KEY (id) -- MySQL requires an auto_increment column to be a key
);

Admin settings

insert into settings_current values ('intrusion_detector_enable',NULL,'radio','Security','false','IntrusionDetectorEnableTitle','IntrusionDetectorEnableComment',NULL,NULL,1),
('intrusion_detector_report_url',NULL,'text','Security','http://report.chamilo.org/ids/','IntrusionDetectorURLTitle','IntrusionDetectorURLComment',NULL,NULL,1);

insert into settings_options values
('intrusion_detector_enable', 'true', 'Yes'),
('intrusion_detector_enable', 'false', 'No');

The text should be (in English):
$IntrusionDetectorEnableTitle = "Intrusion detection system";
$IntrusionDetectorEnableComment = "Enabling the intrusion detection system might impact your performance slightly, but will ensure a large majority of security threats (even failed ones) will be reported, so you can analyse them and act to reduce the risk.";
$IntrusionDetectorURLTitle = "Intrusion detection report URL";
$IntrusionDetectorURLComment = "When the intrusion detector is enabled, it is possible to configure your portal so that any intrusion attempt will be reported directly to Chamilo, thus improving the capacity of the development team to protect Chamilo against new threats. You can also set it up to report the threats to one of your (or your provider's) webservices. See http://report.chamilo.org/ids/doc/ to learn what API your webservice should provide in order to do that. The default value for this option is http://report.chamilo.org/ids/. Leave empty to disable.";

Inclusion into global.inc.php

See inclusion code as described in http://www.howtoforge.com/intrusion-detection-for-php-applications-with-phpids
The included script should look something like this (with database logging code to be added):

<?php
  $lib = api_get_path(LIBRARY_PATH);
  require_once $lib.'/ids/init.php';

  // User-controlled input handed to the monitor
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = IDS_Init::init($lib.'/ids/config/config.ini');
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
    // Take a look at the result object
    // (debug output only: on a live portal this shows the detection details to the client)
    echo $result;

    // Paths must match where the PHPIDS library is unpacked under the library directory
    require_once $lib.'IDS/Log/File.php';
    require_once $lib.'IDS/Log/Composite.php';

    // Write the report through the file logger
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);
  }
?>
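
One way to write the database logging step that the script above leaves open, as an added example (not code from Chamilo, PHPIDS or the ticket). It assumes a PDO connection and the proposed track_intrusion table, and stores the report's total impact in `type`, which the ticket does not define; the function names, the Demo* classes and the SQLite table are constructed stand-ins.

```php
<?php
// Added example: not Chamilo or PHPIDS code.
// Assumptions: $report is the IDS_Report returned by IDS_Monitor::run();
// `type` holds the report's total impact (the ticket leaves this column undefined).

function ids_report_to_message($report, $maxLen = 512)
{
    $lines = array();
    foreach ($report as $event) { // IDS_Report yields one IDS_Event per flagged parameter
        $value = (string) $event->getValue();
        if (strlen($value) > $maxLen) {
            $value = substr($value, 0, $maxLen).'[truncated]'; // cap the stored row size
        }
        $lines[] = sprintf('%s (impact %d): %s', $event->getName(), $event->getImpact(), $value);
    }
    return implode("\n", $lines);
}

function ids_log_to_database(PDO $pdo, $report)
{
    // The payload is attacker-controlled: bind it, never concatenate it into SQL.
    $stmt = $pdo->prepare('INSERT INTO track_intrusion (type, message) VALUES (:type, :message)');
    $stmt->bindValue(':type', (int) $report->getImpact(), PDO::PARAM_INT);
    $stmt->bindValue(':message', ids_report_to_message($report), PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed stand-ins for IDS_Event / IDS_Report so the example runs without PHPIDS.
class DemoEvent
{
    public function getName() { return 'GET.q'; }
    public function getValue() { return "1' OR '1'='1"; } // constructed sample input
    public function getImpact() { return 7; }
}
class DemoReport extends ArrayIterator
{
    public function getImpact() { return 7; }
}

// In-memory SQLite stands in for the portal database (same columns, SQLite syntax).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE track_intrusion (id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL DEFAULT 0, message TEXT)');
ids_log_to_database($pdo, new DemoReport(array(new DemoEvent())));
$row = $pdo->query('SELECT type, message FROM track_intrusion')->fetch(PDO::FETCH_ASSOC);
// Stored messages contain hostile input: escape them wherever they are displayed.
echo htmlspecialchars($row['type'].' | '.$row['message'], ENT_QUOTES, 'UTF-8'), "\n";
```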
