celextel, posted April 29, 2010:

PHP Intrusion Detection System for osCommerce
Module to include PHPIDS into osCommerce to Log and Prevent Intrusions
http://addons.oscommerce.com/info/7368

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.
celextel (author), posted April 29, 2010:

Additional note: this module [front end] automatically creates the database during its first call. Access the website pages and do the testing as mentioned by us, after installing the catalog portion, before going to the admin for accessing the log report.
celextel (author), posted April 29, 2010:

This module [front end] automatically creates the database during its first intrusion [test] call.
MrPhil, posted April 29, 2010:

Is it really only for osC 2.1? That's quite ancient. Can you describe a bit more of what it does -- does it only look at user form input with attempts at injecting PHP or MySQL code, or does it detect unauthorized changes to files coming from other sources (such as a compromised password or server)? Does it detect attempts to run arbitrary PHP scripts from the browser? Does it detect injection attacks via URL Query Strings? What are its selling points compared to other security measures already available for osC (in other words, why should I use yours instead of theirs)? Does it work in conjunction with other security measures (filling a gap in security), or does it replace others?
celextel (author), posted April 30, 2010:

> Is it really only for osC 2.1? That's quite ancient. Can you describe a bit more of what it does -- does it only look at user form input with attempts at injecting PHP or MySQL code, or does it detect unauthorized changes to files coming from other sources (such as a compromised password or server)? Does it detect attempts to run arbitrary PHP scripts from the browser? Does it detect injection attacks via URL Query Strings? What are its selling points compared to other security measures already available for osC (in other words, why should I use yours instead of theirs)? Does it work in conjunction with other security measures (filling a gap in security), or does it replace others?

1. This works well in osC v2.2. We have tested this only on osC v2.2. v2.1 was selected by mistake while doing the contribution upload. We are unable to change it now. We could do another upload under v2.2 if required.

2. Please visit the following websites to know more about its functioning:
http://php-ids.org/downloads/
http://www.h-online.com/security/features/Getting-started-with-the-PHPIDS-intrusion-detection-system-746233.html

3. Yes, it does the following:
[i] Form input with attempts at injecting PHP or MySQL code
[ii] Detects attempts to run arbitrary PHP scripts from the browser
[iii] Detects injection attacks via URL Query Strings

4. PHPIDS is a unique Intrusion Detection System which is already popular. We have not seen this type of software elsewhere. We also do not have this type of software in the existing osCommerce contributions.

5. Yes, this works in conjunction with other security measures. This might not replace any other contribution.

PHPIDS enables you to see who's attacking your site and how, all without the tedious trawling of log files or searching hacker forums for your domain. Web applications are regularly threatened by attacks that try to exploit programming weaknesses. The PHP-based, open source PHPIDS solution detects attempted intrusions and raises the alarm when a threat is identified. PHPIDS helps protect PHP-based applications from Cross-Site-Scripting, SQL-Injection and other attacks. The simplest scenario involves logging attacks to establish whether a site is being targeted and requires further protective measures. Installing PHPIDS is usually only a matter of a few simple steps.

Edited April 30, 2010 by celextel
celextel (author), posted April 30, 2010:

FAQ:

What kinds of attacks are detected by the PHPIDS?
Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks; this covers several charsets like UTF-7, entities of all forms (such as JavaScript Unicode, decimal and hex entities) as well as comment obfuscation, obfuscation through concatenation, shell code and many other variants. Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component. This component does in-depth string analysis and measurement and detects about 85% to 90% of all tested vectors given a minimum length of 25 characters.

What's required to run the PHPIDS?
You need at least PHP 5.1.6 to use all features of the PHPIDS. Depending on which kind of logging and caching you choose you might need a database that is able to work together with PDO. SimpleXML is required if you wish to use the XML based filter rules; if your system doesn't provide SimpleXML you can use the fallback JSON based rules. A nice-to-have for the generic attack detection is Unicode support for the PCRE engine. The PHP packages shipped with current distributions should fulfill all requirements out of the box.

How to work with the impact?
The impact indicates the severity of the attack. The PHPIDS brings around 50 filter rules to detect attacks and each one of them has an impact: the more rules match on the incoming data, the more likely it's an attack and the higher the resulting impact ranks. The impact can be received by using $result->getImpact() on the result object. You can store the impact as a session value if you want to track an attacker's activity for some time and wish to react later, when the session impact has risen to 50 or 100. A usual very first attack impact is around 5-10, sometimes 15-20. A typical XSS probing monitored by session based impact usually results in an impact of 50-150. So it's pretty easy to separate the false alerts from the real attacks using session based impact.

What can be done in case the impact is very high?
There are several ways to react on high (around 15) or very high (around 25-50) impact. The first and easiest would be a hard redirect: the suspicious user could be redirected to a warning page which tells him that the application considered his input malicious and asks him to stop. Meanwhile all important parameters of the user can be logged and used for forensics. Another effective way would be to destroy the user's session.

What about performance issues?
The PHPIDS is being developed under constant profiling with xdebug and performance measurements to make sure that your application will not become noticeably slower. Only request parameters are checked whose values contain characters besides a-Z, 0-9, @ and _. Furthermore modules like the HTML parser are only included and used in case there is input coming in with a key matching the ones given in the Config.ini / via $monitor->setHtml() for content with HTML allowed. So the performance hungry components normally won't be loaded during about 95% of all requests.

Edited April 30, 2010 by celextel
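The session-based impact tracking and the tiered reactions (log, redirect to a warning page, destroy the session) described in the FAQ above, as an added PHP example. This is not code from the osCommerce module or from the PHPIDS project: it assumes PHPIDS 0.6.x is unpacked so that phpids/lib/IDS/Init.php is reachable and its Config.ini has been adjusted for the host, uses the IDS_Init / IDS_Monitor / getImpact() calls from PHPIDS's own documentation, and treats the thresholds (15 = high, 50 = very high) as the values quoted in the FAQ. The warning.php page and the $_SESSION key name are placeholders.

```php
<?php
// Added example: session-based impact tracking on top of PHPIDS 0.6.x.
// Not part of the osCommerce module; the IDS_Init/IDS_Monitor calls follow
// the PHPIDS documentation, the thresholds follow the FAQ above. The include
// path, Config.ini location and warning.php are placeholders.
set_include_path(get_include_path() . PATH_SEPARATOR . dirname(__FILE__) . '/phpids/lib');
require_once 'IDS/Init.php';

/**
 * Run PHPIDS over the supplied request data and return the impact of this
 * single request (0 when no filter rule matched).
 */
function phpids_request_impact(array $request)
{
    $init    = IDS_Init::init(dirname(__FILE__) . '/phpids/lib/IDS/Config/Config.ini');
    $monitor = new IDS_Monitor($request, $init);
    $result  = $monitor->run();
    return $result->isEmpty() ? 0 : $result->getImpact();
}

/**
 * Add this request's impact to the running session total, so that a probe
 * spread over many low-impact requests is still noticed, and map the total
 * to an action: 'none', 'log', 'warn' or 'terminate'.
 */
function phpids_session_action($impact, array &$session)
{
    if ($impact <= 0) {
        return 'none';
    }
    $previous = isset($session['phpids_impact']) ? $session['phpids_impact'] : 0;
    $session['phpids_impact'] = $previous + $impact;
    $total = $session['phpids_impact'];

    if ($total >= 50) {
        return 'terminate';   // very high: typical XSS probing reaches 50-150
    }
    if ($total >= 15) {
        return 'warn';        // high: redirect to a warning page, keep forensics
    }
    return 'log';             // a first hit is usually 5-10, sometimes 15-20
}

/**
 * Record the parameters needed for later forensics in the PHP error log.
 */
function phpids_log_event($impact, $total, $action)
{
    error_log(sprintf(
        'PHPIDS action=%s impact=%d session_total=%d ip=%s uri=%s ua=%s',
        $action, $impact, $total,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-'
    ));
}

// Front-end glue: run this before the application reads any input.
session_start();
$impact = phpids_request_impact(array(
    'REQUEST' => $_REQUEST,
    'COOKIE'  => $_COOKIE,
));
$action = phpids_session_action($impact, $_SESSION);

if ($action !== 'none') {
    phpids_log_event($impact, $_SESSION['phpids_impact'], $action);
}
if ($action === 'warn') {
    header('Location: warning.php');   // placeholder page asking the visitor to stop
    exit;
}
if ($action === 'terminate') {
    $_SESSION = array();
    session_destroy();
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

The total is kept per session rather than per request so that a single noisy parameter (impact 5-10) only produces a log line, while a sequence of probes that pushes the session past 50 ends the session; that is the separation between false alerts and real attacks the FAQ describes.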
celextel (author), posted May 1, 2010:

PHP Intrusion Detection System for osCommerce
Module to include PHPIDS into osCommerce to Log and Prevent Intrusions
http://addons.oscommerce.com/info/7368

Please find this contribution at the following URL: http://addons.oscommerce.com/info/7374

All future versions would be posted only in this page. We have to move this under osCommerce Online Merchant v2.2 as we have tested this only under v2.2.

NEW!! PHPIDS for osCommerce 1.1

Just added two more exception variables which PayPal is using during the payment process. We had to include the first two exception variables as PHPIDS was creating hundreds of IDS log file entries even though those requests made by osCommerce were not intrusions. You could ban an IP with a high Impact score automatically.
celextel (author), posted May 2, 2010:

NEW!! PHPIDS for osCommerce 1.2

A setting to show the result [for testing purposes] and a setting for the IP ban value have been added to the main configuration. This module would ban an IP automatically if (i) the banned file exists in the modules directory, (ii) the impact score is more than the set value for IP ban and (iii) the set value for show result is false.

Added contribution link to the PHPIDS Log Report file in the admin. Read Me HTML file updated.
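The three-condition automatic IP ban described in the 1.2 release note above, as an added PHP example that is not the module's own code. The banned file path (includes/modules/banned), the setting names $ip_ban_value and $show_result, and the fixed $impact value standing in for $result->getImpact() are assumptions; the check that denies already-banned addresses on later requests is included so the whole loop is visible.

```php
<?php
// Added example: automatic IP ban along the lines of the 1.2 release note.
// Not the module's code: the banned-file path is a placeholder and the two
// setting names are assumed; $impact would normally come from PHPIDS.

define('PHPIDS_BANNED_FILE', dirname(__FILE__) . '/includes/modules/banned'); // placeholder path
$ip_ban_value = 25;      // impact above which an address is banned (assumed setting)
$show_result  = false;   // true only while testing; banning is off while true

/**
 * Decide whether this request's impact should put the client address on the
 * ban list, following the three conditions in the release note: the banned
 * file must already exist (it acts as the opt-in switch), the impact must
 * exceed the configured value, and the test-only result display must be off.
 */
function phpids_should_ban($impact, $ip_ban_value, $show_result, $banned_file)
{
    return file_exists($banned_file)
        && $impact > $ip_ban_value
        && $show_result === false;
}

/**
 * Check the client address against the banned file. This runs on every
 * request, so it stays a plain linear scan of a small one-address-per-line file.
 */
function phpids_is_banned($ip, $banned_file)
{
    if (!is_readable($banned_file)) {
        return false;
    }
    $list = file($banned_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $list, true);
}

/**
 * Append an address to the banned file. The value is validated first so
 * that nothing but an IP address can ever be written into the file, and the
 * write is locked so two concurrent requests cannot interleave lines.
 */
function phpids_ban_ip($ip, $banned_file)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (phpids_is_banned($ip, $banned_file)) {
        return true;   // already listed, nothing to do
    }
    return file_put_contents($banned_file, $ip . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Front-end glue: deny already-banned addresses first, then judge this request.
$client_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (phpids_is_banned($client_ip, PHPIDS_BANNED_FILE)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

$impact = 30;   // stand-in for $result->getImpact() from the PHPIDS run
if (phpids_should_ban($impact, $ip_ban_value, $show_result, PHPIDS_BANNED_FILE)) {
    phpids_ban_ip($client_ip, PHPIDS_BANNED_FILE);
    error_log(sprintf('PHPIDS banned %s after impact %d', $client_ip, $impact));
}
```

Because the banned file doubles as the switch, removing it disables banning without touching configuration, and because a ban is only written when $show_result is false, a test run with result display on never locks the tester out.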
alba, posted May 3, 2010:

This sounds like a great addition to security; however I'd suggest seeing if it can be set up so that the log file it writes to is outside the public_html, for added security.
alba, posted May 3, 2010:

I've also found that Test #2 will return a 404 error if you're running Mod Security, suPHP and Suhosin on the server:

Not Acceptable
An appropriate representation of the requested resource /index.html could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Edited May 3, 2010 by alba
MrPhil, posted May 3, 2010:

Just to clarify, no, that's not a 404 you're getting. It's a 406. The 404 comes from not having your own error document (e.g., /406.shtml) for error 406. It's stupid to configure Apache that way (report a 404 when it can't find your error handler), but that's how most servers have it. Read http://www.catskilltech.com/freeSW/SMF/faqs/index.html#errorpages
celextel (author), posted May 3, 2010:

> This sounds like a great addition to security; however I'd suggest seeing if it can be set up so that the log file it writes to is outside the public_html, for added security.

You could keep the PHPIDS directory itself outside the public_html. This is possible. You need to just change the $oscBasePath value to the new path [example '/home/'] in our module.
celextel (author), posted May 3, 2010:

> Just to clarify, no, that's not a 404 you're getting. It's a 406. The 404 comes from not having your own error document (e.g., /406.shtml) for error 406. It's stupid to configure Apache that way (report a 404 when it can't find your error handler), but that's how most servers have it. Read http://www.catskilltech.com/freeSW/SMF/faqs/index.html#errorpages

Thanks for the clarification.
pmfjoe, posted May 4, 2010:

So I installed it, but when I go to do the test I get:

PDOException: could not find driver

Any ideas?

Edited May 4, 2010 by pmfjoe
celextel (author), posted May 5, 2010:

> So I installed it, but when I go to do the test I get:
>
> PDOException: could not find driver
>
> Any ideas?

Perhaps you have missed something in the installation process. Please go through each of the steps carefully once again. Did you grant write access [chmod 777] to the "tmp" folder [phpids/lib/IDS/tmp] and also to the phpids_log.txt log file which is inside the "tmp" folder?
Micke, posted May 6, 2010:

Hi All. I get this after installing:

Parse error: syntax error, unexpected '{' in /a/path/to/shop/here/includes/modules/osc_phpids.php on line 80

Any idea what's wrong?

//Micke
celextel (author), posted May 6, 2010:

> Hi All. I get this after installing:
>
> Any idea what's wrong?
>
> //Micke

Did you make any change to osc_phpids.php? If so, please download this contribution once again and copy this file to your server without making any modification to this file. If you still get the same error, then please go through each of the steps carefully once again. As such there should not be any problem if you have uploaded the PHPIDS directory correctly apart from the files in this contribution.
Micke, posted May 6, 2010:

> Did you make any change to osc_phpids.php? If so, please download this contribution once again and copy this file to your server without making any modification to this file. If you still get the same error, then please go through each of the steps carefully once again. As such there should not be any problem if you have uploaded the PHPIDS directory correctly apart from the files in this contribution.

I changed PHP version to PHP 5.2.6 and now the page loads. Must have done something wrong though - I have set:

$show_result = 'true';

but no message is showing when I add to the url:

?id=1&test=">XXX

and when I look at the admin log report it says:

1146 - Table 'databasename_2.phpids_intrusions' doesn't exist
select id, ip, name, impact, value, page, created from phpids_intrusions order by id
[TEP STOP]

I'll go through the steps all over again.
celextel (author), posted May 6, 2010:

> I changed PHP version to PHP 5.2.6 and now the page loads. Must have done something wrong though - I have set:
>
> $show_result = 'true';
>
> but no message is showing when I add to the url:
>
> and when I look at the admin log report it says:
>
> I'll go through the steps all over again.

Please check without doing any modifications to our file. The DB table gets created automatically during the first test call if all the files are in place.
Micke, posted May 6, 2010:

> Please check without doing any modifications to our file. The DB table gets created automatically during the first test call if all the files are in place.

I have done the installation procedure from the beginning - not changing any files. The database is not created and I can not see any messages after setting:

$show_result = 'true';

and "attacking" with the URL parameters in the installation instructions. Would it do any good to create the database table manually in phpMyAdmin?
celextel (author), posted May 6, 2010:

> I have done the installation procedure from the beginning - not changing any files. The database is not created and I can not see any messages after setting:
>
> $show_result = 'true';
>
> and "attacking" with the URL parameters in the installation instructions. Would it do any good to create the database table manually in phpMyAdmin?

Perhaps the PHPIDS directory is not in the right place. You should rename the "phpids-0.6.3.1" directory as "phpids" [not caps]. [You should do simple unzipping and not into a folder.] Make sure that this renamed directory has the following directories directly in it:

docs
lib
nbproject
tests

Keep $show_result = 'false'; and do test-1 and test-2. Go to the MySQL DB and see whether the new table has been created. No need to create it manually.

If this still does not work, you should add the following code to the index file at the top, after <?php, and see what is wrong:

error_reporting(E_ALL);
ini_set('display_errors', '1');

Avoid doing this [error_reporting] in a live shop.

Edited May 6, 2010 by celextel
Micke, posted May 6, 2010:

Got it working! :) The problem was I had another contribution installed called FWR Security Pro. I disabled it and the installation worked like a charm! I have turned FWR Security Pro on again and now I'll see what happens. I hope these two contributions can interact in a good way. If you think I'm wrong - please tell me.
celextel (author), posted May 7, 2010:

> Got it working! :) The problem was I had another contribution installed called FWR Security Pro. I disabled it and the installation worked like a charm! I have turned FWR Security Pro on again and now I'll see what happens. I hope these two contributions can interact in a good way. If you think I'm wrong - please tell me.

Glad to know about this. Perhaps you could use only one of these. We do not have any problem with our module as we do not have FWR Security Pro in our websites. We have to see whether these two could exist together.
celextel (author), posted May 9, 2010:

NEW!! PHPIDS for osCommerce 1.3

1. Version Checker and IP look up link added to admin PHPIDS Log Report file.
2. File Log has been disabled by default now. It is not required as DB Log is enabled.
3. Added a few more exception variables which osCommerce is using during the checkout and other processes.
4. Some functions [tep] have been modified.
5. Added more explanatory notes to the module file.
6. You could use this now with Security Pro of FWR with a small modification.
sishimaru, posted May 11, 2010:

Hi celextel, I really appreciate your contributions, thank you very much. I've been trying to install this addon to my live webstore. http://www.harcomas I'm using oscommerce 2.2. When I log in to my admin page I get an error:

1146 - Table 'xxxxx_xxx.phpids_intrusions' doesn't exist
select id, ip, name, impact, value, page, created from phpids_intrusions order by id

What should I do? I felt I ran according to the instructions but I got an error; should I restart my brain?? Needed your advice celextel.. thanks