CMS Made Simple Forums

Site security is always an issue as we have seen with the number of upgrades to CMSMS recently. 

Has anyone any comments on

PHPIDS (PHP-Intrusion Detection System) http://php-ids.org/

just to keep a check on intrusions to a site?

I think you´ve developed the phpids module cms ms, but I don´t really get how it is or should be working.

I´m using your default config and only added my email. What do the three level configs mean and how can I test the module?

In the phpids forum someone posted something like:

http://YOUR SITE/?test=">XXX

But this doesn´t seem to result in anything. My logfile is empty and write permissions are ok. Besides I should mention that I´m using pretty urls.

Greats from Germany
LeisureLarry

Thanks for your interest in CMSMS PHPIDS module

The detection will start as soon as the module is installed providing
1) php version  > 5.1.6 and includes SimpleXML extension(normally enabled by default)
2) you are not logged in to admin OR in the same session

The three levels allow you to toggle and set impact levels

1) If you want an email sent to you giving details of intrusion
2) If you want a warning message displayed
3) If you want to ban the intruder

All impacts will be logged in the phpids_log txt file (impact will not be logged on database if you are on local machine)

To check impact uncomment
debug_display($impact, 'impact');
on about line 437 in phpids.module.php
or for results
debug_display($result, 'results');
on about line 476 in phpids.module.php

As you mention if you enter a url like
http://YOUR SITE/?test=">XXX

this should result in an initial impact of 4 each refresh will increase this by the same amount.

For further information visit http://php-ids.org/

Taking into account the number of reproted attacks on CMSMS sites and indeed on this forum it is worth reading Mario's white paper on 'Attack Detection'
http://docs.google.com/View?docID=dd7x5smw_11cfdd34db

I´ve tried the module for several days, but there seems to be a problem with google analytics or something else.

Do you know what could cause the following email and a warning message above the normal content of my website (not always, only if an email was send).
I´ve got several of this ones (forum.cmsmadesimple.org) and another domain. Both websites have links to my website in the content.

Besides the phpids website isn´t really good, I couldn´t find really useful informations.

Greats from Germany
LeisureLarry

LeisureLarry  The docs (Linked above) say something about this is

Furthermore exceptions can be defined in the configuration file. This is an extremely important feature to avoid false alerts on certain web applications. If for example the requests against a programming forum are being monitored with the PHPIDS it probably doesn't make sense to check the post body data. It will in most cases be filled with source code examples and other data that will trigger alert after alert because the filter rules of the PHPIDS match the monitored string. Same goes for parameters used by Google Analytics - those are by the way defined as exclusions on default - also to show how the definition of exclusions in the Config.ini works. After including the files and adding the necessary code it is important to decide how the protected web application should react. There are various ways and most of them should be depending on the impact the overall attack had.

Really odd, reading your quote google analytics should be no problem, but for me it seemed to be the problem used with phpids. For the moment I had to disable phpids, as I need the analytics. If I´ve more time, I will have some testing.

Greats and thanks from Germany
LeisureLarry

Hi guys!

First of all, sorry for my english written, I'm spanish and I don't write english as well as I want.

I think I have a solution for the phpids and google analitycs issue.

I've seen the all the mail that phpids sent me when I've installed google analytics in my site ([url http://www.pablillo.es/]www.pablillo.es[/url]) and I tried to log into my admin area.

The problem, as you know, are in the cookies of the google analytics.

I've searched in config file of phpids and I've seen that exclusion : But the cookie problem sent by phpids said that: ....

Then I used all my brain to search for a solution and I found this: Add two (2) exceptions:
        Since I've added the exceptions, I've had no warn.

I hope that this solutions will work for you

Thank you for your patience

Regards
Pablo
www.pablillo.es