12 February 2008 | 7,326 views

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

Check For Vulnerabilities with Acunetix

Another protection for those building website and web applications, as it’s the the most common attack vector nowadays I think it’s important to be extra safe on this front.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.

This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

PHPIDS enables you to see who’s attacking your site and how and all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it’s licensed under the LGPL!

It’s a fairly mature product with some good documentation (docs are here) and it’s easily to programmatically grab the latest version of the filter rules (it’s just an xml file).

You can see a demo here were you can try some injections or XSS and see the warnings.


Download the latest version of PHPIDS here:

PHPIDS 0.4.6 zip
PHPIDS 0.4.6 tar.gz

There are other versons for Drupal and WordPress on the download page.

Or read more here.

Recent in Countermeasures:
- Don’t Get Hacked – Have A Free Acunetix Security Scan
- Bro – Passive Open-Source Network Traffic Analyzer
- Hook Analyser 3.1 – Malware Analysis Tool

Related Posts:
- .NETIDS – .NET Intrusion Detection System
- psad – Intrusion Detection and Log Analysis with iptables
- Samhain v.2.5.9c – Open Source Host-Based Intrusion Detection System (HIDS)

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,046 views
- Password Hasher Firefox Extension - 116,909 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,542 views

Low-cost VPS Hosting

12 Responses to “PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications”

  1. eM3rC 12 February 2008 at 8:42 am Permalink

    Wow amazing program. Definitely gonna add this when I do my next site.

  2. Pantagruel 12 February 2008 at 5:18 pm Permalink

    Indeed a very sane addition to any server running PHP coded software
    (even something silly as a photo album or so)

  3. anonymous 16 February 2008 at 7:04 pm Permalink

    I don’t get the point of using such a packet. Why not just go to the root of the problem and make your code secure in the first place?

    I believe the more code there is, the more insecure your application will be. I always try to keep my code as simple as possible.

  4. eM3rC 16 February 2008 at 8:51 pm Permalink

    Its always good to keep the code as simple and secure as possible but there’s one things that is always true no matter what code it is. There will always be mistakes. Unless you have decades of experience for programming php securely it wont hurt to add more stuff. There are also some unknown techniques for hacking which you may not be aware of when you write the code.

    One can never be to safe.

  5. zupakomputer 17 February 2008 at 7:06 pm Permalink

    That’s the thing: no matter how well you know any language or instruction set, chances are someone else will know more, and someones else that know less will have cracking tools that can exploit whatever you wrote.
    That’s likely true even if you wrote the language itself – there’ll be some machine code or assembley-based way of altering it.

  6. Darknet 17 February 2008 at 8:15 pm Permalink

    According to the wisdom of ‘anonymous’ we wouldn’t need anti-virus, intrusion detection, firewalls….hell let’s just get rid of the whole security industry and simply ask everyone to code properly!

  7. eM3rC 17 February 2008 at 10:38 pm Permalink

    Couldn’t be more true. There will always be a weakness no matter what you do.

    Lets do all of that and rid the world of disease and hunger!

  8. anonymous 18 February 2008 at 12:43 am Permalink

    My box runs neither a firewall, anti-virus or some sort of intrusion detection. And it has never been compromised in its 4 years of uptime. On average, it serves about 1400 HTTP requests daily.

    I can agree that you may need extra protection in case you do not have the experience, but personally I would never run such an injection detection system on anything. I think it will only give the programmer a false sense of security, which will mosy likely result in other security checks beeing ignored.

  9. Darknet 18 February 2008 at 8:30 am Permalink

    anonymous: I never implied YOU needed it, nor did I say I needed it but does that means it’s not required? I have a feeling you are young. If you’ve ever worked on a reasonably complex problem (more than 100k lines of code) you would know mistakes happen, multiple people are working on the same thing and you need multiple layers of defence (AV/Firewall/Reverse Proxy/IDS/Application Layer Protection etc.). And this tool in particular is an IDS not an IPS anyway so it doesn’t protect you from anything, it just tells you what people are trying to do. The first step of being secure is understanding the threat :)

  10. zupakomputer 18 February 2008 at 10:01 pm Permalink

    Hey, that’s an info-gathering attempt on the slow-witted – claiming your web servers never been hacked and it’s there, naked, waiting…..

  11. Pantagruel 18 February 2008 at 10:50 pm Permalink


    Humor us, share the url/IP. There will be enough people about to point out why certain safety measures can be very helpfull. Just because your box, to your knowledge, hasn’t been p0wned doesn’t mean it won’t be p0wned some time soon (or is under p0wnage right now).
    In general the rule applies, the better you can test the perimeter security of your server, the fewer the amount of possible holes and the smaller the chance of being hacked/compromised.

  12. zupakomputer 18 February 2008 at 11:01 pm Permalink

    One way to stay secure and not use any protection of course is to not advertise your sites and not have any keywords in them, block robots, and so forth; and also do all your own websurfs from a completely other machine with no details of the Siren computer refered to.