PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

PHPIDS is another protection for those building websites and web applications. As the web application is the most common attack vector nowadays, I think it’s important to be extra safe on this front.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt.

This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
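As an added example (not code from the post or from the PHPIDS project), here is how the detection and the impact-rating reaction described above fit together in a page that includes PHPIDS 0.4. The class and method names follow the PHPIDS 0.4 documentation; the config path, the thresholds of 10 and 30, and the choice of actions per threshold are assumptions made for this illustration, not values the project prescribes.

```php
<?php
// Added example: wiring PHPIDS 0.4.x into a page and mapping the impact
// rating to an action. Class and method names follow the PHPIDS 0.4 docs;
// the config path and the thresholds below are assumptions for this example.
require_once 'IDS/Init.php';

// Everything the attacker controls should be inspected. Cookies count,
// and $_SERVER values such as HTTP_USER_AGENT can be added to the array.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

// Config.ini holds the paths to the filter rule XML and the log file.
$init   = IDS_Init::init(dirname(__FILE__) . '/IDS/Config/Config.ini'); // assumed path
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run(); // an IDS_Report; empty when no rule matched

if (!$result->isEmpty()) {
    // The report's impact is the sum of the impact values of all matched
    // rules across all inspected fields; each field is an IDS_Event.
    $impact = $result->getImpact();
    foreach ($result as $event) {
        error_log(sprintf('PHPIDS: field %s impact %d tags %s',
            $event->getName(), $event->getImpact(),
            implode(',', $event->getTags())));
    }

    // Always record the attempt; the file logger ships with PHPIDS.
    $log = new IDS_Log_Composite();
    $log->addLogger(IDS_Log_File::getInstance($init));

    if ($impact >= 30) {
        // Assumed threshold: probable attack. Mail the team (SMTP settings
        // come from Config.ini), end the session and refuse the request.
        $log->addLogger(IDS_Log_Email::getInstance($init));
        $log->execute($result);
        if (session_id() === '') {
            session_start();
        }
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit;
    } elseif ($impact >= 10) {
        // Assumed threshold: suspicious. Log and warn, but let it through.
        $log->execute($result);
        echo '<p>Suspicious input was detected and logged.</p>';
    } else {
        // Low impact: just log it (benign input can trip single rules).
        $log->execute($result);
    }
}
// Normal page processing continues here. Note that $_GET/$_POST are
// untouched: PHPIDS only reported, so validation and escaping still
// belong in the application code that uses the input.
```

Two practical caveats: the thresholds need tuning against your own traffic, because legitimate input (for example a comment containing angle brackets) can match single low-impact rules, so reacting hard to any non-empty report will lock out real users; and since PHPIDS does not alter the request, every action here is something the application decides to do, which is exactly why the post calls it an IDS rather than an IPS.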

PHPIDS enables you to see who’s attacking your site and how, all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least, it’s licensed under the LGPL!

It’s a fairly mature product with some good documentation (docs are here), and it’s easy to programmatically grab the latest version of the filter rules (they’re just an XML file).

You can see a demo here where you can try some injections or XSS and see the warnings.

Download the latest version of PHPIDS here:

PHPIDS 0.4.6 zip
PHPIDS 0.4.6 tar.gz

There are other versions for Drupal and WordPress on the download page.

Or read more here.

Posted in: Countermeasures, Security Software, Web Hacking



12 Responses to PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

  1. eM3rC February 12, 2008 at 8:42 am #

    Wow amazing program. Definitely gonna add this when I do my next site.

  2. Pantagruel February 12, 2008 at 5:18 pm #

    Indeed a very sane addition to any server running PHP coded software
    (even something silly as a photo album or so)

  3. anonymous February 16, 2008 at 7:04 pm #

    I don’t get the point of using such a packet. Why not just go to the root of the problem and make your code secure in the first place?

    I believe the more code there is, the more insecure your application will be. I always try to keep my code as simple as possible.

  4. eM3rC February 16, 2008 at 8:51 pm #

    It’s always good to keep the code as simple and secure as possible, but there’s one thing that is always true no matter what code it is: there will always be mistakes. Unless you have decades of experience programming PHP securely, it won’t hurt to add more stuff. There are also some unknown techniques for hacking which you may not be aware of when you write the code.

    One can never be too safe.

  5. zupakomputer February 17, 2008 at 7:06 pm #

    That’s the thing: no matter how well you know any language or instruction set, chances are someone else will know more, and someone else who knows less will have cracking tools that can exploit whatever you wrote.
    That’s likely true even if you wrote the language itself – there’ll be some machine code or assembly-based way of altering it.

  6. Darknet February 17, 2008 at 8:15 pm #

    According to the wisdom of ‘anonymous’ we wouldn’t need anti-virus, intrusion detection, firewalls….hell let’s just get rid of the whole security industry and simply ask everyone to code properly!

  7. eM3rC February 17, 2008 at 10:38 pm #

    Couldn’t be more true. There will always be a weakness no matter what you do.

    Lets do all of that and rid the world of disease and hunger!

  8. anonymous February 18, 2008 at 12:43 am #

    My box runs neither a firewall, anti-virus nor any sort of intrusion detection. And it has never been compromised in its 4 years of uptime. On average, it serves about 1400 HTTP requests daily.

    I can agree that you may need extra protection in case you do not have the experience, but personally I would never run such an injection detection system on anything. I think it will only give the programmer a false sense of security, which will most likely result in other security checks being ignored.

  9. Darknet February 18, 2008 at 8:30 am #

    anonymous: I never implied YOU needed it, nor did I say I needed it, but does that mean it’s not required? I have a feeling you are young. If you’ve ever worked on a reasonably complex problem (more than 100k lines of code) you would know mistakes happen, multiple people are working on the same thing and you need multiple layers of defence (AV/Firewall/Reverse Proxy/IDS/Application Layer Protection etc.). And this tool in particular is an IDS not an IPS anyway, so it doesn’t protect you from anything, it just tells you what people are trying to do. The first step of being secure is understanding the threat :)

  10. zupakomputer February 18, 2008 at 10:01 pm #

    Hey, that’s an info-gathering attempt on the slow-witted – claiming your web server’s never been hacked and it’s there, naked, waiting…..

  11. Pantagruel February 18, 2008 at 10:50 pm #

    Humor us, share the url/IP. There will be enough people about to point out why certain safety measures can be very helpful. Just because your box, to your knowledge, hasn’t been p0wned doesn’t mean it won’t be p0wned some time soon (or is under p0wnage right now).
    In general the rule applies, the better you can test the perimeter security of your server, the fewer the amount of possible holes and the smaller the chance of being hacked/compromised.

  12. zupakomputer February 18, 2008 at 11:01 pm #

    One way to stay secure and not use any protection of course is to not advertise your sites and not have any keywords in them, block robots, and so forth; and also do all your own websurfing from a completely other machine with no details of the Siren computer referred to.