today I started coding again on PHPIDS.

I implemented it in this wordpress installation. Each attack is logged into a mysql table and the system is in so called "kick ass mode".
So if you inject some stuff you will soon or later mess up your session.

If you reset your session you are back on 0 and can inject other attacks or just leave me a comment. :)

Feel free to play a little bit around with the search or the admin login and inject some attacks.

A low level attack e.g.

'>XXX

If you need some higher impact values try to search for

'>XXX javascript:alert(1) SELECT DISTINC ;

The coding itself was cleaning up codebase, so no new feature is in the code, just a few modified commands for mysql logging and sending mails.

I really need some attack requests and some more testing to further implement new functionality. So feel free to suggest wishes, what you would like to see or to have.
Because most coding effort is currently framework stuff, it will take some time for a new version because till now everything works quite fine.

Oh, and please don't hurt this system, or at least try to :)

There was an attack scenario which poisons a proxy server such that the upgrade handshake of the websockets can be attacked.
Look here if you are interested in the details.

This means for my implementation it has to wait until the actual draft gets updated/modified.
It makes no sense for further developing without knowing what actually will change in the specification.

I will continue coding on my implementation as soon as the draft is updated and browsers who removed it re-enable websockets again.

the last 3 months, I had so much work to do, I wasn't able to write a single line of code for this project.
I plan to continue coding mid February again, so stay tuned.

If anyone wants to contribute, in whatever way, just let me know.

yesterday I wanted to do some tests with Websockets which will be available when HTML5 is coming to the real world.

I downloaded a phpwebsocket implementation, done early this year and tried to get it running with the examples.

Soon I noticed, it cannot work, cause the browsers (I tested with Chrome and Firefox), modified the way they handle the handshakes.
Earlier this year, it was possible to just send a standard reply to the browser and the connection gets initiated.

Now you have to do some calculations from given keys from the browser at server side.
So the browser initiates the connection to a socket and sends some data.

E.g.:

GET / HTTP/1.1
Connection: Upgrade
Host: example.com
Upgrade: WebSocket
Sec-WebSocket-Key1: 3e6b263  4 17 80
Origin: http://example.com
Sec-WebSocket-Key2: 17  9 G`ZD9   2 2b 7X 3 /r90

WjN}|M(6

At server side, you have to do the following now:

Extract the keys
Count Spaces
calculate(key/spaces)
get random challenge
concatenate calculated keys+random challenge
build md5 hash of concatenation
and sent it back to the client.

If the generated hash value is the one the client expects, you get a connection, else this fails.

It took quite some time to get this running, maybe I will explain the implementation later.

I've uploaded my code to sourceforge, you can download it from there if you want to test it.

svn co https://phpwebsocket.svn.sourceforge.net/svnroot/phpwebsocket phpwebsocket

It is not working for multiple clients from the same machine, but for a first test or impression its usable.
I will do some work on the code to fix this, but for know you have to live with that :)

If you downloaded the code, just start the server with:

php TestServer.php

Open your browser and point it to the client html file called test.html in the client directory.

If you have any question or problem, just let me know.

as promised I will explain how you can create custom modules for the ips system today.

At first you should get the latest version from the svn reposatory from sourcforge.

svn co https://php-ips.svn.sourceforge.net/svnroot/php-ips/trunk/ php-ips

To add a new module, you just need to create a new directory under phpids/lib/Modules
We will name it Example.

mkdir phpids/lib/Modules/Example

This is you new Module Directory. Now we need a place where we can add Commands for our Module.
The Directory name, the system searches Commands is named, well "Command" :)

mkdir phpids/lib/Modules/Command

Our first command, we will implement is a modified version of the log command.
The default command just opens a file and writes logging messages to it.
This is fine, but we are logs going in a database, so wa can do some analysing logfiles more easily with a nice backend. To simplify this example much, I will use a SQLite Database. If you want another Database, like MySQL, PGSQL or even Microsoft SQL Server you can do this on your own.

Further I will use the PDO php package doing the Database stuff, so forgive me, its my second time working with it, so hopefully I don't mess up my code to much. (We will see if Zend Framework spoiled me too much :))

To create the Command, all we have to do is add a new file. With the name Log.php. Lets do it.

touch phpids/lib/Modules/Command/Log.php

In the file itself you need to insert the following code, before we begin.

class Module_Example_Command_Log extends Ips_Command_Abstract {
	private static $_instance=null;

	public static function getInstance() {
		if (self::$_instance==null)
		self::$_instance=new self();
		return self::$_instance;
	}

	protected function realExecute() {
	}

	protected function realSimulate($fileHandle) {
	}

}

From the frameworks point of view, thats all. Just implement the methods and you are done. (Well you need to configure the system, using the new Module Directory, furthermore it makes no sense to only implement one command in a module. So you have to implement all commands you need in this module.
I will show the configuration Part at the end. )

Ok, forget the last note, we implement the code now here, cause I wann show some things you probably need while you are implementing your own commands.

As I said, we wanna log to a sqlite database. So first of all, we need to create it. (We will use sqlite3, so moke sure you got the sqlite3 package of your distribution. Further you need php5-sqlite php module)

First the table definition:

CREATE TABLE [loggertable] (
[id] INTEGER  NOT NULL PRIMARY KEY AUTOINCREMENT,
[time] TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
[affected_tags] VARCHAR(256)  NULL,
[impact] INTEGER  NOT NULL,
[session_impact] INTEGER  NOT NULL,
[attacker_ip] VARCHAR(128)
);

Just open a new file, called create_loggerdb.sql and insert the sql code in it. Than use the following commands

sqlite3 logger.db < create_loggerdb.sql
chown www-data logger.db
chmod u+rw logger.db

(www-data is the user running the httpd server at debian based systems. So you have to use your user who run the httpd server on your host)

Now we have our database finished. Just put the file to a place where you httpd server can reach it. I willt put it in the directory /var/www/path/to/webroot/phpips/examples/logger.db

If you downloaded a package greater alpha_01 you already have such a file in the examples directory. You can use it if you like.

Now lets go back to our logger command.

I will now add some methods to the class, you can just copy and paste the following code or do it on your own.

I created a method called dbInsert, here the code:

private function dbInsert(){
	$this->_dbPath=$this->_dbPath=$this->_registry->getBasePath().
                               "phpips/examples/db/logger.db";
	$this->_dbTableName="loggertable";
	$db=new PDO('sqlite:'.$this->_dbPath);
	$idsReport=$this->_registry->getidsReport();
	$session_impact=$this->_registry->getHighestSessionImpact();
	$impact=$idsReport->getImpact();
	$attacker_ip=$_SERVER['REMOTE_ADDR'];
	$affected_tags=$idsReport->getTags();
	$affected_tags_text="";
	foreach ($affected_tags as $tag){
		$affected_tags_text.="[".$tag."]";
	}
	$values=array($impact,$affected_tags_text,
                             $session_impact,$attacker_ip);
	$insert=$db->prepare("INSERT INTO ".
             $this->_dbTableName." ( impact,
						affected_tags,
						session_impact,
						attacker_ip
						)
						values (?,?,?,?);"
						)->execute($values);
}

I modified the realExecute method like this:

protected function realExecute() {
    $this->dbInsert();
}

The realSimulate method I just copied from an existing one.

protected function realSimulate($fileHandle) {
	$logText = "\n-------\n";
	$logText.= "SIMULATING LOGGING COMMAND\n";
	$logText.= "Logging to Database\n";
	$logText.= "-------\n";
	$this->_registry->add("SimulationOutputBuffer", $this->_registry->
                 get("SimulationOutputBuffer").$logText);
	fwrite($fileHandle, $logText);
}

To get the full code I post it here again:

class Module_Example_Command_Log extends Ips_Command_Abstract {
	/*
	 * This is the sample command descripted implementing in my blog.
	 * http://ra23.net/wop/category/phpips/
	 *
	 */
	private static $_instance=null;
	private $_dbPath=null;
	private $_dbTableName=null;
	public static function getInstance() {
		if (self::$_instance==null)
		self::$_instance=new self();
		return self::$_instance;
	}
	protected function realExecute() {
		$this->dbInsert();
	}

	protected function realSimulate($fileHandle) {
		$logText = "\n-------\n";
		$logText.= "SIMULATING LOGGING COMMAND\n";
		$logText.= "Logging to Database\n";
		$logText.= "-------\n";
		$this->_registry->add("SimulationOutputBuffer", $this->_registry->
                         get("SimulationOutputBuffer").$logText);
		fwrite($fileHandle, $logText);
	}
	private function dbInsert(){
		$this->_dbPath=$this->_dbPath=$this->_registry->getBasePath().
                                       "phpips/examples/db/logger.db";
		$this->_dbTableName="loggertable";
		$db=new PDO('sqlite:'.$this->_dbPath);
		$idsReport=$this->_registry->getidsReport();
		$session_impact=$this->_registry->getHighestSessionImpact();
		$impact=$idsReport->getImpact();
		$attacker_ip=$_SERVER['REMOTE_ADDR'];
		$affected_tags=$idsReport->getTags();
		$affected_tags_text="";
		foreach ($affected_tags as $tag){
			$affected_tags_text.="[".$tag."]";
		}
		$values=array($impact,$affected_tags_text,
                                     $session_impact,$attacker_ip);
		$insert=$db->prepare("INSERT INTO ".
                                   $this->_dbTableName." (   impact,
							                affected_tags,
									session_impact,
									attacker_ip
								)
								values (?,?,?,?);"
								)->execute($values);
}

The other needed commands like Mail, Warn, Kick, Ban I just copied out of the Test folder and renamed them to fit the module.

Thes example is included withing the alpha_2 release, so you get the code here:

http://sourceforge.net/projects/php-ips/files/

To get this module now running, just go to etc/System.ini and edit it. Below I show you what you need to change:

UseCustomCommands="On"
CustomCommandModuleName="Example"

Now your new Module is activated and the system uses our created new log command.

I hope you enjoyed this post, if anything isn't clear or you just found an error in this post, use the comment system.

I'll upload the alpha_2 release asap, so you can implement your own command modules now.

regards

The system itself is based on the Intrusion Detection System PHPIDS

The main goal is to program a framework like ips system, which interacts with the ids.
Currently interacting with the ids is working fine and I'm implementing the framework around the system.
If you wanna check out the current version, its online under: http://ra23.net/phpips/online_version_ra23_alpha01/example.php. Take a look and play a bit around with it.
But don't hurt my machine ;)

At a later stage a programmer would be able to implement modules for the ips, and configure the system with a few configuration files or even from a database.

There is no Documentation for the code yet and how you can implement modules (which is working already, but I'm not fully satisfied yet.)

To give you a short preview how you can install and setup the example in your enviroment, I'll show some Details now.

As I already said, the System is based on phpids. If you already have a running phpids, you can use it, if not there will be an actual version included in the first code release.

So you need to configure the ids first. Currently I'm not using special functions in my setup. I just editied the main configuration (phpids-0.6.4/lib/IDS/Config/Config.ini.php)

Just use the absolute path to the location where your phpids is located.

 base_path       = /var/www/path/to/webroot/php-ips/phpids-0.6.4/lib/IDS/

You can find the documantation for phpids here. Search for "How to install the PHPIDS"

The project is currently hosted on sourceforge.net

To Download the first alpha release follow this link

Well, if you downloaded my code, you have to configure it too.
There are three things which have to be done, pretending you wanna get the example.php up and running.

1. Configure phpips/etc/System.ini:
You need to setup the Basepath:

BasePath="/var/www/path/to/webroot/php-ips/"

2. Edit example.php

You need to define a path here too, now third time. All good things are three you know ;)

define("PATH_TO_ROOT", "/var/www/path/to/webroot/php-ips/" );

I promise, it was the last time setting a path.

3. Edit System.ini to fit your needs.

You find the Documentation inline. For the first running test, you don't need to modify anything inside.

On my example page, the Debugger is enabled. So if you wanna see what the system actually does in the Background get the following Fiefox addons:

FireBug
FirePHP

I write another post in a couple of days, explaining how to create you own modules, configuring the system and so on....
This need further testing right now and is not satisfying me right now.

If you found a bug or have trouble with setting the system up, just use the comment system.

I advice you, the system is under heavy development. Things can change rapidly, so try it, have fun with it, but things can change very fast. Never ever use the alpha version in a production enviroment.

Never. Ever. Please!

I did a further post, how to build your own modules. You find it here

Es geht hier explizit um die Darstellung, die die Tiefe der Kanäle und der Benutzer beachtet und demnach ausgibt:

#root-channel
  -subchannel1
  -subchannel2
    - subsubchannel21
      o User1
      o User2
  -subchannel3

Mumble verwendet eine Schnittstelle mit dem Namen Ice, die in PHP registriert sein muss.

Unter Debian benötigt man das Paket "php-zeroc-ice"
Aktiviert wird das ganze unter: /etc/php5/conf.d/IcePHP.ini

extension = IcePHP.so

In der Konfigurationsdatei von php, gibt man den Link zu Murmur.ice ein. (Ist im Serverdownload enthalten)

php.ini

ice.slice=/pfad/zu/Murmur.ice

Nun stellt man noch sicher, das in der Konfigurationsdatei von Murmur folgendes enthalten ist:
Murmur.ini

ice="tcp -h 127.0.0.1 -p 6502"

Wenn man nun den Murmur Server startet, sollte die ICE-Schnittstelle auf dem angegebenen Port zur Verfügung stehen, mit der wir jetzt agieren können.

Achtet darauf, das die Variable $ICE global sein muss, ansonsten funktioniert es leider nicht.
Aufgerufen wird das ganze folgendermaßen:

stringToProxy("Meta:tcp -h 127.0.0.1 -p 6502");
    $meta = $base->ice_checkedCast("::Murmur::Meta");

    //paste in your serverid!
    $server= $meta->getServer(1);
    $myoutput=plotTreePlainTest($server->getTree());
  }
  catch (Ice_Exception $ex) {
    print_r($ex);
  }
echo $myoutput;
?>

Auch hier findet wieder eine globale Variable Verwendung. Die Variable kann natürlich auch als Referenz übergeben werden.

Hier die Funktion, die uns die HTML-Ausgabe macht:

function plotTreePlainTest($tree,$indent=0, $first_run=true){
  global $output;
  if(is_object($tree)){
    if(is_array($tree->children)){
      $output.= '
children[0])){
          $output.= '>'.str_repeat(" ", $indent).'+ ';
        }
        else {
          if (is_null($tree->users[0])){
            $display='style="display: none;" ';
          }
          $output.= $display.'>'.str_repeat(" ", $indent).'- ';
        }
      }
      else {
        $output.= ">o ";
      }
      $channelname=str_replace("=","",$tree->c->name);
      $channelname=str_replace("|","",$channelname);
      $channelname=str_replace("-","",$channelname);
      $channelname=preg_replace("/^[0-9]\ (.*)/","$1",$channelname);
      $output.= $channelname."

";
      foreach ($tree->users as $k=>$v){
        $output.= str_repeat(" ", $indent+2);
        $output.= "".''.$v->name."
";
      }
      foreach ($tree->children as $k=>$v){
        if (is_object($tree->children[$k]))
        plotTreePlainTest($tree->children[$k],$indent+2,false);
      }
    }

  }
  return $output;
}

Das alles soll nur eine kleine Hilfestellung zur Anzeige der Channel und Benutzer unter Mumble geben.
Ggf. erweitere ich den Code noch ein wenig, bzw. erläutere noch etwas mehr dazu, falls dies erwünscht ist.

Da ich unter anderem Emails von einem Server empfange der keinen Spamfilter verwendet, in dem speziellen Fall ist es eine Weiterleitung, werden auch sämtliche Mails abgelehnt die in diesem Fall über 15 Punkten liegen.
Dies resultiert dann auf dem externen Mailserver in einem Mailer Error der an mich gerichtet ist und die Spam Mail ist im Anhang der Error Mail.

Damit ist natürlich nicht viel gewonnen und bedeutet nur Mehrarbeit.
Eine Möglichkeit wäre den Host in die generelle Whitelist zu packen, dann wird die Mail aber schon beim eigentlichen Connect direkt durchgelassen ohne das eine Prüfung auf Spam erfolgt.

Der hier aufgeführte Patch führt eine zusätzliche Whitelist ein, die dieses Verhalten ändert.
Kommt eine Mail von einem Host dessen IP in der extra Whitelist steht, wird sie vom Server nie abgelehnt, sondern sie durchläuft die Prüfung durch SpamAssassin. Es spielt keine Rolle ob sie als EXTRA SPAM identifiziert wurde, sie wird ganz normal weitergeleitet, jedoch wird wie gewünscht das Subject richtig umgeschrieben und kann somit lokal direkt in den Spamordner geschoben werden.

Patch für smf-spamd -> Download

diff -up -r smf-spamd-1.3.1/smf-config.h smf-spamd-1.3.1-modded/smf-config.h
--- smf-spamd-1.3.1/smf-config.h	2007-01-18 15:35:08.000000000 +0100
+++ smf-spamd-1.3.1-modded/smf-config.h	2009-08-08 03:51:05.000000000 +0200
@@ -5,10 +5,13 @@
  */

 /* Hosts/Networks whitelist (extended regex format) */
-#define WHITE_LIST	"(^127\\.|^192\\.168\\.|^10\\.)"
+#define WHITE_LIST     "(^127\\.|^192\\.168\\.|^10\\.)"
+
+/* Hosts/Networks which probably send EXTRA SPAM and should not be blocked*/
+#define WHITE_LIST_EXTRA   "(^1\\.2\\.3\\.)"

 /* Maximal message size */
-#define MAX_SIZE	131072 /* bytes */
+#define MAX_SIZE	5131072 /* bytes */

 /* Probable SPAM e-Mail messages Subject tagging */
 #define TAG_SUBJECT	1 /* set 0 to disable */
diff -up -r smf-spamd-1.3.1/smf-spamd.c smf-spamd-1.3.1-modded/smf-spamd.c
--- smf-spamd-1.3.1/smf-spamd.c	2007-01-18 15:35:08.000000000 +0100
+++ smf-spamd-1.3.1-modded/smf-spamd.c	2009-08-08 02:43:33.000000000 +0200
@@ -91,6 +91,10 @@ int daemon(int nochdir, int noclose) {
 static const char *ignore_connect = WHITE_LIST;
 static regex_t re_ignore_connect;

+static const char *no_ignore_connect = WHITE_LIST_EXTRA;
+static regex_t no_re_ignore_connect;
+
+
 struct context {
     char addr[64];
     char fqdn[MAXLINE];
@@ -470,12 +474,18 @@ static sfsistat smf_eom(SMFICTX *ctx) {
     elapsed = context->tend.tv_sec - context->tstart.tv_sec + (context->tend.tv_usec - context->tstart.tv_usec) / 1.0e6;
     if (ret == 1) {
 	if (context->score >= EXTRA_SPAM) {
+	  // if there is an entry in WHITELIST_EXTRA do not reject the message;
+	  if (no_ignore_connect[0] && regexec(&no_re_ignore_connect, context->addr, 0, NULL, 0)){
 	    char reject[MAXLINE];

 	    syslog(LOG_NOTICE, "EXTRA SPAM (%.1f/%.1f), %.3fsec, %s, %s -> %s", context->score, context->threshold, elapsed, context->fqdn, context->from, context->rcpt);
 	    snprintf(reject, sizeof(reject), "Sorry, looks like spam. Contact %s to resolve this issue", CONTACT_ADDRESS);
 	    smfi_setreply(ctx, "554", "5.7.1", reject);
 	    return SMFIS_REJECT;
+          }
+          else{
+            syslog(LOG_NOTICE, "EXTRA SPAM WHITELISTED (%.1f/%.1f), %.3fsec, %s, %s -> %s", context->score, context->threshold, elapsed, context->fqdn, context->from, context->rcpt);
+          }
 	}
 	if (REDIRECT_SPAM) {
 	    if (context->rcpts) {
@@ -572,6 +582,7 @@ int main(int argc, char **argv) {
     int ret = 0;

     regcomp(&re_ignore_connect, ignore_connect, REG_EXTENDED|REG_ICASE);
+    regcomp(&no_re_ignore_connect, no_ignore_connect, REG_EXTENDED|REG_ICASE);
     tzset();
     openlog("smf-spamd", LOG_PID|LOG_NDELAY, SYSLOG_FACILITY);
     if (!strncmp(oconn, "unix:", 5))

Alles weitere zu smf-spamd kann man auf der Seite des Entwicklers nachschaun.

gruss
Andre

#include
int main(void){
  printf("Hello World!");
}

asdsadasd