public function testHasEventException() { $this->setExpectedException('InvalidArgumentException'); $this->report->hasEvent(array(1, 2, 3)); }
/** * Process results from IDS scan. * * @param \IDS\Init $init PHPIDS init object reference. * @param \IDS\Report $result The result object from PHPIDS. * * @return void */ private function _processIdsResult(\IDS\Init $init, \IDS\Report $result) { // $result contains any suspicious fields enriched with additional info // Note: it is moreover possible to dump this information by simply doing //"echo $result", calling the \IDS\Report::$this->__toString() method implicitely. $requestImpact = $result->getImpact(); if ($requestImpact < 1) { // nothing to do return; } // update total session impact to track an attackers activity for some time $sessionImpact = SessionUtil::getVar('idsImpact', 0) + $requestImpact; SessionUtil::setVar('idsImpact', $sessionImpact); // let's see which impact mode we are using $idsImpactMode = System::getVar('idsimpactmode', 1); $idsImpactFactor = 1; if ($idsImpactMode == 1) { $idsImpactFactor = 1; } elseif ($idsImpactMode == 2) { $idsImpactFactor = 10; } elseif ($idsImpactMode == 3) { $idsImpactFactor = 5; } // determine our impact threshold values $impactThresholdOne = System::getVar('idsimpactthresholdone', 1) * $idsImpactFactor; $impactThresholdTwo = System::getVar('idsimpactthresholdtwo', 10) * $idsImpactFactor; $impactThresholdThree = System::getVar('idsimpactthresholdthree', 25) * $idsImpactFactor; $impactThresholdFour = System::getVar('idsimpactthresholdfour', 75) * $idsImpactFactor; $usedImpact = $idsImpactMode == 1 ? $requestImpact : $sessionImpact; // react according to given impact if ($usedImpact > $impactThresholdOne) { // db logging // determine IP address of current user $_REMOTE_ADDR = System::serverGetVar('REMOTE_ADDR'); $_HTTP_X_FORWARDED_FOR = System::serverGetVar('HTTP_X_FORWARDED_FOR'); $ipAddress = $_HTTP_X_FORWARDED_FOR ? $_HTTP_X_FORWARDED_FOR : $_REMOTE_ADDR; $currentPage = System::getCurrentUri(); $currentUid = UserUtil::getVar('uid'); if (!$currentUid) { $currentUid = 1; } // get entity manager $em = ServiceUtil::get('doctrine.entitymanager'); $intrusionItems = array(); foreach ($result as $event) { $eventName = $event->getName(); $malVar = explode(".", $eventName, 2); $filters = array(); foreach ($event as $filter) { array_push($filters, array('id' => $filter->getId(), 'description' => $filter->getDescription(), 'impact' => $filter->getImpact(), 'tags' => $filter->getTags(), 'rule' => $filter->getRule())); } $tagVal = $malVar[1]; $newIntrusionItem = array('name' => array($eventName), 'tag' => $tagVal, 'value' => $event->getValue(), 'page' => $currentPage, 'user' => $em->getReference('ZikulaUsersModule:UserEntity', $currentUid), 'ip' => $ipAddress, 'impact' => $result->getImpact(), 'filters' => serialize($filters), 'date' => new \DateTime("now")); if (array_key_exists($tagVal, $intrusionItems)) { $intrusionItems[$tagVal]['name'][] = $newIntrusionItem['name'][0]; } else { $intrusionItems[$tagVal] = $newIntrusionItem; } } // log details to database foreach ($intrusionItems as $tag => $intrusionItem) { $intrusionItem['name'] = implode(", ", $intrusionItem['name']); $obj = new IntrusionEntity(); $obj->merge($intrusionItem); $em->persist($obj); } $em->flush(); } if (System::getVar('idsmail') && $usedImpact > $impactThresholdTwo) { // mail admin // prepare mail text $mailBody = __('The following attack has been detected by PHPIDS') . "\n\n"; $mailBody .= __f('IP: %s', $ipAddress) . "\n"; $mailBody .= __f('UserID: %s', $currentUid) . "\n"; $mailBody .= __f('Date: %s', DateUtil::strftime(__('%b %d, %Y'), time())) . "\n"; if ($idsImpactMode == 1) { $mailBody .= __f('Request Impact: %d', $requestImpact) . "\n"; } else { $mailBody .= __f('Session Impact: %d', $sessionImpact) . "\n"; } $mailBody .= __f('Affected tags: %s', join(' ', $result->getTags())) . "\n"; $attackedParameters = ''; foreach ($result as $event) { $attackedParameters .= $event->getName() . '=' . urlencode($event->getValue()) . ", "; } $mailBody .= __f('Affected parameters: %s', trim($attackedParameters)) . "\n"; $mailBody .= __f('Request URI: %s', urlencode($currentPage)); // prepare other mail arguments $siteName = System::getVar('sitename'); $adminmail = System::getVar('adminmail'); $mailTitle = __('Intrusion attempt detected by PHPIDS'); if (ModUtil::available('ZikulaMailerModule')) { $args = array(); $args['fromname'] = $siteName; $args['fromaddress'] = $adminmail; $args['toname'] = 'Site Administrator'; $args['toaddress'] = $adminmail; $args['subject'] = $mailTitle; $args['body'] = $mailBody; $rc = ModUtil::apiFunc('ZikulaMailerModule', 'user', 'sendmessage', $args); } else { $headers = "From: {$siteName} <{$adminmail}>\n" . "X-Priority: 1 (Highest)"; System::mail($adminmail, $mailTitle, $mailBody, $headers); } } if ($usedImpact > $impactThresholdThree) { // block request if (System::getVar('idssoftblock')) { // warn only for debugging the ruleset throw new \RuntimeException(__('Malicious request code / a hacking attempt was detected. This request has NOT been blocked!')); } else { throw new AccessDeniedException(__('Malicious request code / a hacking attempt was detected. Thus this request has been blocked.'), null, $result); } } return; }
/** * dispose affected Variables * * @param \IDS\Report $oIdsReport * @access public * @static */ public static function dispose(\IDS\Report $oIdsReport) { $aName = array(); $aDisposed = array(); // get Name of Variables foreach ($oIdsReport->getIterator() as $oEvent) { $aName[] = $oEvent->getName(); } // iterate infected and dispose those foreach ($aName as $sName) { // get Type and Key $aType = explode('.', $sName); $sType = isset($aType[0]) ? $aType[0] : ''; $sKey = isset($aType[1]) ? $aType[1] : ''; $aAffected = isset($GLOBALS['_' . $sType][$sKey]) ? $GLOBALS['_' . $sType][$sKey] : array(); if (!empty($aAffected)) { if ('GET' == $sType) { if (isset($_GET[$sKey])) { $_GET[$sKey] = null; unset($_GET[$sKey]); } } if ('POST' == $sType) { if (isset($_POST[$sKey])) { $_POST[$sKey] = null; unset($_POST[$sKey]); } } if ('COOKIE' == $sType) { if (isset($_COOKIE[$sKey])) { $_COOKIE[$sKey] = null; unset($_COOKIE[$sKey]); } } $aDisposed[] = $sType . '[' . $sKey . ']'; \MVC\Log::WRITE("INFO\tdisposed: " . $sType . '[' . $sKey . ']', 'ids.log'); // overwrite $oRequest = Request::getInstance(); $oRequest->saveRequest(); } } \MVC\Registry::set('MVC_IDS_DISPOSED', $aDisposed); }
public function testGetEventWrong() { $this->assertNull($this->report->getEvent('not_available')); }
public function assertImpact(Report $result, $impact, $suhosinImpact) { if (extension_loaded('suhosin')) { $this->assertEquals($suhosinImpact, $result->getImpact()); } else { $this->assertEquals($impact, $result->getImpact()); } }