예제 #1
 /**
  * hasEvent() must reject an array argument with an InvalidArgumentException.
  */
 public function testHasEventException()
 {
     $this->setExpectedException('InvalidArgumentException');
     $notAName = array(1, 2, 3);
     $this->report->hasEvent($notAName);
 }
예제 #2
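 /**
  * Process results from an IDS scan and react according to the impact.
  *
  * Escalation (all thresholds are multiplied by the factor of the configured impact mode;
  * mode 1 judges the single request, modes 2 and 3 the impact accumulated in the session):
  *  - above threshold one:   persist the affected parameters as IntrusionEntity rows
  *  - above threshold two:   additionally mail the site administrator (when 'idsmail' is set)
  *  - above threshold three: block the request (only warn when 'idssoftblock' is set)
  *
  * The three reactions are checked independently, so the request context (IP, page, user)
  * is resolved up front and never depends on a lower threshold having been crossed.
  *
  * @param \IDS\Init   $init   PHPIDS init object reference (not used in this method).
  * @param \IDS\Report $result The result object from PHPIDS.
  *
  * @return void
  *
  * @throws \RuntimeException     above threshold three with soft blocking enabled.
  * @throws AccessDeniedException above threshold three with soft blocking disabled.
  */
 private function _processIdsResult(\IDS\Init $init, \IDS\Report $result)
 {
     // $result contains any suspicious fields enriched with additional info.
     // Note: the same information can be dumped with "echo $result", which calls \IDS\Report::__toString() implicitly.
     $requestImpact = $result->getImpact();
     if ($requestImpact < 1) {
         // nothing suspicious in this request
         return;
     }
     // update total session impact to track an attacker's activity for some time
     $sessionImpact = SessionUtil::getVar('idsImpact', 0) + $requestImpact;
     SessionUtil::setVar('idsImpact', $sessionImpact);
     // scale factor per impact mode; unknown modes fall back to factor 1 like mode 1
     $idsImpactMode = (int) System::getVar('idsimpactmode', 1);
     $factors = array(1 => 1, 2 => 10, 3 => 5);
     $idsImpactFactor = isset($factors[$idsImpactMode]) ? $factors[$idsImpactMode] : 1;
     // determine our impact threshold values (the fourth configured threshold is not used here)
     $impactThresholdOne = System::getVar('idsimpactthresholdone', 1) * $idsImpactFactor;
     $impactThresholdTwo = System::getVar('idsimpactthresholdtwo', 10) * $idsImpactFactor;
     $impactThresholdThree = System::getVar('idsimpactthresholdthree', 25) * $idsImpactFactor;
     $usedImpact = $idsImpactMode === 1 ? $requestImpact : $sessionImpact;

     // Request context shared by logging and mail. Resolved before any threshold check so the mail
     // branch does not read variables that only exist when the logging branch ran (the thresholds
     // are admin-configurable and need not be ordered).
     $remoteAddr = System::serverGetVar('REMOTE_ADDR');
     $forwardedFor = System::serverGetVar('HTTP_X_FORWARDED_FOR');
     // SECURITY: X-Forwarded-For is attacker-controlled unless a trusted reverse proxy overwrites it,
     // so the recorded address can be spoofed. Only a syntactically valid first hop is accepted so
     // that arbitrary header content cannot be injected into the intrusion log; anything else falls
     // back to REMOTE_ADDR. Trust this header only when such a proxy is in front of the application.
     $ipAddress = $remoteAddr;
     if (is_string($forwardedFor) && $forwardedFor !== '') {
         $hops = explode(',', $forwardedFor);
         $firstHop = trim($hops[0]);
         if (filter_var($firstHop, FILTER_VALIDATE_IP) !== false) {
             $ipAddress = $firstHop;
         }
     }
     $currentPage = System::getCurrentUri();
     $currentUid = UserUtil::getVar('uid');
     if (!$currentUid) {
         // no logged-in user: attribute the request to uid 1 (presumably the guest account)
         $currentUid = 1;
     }

     if ($usedImpact > $impactThresholdOne) {
         // db logging: one IntrusionEntity per affected parameter; several events on the same
         // parameter only add their names to the first entry
         $em = ServiceUtil::get('doctrine.entitymanager');
         $userRef = $em->getReference('ZikulaUsersModule:UserEntity', $currentUid);
         $intrusionItems = array();
         foreach ($result as $event) {
             $eventName = $event->getName();
             // event names have the form "<source>.<parameter>" (e.g. "GET.id"); the parameter part is the tag.
             // A name without a dot would otherwise yield an undefined index, so fall back to the full name.
             $nameParts = explode('.', $eventName, 2);
             $tagVal = isset($nameParts[1]) ? $nameParts[1] : $eventName;
             if (array_key_exists($tagVal, $intrusionItems)) {
                 $intrusionItems[$tagVal]['name'][] = $eventName;
                 continue;
             }
             $filters = array();
             foreach ($event as $filter) {
                 $filters[] = array(
                     'id' => $filter->getId(),
                     'description' => $filter->getDescription(),
                     'impact' => $filter->getImpact(),
                     'tags' => $filter->getTags(),
                     'rule' => $filter->getRule(),
                 );
             }
             $intrusionItems[$tagVal] = array(
                 'name' => array($eventName),
                 'tag' => $tagVal,
                 'value' => $event->getValue(),
                 'page' => $currentPage,
                 'user' => $userRef,
                 'ip' => $ipAddress,
                 // the impact of the whole request is recorded, not that of the single event
                 'impact' => $requestImpact,
                 'filters' => serialize($filters),
                 'date' => new \DateTime('now'),
             );
         }
         // log details to database
         foreach ($intrusionItems as $intrusionItem) {
             $intrusionItem['name'] = implode(', ', $intrusionItem['name']);
             $obj = new IntrusionEntity();
             $obj->merge($intrusionItem);
             $em->persist($obj);
         }
         $em->flush();
     }

     if (System::getVar('idsmail') && $usedImpact > $impactThresholdTwo) {
         // mail admin
         $mailBody = __('The following attack has been detected by PHPIDS') . "\n\n";
         $mailBody .= __f('IP: %s', $ipAddress) . "\n";
         if ($ipAddress !== $remoteAddr) {
             // the logged IP came from X-Forwarded-For; also report the TCP peer so the admin can tell them apart
             $mailBody .= __f('Remote address: %s', $remoteAddr) . "\n";
         }
         $mailBody .= __f('UserID: %s', $currentUid) . "\n";
         $mailBody .= __f('Date: %s', DateUtil::strftime(__('%b %d, %Y'), time())) . "\n";
         if ($idsImpactMode === 1) {
             $mailBody .= __f('Request Impact: %d', $requestImpact) . "\n";
         } else {
             $mailBody .= __f('Session Impact: %d', $sessionImpact) . "\n";
         }
         $mailBody .= __f('Affected tags: %s', join(' ', $result->getTags())) . "\n";
         $attackedParameters = array();
         foreach ($result as $event) {
             // url-encode the payload so the mail stays one readable line per parameter
             $attackedParameters[] = $event->getName() . '=' . urlencode($event->getValue());
         }
         $mailBody .= __f('Affected parameters: %s', implode(', ', $attackedParameters)) . "\n";
         $mailBody .= __f('Request URI: %s', urlencode($currentPage));
         // prepare other mail arguments (sitename/adminmail are admin-configured, not request-controlled)
         $siteName = System::getVar('sitename');
         $adminmail = System::getVar('adminmail');
         $mailTitle = __('Intrusion attempt detected by PHPIDS');
         if (ModUtil::available('ZikulaMailerModule')) {
             $args = array(
                 'fromname' => $siteName,
                 'fromaddress' => $adminmail,
                 'toname' => 'Site Administrator',
                 'toaddress' => $adminmail,
                 'subject' => $mailTitle,
                 'body' => $mailBody,
             );
             ModUtil::apiFunc('ZikulaMailerModule', 'user', 'sendmessage', $args);
         } else {
             $headers = "From: {$siteName} <{$adminmail}>\n" . "X-Priority: 1 (Highest)";
             System::mail($adminmail, $mailTitle, $mailBody, $headers);
         }
     }

     if ($usedImpact > $impactThresholdThree) {
         // block request
         if (System::getVar('idssoftblock')) {
             // "warn only" mode for tuning the ruleset; presumably the caller handles this
             // exception differently from AccessDeniedException so the request still proceeds
             throw new \RuntimeException(__('Malicious request code / a hacking attempt was detected. This request has NOT been blocked!'));
         }
         throw new AccessDeniedException(__('Malicious request code / a hacking attempt was detected. Thus this request has been blocked.'), null, $result);
     }
 }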
예제 #3
파일: IDS.php 프로젝트: gueff/mymvc
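 /**
  * Dispose (remove from the request superglobals) the variables PHPIDS reported as affected.
  *
  * Each event name has the form "<source>.<key>" (e.g. "GET.id"). The key is removed from the
  * matching superglobal ($_GET, $_POST or $_COOKIE) and from $_REQUEST, which holds its own
  * merged copy of those values and would otherwise still expose the tainted value to code that
  * reads it. Events from any other source are not disposable here and are skipped, so the
  * ids.log entries and the MVC_IDS_DISPOSED registry entry only list variables that were
  * actually removed.
  *
  * @param \IDS\Report $oIdsReport
  * @access public
  * @static
  */
 public static function dispose(\IDS\Report $oIdsReport)
 {
     $aDisposed = array();
     foreach ($oIdsReport->getIterator() as $oEvent) {
         // split "<source>.<key>" once; a key may itself contain further dots
         $aParts = explode('.', $oEvent->getName(), 2);
         $sType = isset($aParts[0]) ? $aParts[0] : '';
         $sKey = isset($aParts[1]) ? $aParts[1] : '';
         if ('' === $sType || '' === $sKey) {
             continue;
         }
         $bDisposed = false;
         if ('GET' === $sType && isset($_GET[$sKey])) {
             unset($_GET[$sKey]);
             $bDisposed = true;
         } elseif ('POST' === $sType && isset($_POST[$sKey])) {
             unset($_POST[$sKey]);
             $bDisposed = true;
         } elseif ('COOKIE' === $sType && isset($_COOKIE[$sKey])) {
             unset($_COOKIE[$sKey]);
             $bDisposed = true;
         }
         if (!$bDisposed) {
             // not a source this method can clean, or the value is already gone
             continue;
         }
         // $_REQUEST is a separate merged copy (per request_order); without this, the value
         // just removed from $_GET/$_POST/$_COOKIE would still be readable through $_REQUEST.
         unset($_REQUEST[$sKey]);
         $aDisposed[] = $sType . '[' . $sKey . ']';
         \MVC\Log::WRITE("INFO\tdisposed: " . $sType . '[' . $sKey . ']', 'ids.log');
     }
     if (!empty($aDisposed)) {
         // overwrite the stored request with the cleaned superglobals, once after all removals
         // (assumes saveRequest() snapshots the current state; the original called it per variable)
         Request::getInstance()->saveRequest();
     }
     \MVC\Registry::set('MVC_IDS_DISPOSED', $aDisposed);
 }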
예제 #4
파일: ReportTest.php 프로젝트: steph/PHPIDS
 /**
  * getEvent() returns null for a name the report does not contain.
  */
 public function testGetEventWrong()
 {
     $missing = $this->report->getEvent('not_available');
     $this->assertNull($missing);
 }
예제 #5
 /**
  * Assert the report's impact; the expected value differs when the Suhosin extension is loaded.
  *
  * @param Report $result        report under test
  * @param mixed  $impact        expected impact without Suhosin
  * @param mixed  $suhosinImpact expected impact with Suhosin loaded
  */
 public function assertImpact(Report $result, $impact, $suhosinImpact)
 {
     $expected = extension_loaded('suhosin') ? $suhosinImpact : $impact;
     $this->assertEquals($expected, $result->getImpact());
 }