PHPIDS

[hostingguy]

On the mod security site it says that it works with them to develop rules - does that mean that they are effectively the same thing? or is this some other form of security that is isolated only to php?

[mikeshinn]

On the mod security site it says that it works with them to develop rules - does that mean that they are effectively the same thing? or is this some other form of security that is isolated only to php?

PHPIDS only works with PHP applications, you have to include the libraries in your application. Our rules already include ample PHP intrusion detection capabilities, so you don't need it.

[dayo]

To clarify Mike's statement, which might be misconstrued to mean that PHPIDS only protects against PHP attempts, the applications covers pretty much everything but it is normally triggered by requests to PHP applications. I.E. You upload PHPIDS to your server and then put and include into your php application to call it, or better, into your php ini auto_prepend_file setting. Basically, it is normally triggered by PHP.

The key to this is in 'normally' if you can setup your webserver to trigger it, then it will do the same job as ModSec.

Since the nginx configuration files are like programming scripts out of the box with simple "if" logic and since it can be extended using perl or lua , it is possible to set Nginx up to to trigger PHPIDS and then decide whether to fulfill a request or not based on the outcome.

The guys driving a lot of these scripting work are in China. Some of their stuff from last year (needs updating): http://agentzh.org/misc/slides/nginx-conf-scripting/#58 and http://agentzh.org/misc/slides/recent-d ... x-conf/#12


Would be nice to see ART investigate such and look into producing its rules in the PHPIDS xml or json format.