Performing Intrusion Detection on web services (php)

I’ve written about security in web applications before. Common intrusion detection (and prevention) products fail to properly defend web applications from attacks such as XSS and SQL injection, and I don’t see them getting better at it either. Web application firewalls (WAFs) do a much better job, largely due to their reverse proxy architecture, which allows them to properly decode the application flow.

Another way would of course be to implement the IDS functionality in the web application itself, and this is what PHPIDS does:

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.

Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks - this covers several charsets, entities of all forms, comment obfuscation, obfuscation through concatenation, shell code and many other variants. Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component.

The security of applications is hardly ever thought of in this way. If we are looking at the source, why not patch the vulnerability instead of implementing code to detect attacks against it? Well, we might not discover all vulnerabilities, and this kind of security implementation allows for detecting intent.
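
The "conversion before matching" idea from the PHPIDS description above, as an added PHP example that is not PHPIDS's own code or rule set: each request value is decoded to a canonical form and then checked against detection rules. The rule ids, patterns, impact scores, function names and alert threshold are assumptions made for illustration.

```php
<?php
// Added example, not PHPIDS code: rule ids, patterns and impact scores are assumptions.
const IDS_RULES = [
    ['id' => 'xss-script-tag', 'impact' => 4, 'pattern' => '~<\s*script\b~'],
    ['id' => 'sqli-union',     'impact' => 5, 'pattern' => '~\bunion\s+(?:all\s+)?select\b~'],
    ['id' => 'path-traversal', 'impact' => 4, 'pattern' => '~(?:\.\.[/\\\\]){2,}~'],
];

// Reduce a value to a canonical form so the rules see through common obfuscation.
// Used for detection only; the application keeps working with the raw input.
function ids_normalize(string $value): string
{
    // Decode repeatedly (bounded) to unwrap double URL-encoding and HTML entities.
    for ($i = 0; $i < 5; $i++) {
        $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    $value = preg_replace('~/\*.*?\*/~s', ' ', $value) ?? $value; // SQL comments act as whitespace
    $value = preg_replace('~\s+~', ' ', $value) ?? $value;        // collapse whitespace runs
    return strtolower($value);
}

// Check every request value (nested arrays included) and sum the impact of matching rules.
function ids_inspect(array $request): array
{
    $report = ['impact' => 0, 'hits' => []];
    array_walk_recursive($request, function ($raw, $field) use (&$report) {
        $canonical = ids_normalize((string) $raw);
        foreach (IDS_RULES as $rule) {
            if (preg_match($rule['pattern'], $canonical) === 1) {
                $report['impact'] += $rule['impact'];
                $report['hits'][] = ['field' => (string) $field, 'rule' => $rule['id']];
            }
        }
    });
    return $report;
}

// Constructed sample request; in an application this would be $_GET, $_POST, $_COOKIE.
$sample = [
    'q'    => '%253Cscript%253Ealert(1)%253C/script%253E',        // double URL-encoded
    'id'   => '1 UNION/**/SELECT name FROM users',                // comment in place of a space
    'name' => ['first' => '&#60;ScRiPt&#62;', 'last' => 'Smith'], // entities, mixed case
];
$report = ids_inspect($sample);
if ($report['impact'] >= 5) { // alert threshold is an assumption
    error_log('IDS alert: ' . json_encode($report));
}
```

All three constructed inputs match only after normalization; run against the raw strings, the same rules would miss the encoded and mixed-case values.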


 
 
 
