<?PHP
// $Id: phpids.module,v 1.8.4.2.2.1 2007-10-07 13:59:20 swentel Exp $

/**
 * @file
 *
 * phpids tries to identify attacks (xss, sql-injections ...) and
 * uses an external package called PHPIDS (phpids.org) to scan 
 * incoming and POST & GET variables. It's able to log, redirect 
 * or send out mails to warn the site administrator.
 */

/**
 * Implementation of hook_requirements().
 */
function phpids_requirements($phase) {
  $t = get_t();
  
  $requirements['phpids'] = array(
    'title' => $t('PHPIDS'),  
    'value' => $t('Found'),
  );

  // Test PHPIDS install    
  if (!file_exists(realpath(dirname(__FILE__) . '/IDS/Config/Config.ini'))) {
    $requirements['phpids']['value'] = $t('Not found');
    $requirements['phpids']['description'] = $t('You must dowload the latest <a href="http://www.phpids.org">PHPIDS package</a> and place in the phpids module folder. Warning: the PHP4 version is not supported.');
    $requirements['phpids']['severity'] = REQUIREMENT_ERROR;
  }
  return $requirements;
}

/**
 * Implementation of hook_help().
 * TODO: add more documentation.
 */
function phpids_help($path,$arg) {
  switch ($path) {
    case "admin/help#phpids":
      return '<p>'.  t("Add PHPIDS as a security layer for Drupal."). '</p>';
  }
} 

/**
 * Implementation of hook_menu().
 */
function phpids_menu() {
  $items['admin/settings/logging/phpids'] = array(
    'title' => 'PHPIDS settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('phpids_admin_settings'),
  );
  $items['phpidswarning'] = array(
    'title' => 'PHPIDS warning',
    'page callback' => 'phpids_warning',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK
  );
  return $items;
} 

/**
 * Implementation of hook_boot().
 * @ignore : value depends which action will happen
 *   0 = do nothing
 *   1 = only log
 *   2 = log & actions
 */
function phpids_init() {

  if (file_exists(realpath(dirname(__FILE__) . '/IDS/Config/Config.ini'))) {

    global $user, $base_root;

    // default is logging
    $ignore = 1;
    // anonymous user
    if ($user->uid == 0) {
      $anon = variable_get('phpids_anonymous',2);
      if ($anon == 2) $ignore = 2;
    }
    // authenticated user - always ignore user 1
    if ($user->uid != 0) {
      if ($user->uid == 1) $ignore = 0;
      else {
        $auth = variable_get('phpids_authenticated',2);
        if ($auth == 1) $ignore = 0;
        if ($auth == 3) $ignore = 2;        
      }
    }
        
    // start PHPIDS if ignore is not 0
    if ($ignore != 0) {
 
      $request_uri = $base_root . request_uri();

      // set include path and required the needed files
      $phpids_path = realpath(dirname(__FILE__));
      set_include_path(get_include_path(). PATH_SEPARATOR. $phpids_path);
      require_once 'IDS/Init.php';

      // instanciate the needed stuff
      $init = IDS_Init::init('IDS/Config/Config.ini');
      $request = array_merge($_GET,$_POST);
      $request = new IDS_Monitor($request, $init);
      $report = $request->run();

      // if report is not empty, always log
      // depending on variables, take other actions if impact level matches settings criteria.
      if (!$report->isEmpty()) {
        // default action is log
        $action = 0;

        // level of severity
        $severity = $report->getImpact(); 

        // get variables to see if we need to take more action than only logging
        $mail_level = variable_get('phpids_maillevel',9);
        $mail_sent = variable_get('phpids_mail','');
        $warn_level = variable_get('phpids_warnlevel',27);
        if ($severity >= $mail_level && !empty($mail_sent) && $ignore == 2) $action = 1;
        if ($severity >= $warn_level && $ignore == 2) $action = 2;

        // create detailed report
        $message = 'Total impact: ' . $severity . '<br />';
        $message .= 'All tags: ' . join(", ", $report->getTags()) . '<br />';
        // iterate through the result an get every event (IDS_Event)
        foreach ($report as $event) {
          $message .= '<hr>Variable: '.$event->getName().' | Value: ' . htmlspecialchars($event->getValue()) . '<br />';
          $message .= 'Impact: '.$event->getImpact().' | Tags: ' . join(", ", $event->getTags()) . '<br />'; 
          // iterator throught every filter 
          $message .= '<ul>';
          foreach ($event as $filter) {
            $message .= '<li>Rule: '. $filter->getRule() .'<br />';
            $message .= 'Description: '. $filter->getDescription() .'<br />';
            $message .= 'Tags: ' . join(", ", $filter->getTags()) . '</li>';
          }
	  $message .= '</ul>';
        }

        // log the impact
        //phpids_addevent($user,$message,$severity,$action,$request_uri);
        watchdog('phpids',wordwrap($message,'100',' ',TRUE));

        // send out mail if needed
        // TODO: more info in mail
        if ($action == 1) {
          $body = 'Check your logs to see a full detail of the report.';
          drupal_mail('',$mail_sent,'PHPIDS detected an attack with impact '.$severity,$body);
        }
        // Warning : redirect the user to a warning page so nothing can happen to the system
        if ($action == 2) {
          drupal_goto('phpidswarning');
          exit();
        }
      }
    }
  }
}

/*
 * Callback function to configure PHPIDS
 */
function phpids_admin_settings() {
  // general settings 
  $form['general'] = array(
    '#type' => 'fieldset',
    '#title' => t('General'),
  );
  $form['general']['phpids_maillevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Mail impact'),
    '#default_value' => variable_get('phpids_maillevel',9),
    '#description' => t('Sends out mail when this level of impact is reached.'),
  );
  $form['general']['phpids_mail'] = array(
    '#type' => 'textfield',
    '#title' => t('Email'),
    '#default_value' => variable_get('phpids_mail',''),
    '#description' => t('Leave empty if you don\'t want to send out email. Action field on logs overview will display "log" then.'),
  );
  $form['general']['phpids_warnlevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Warning impact'),
    '#default_value' => variable_get('phpids_warnlevel',27),
    '#description' => t('Redirects to a warning page after this level of impact is reached.'),
  );
  // finetine filter settings
  $form['filters'] = array(
    '#type' => 'fieldset',
    '#title' => t('Ignore filters'),
    '#description' => t('Finetune settings when PHPIDS shouldn\'t take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!'),
  );
  $options_anon = array(1 => t('Log anonymous users without actions'), 2 => t('Log anonymous users and take actions'));
  $form['filters']['phpids_anonymous'] = array(
    '#type' => 'select',
    '#title' => t('Anonymous users'),
    '#description' => t('Choose a setting for anonymous users.'),
    '#default_value' => variable_get('phpids_anonymous',1),
    '#options' => $options_anon,
  );
  $options_auth = array(1 => t('Do not log authenticated users'), 2 => t('Log authenticated users without actions'), 3 => t('Log authenticated users and take actions'));
  $form['filters']['phpids_authenticated'] = array(
    '#type' => 'select',
    '#title' => t('Authenticated users'),
    '#description' => t('Choose a setting for authenticated users.'),
    '#default_value' => variable_get('phpids_authenticated',2),
    '#options' => $options_auth,
  );

  return system_settings_form($form);
}

/**
 * Warning page: display this page if the attack has reached warning level thus
 * making the action of the (anonymous) user completely worthless.
 */
function phpids_warning() {
  $output = t('We have detected malicious input and blocked your attempt.<br />If you keep experiencing problems but feel like you are doing nothing wrong, please contact the site administrator.');
  return $output;
}