'PHPIDS',
'description' => t('Configure phpids levels'),
'page callback' => 'drupal_get_form',
'page arguments' => array('phpids_admin_settings'),
'access arguments' => array('administer site configuration'),
);
$items['phpidswarning'] = array(
'title' => 'PHPIDS warning',
'page callback' => 'phpids_warning',
'access callback' => TRUE,
'type' => MENU_CALLBACK
);
return $items;
}
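/**
 * Implementation of hook_boot().
 *
 * Runs the bundled PHPIDS monitor over the GET and POST data of the current
 * request and, depending on the impact score and the module settings, logs
 * the report, mails the configured address and/or redirects the visitor to
 * the 'phpidswarning' page.
 *
 * How closely a request is watched depends on the current user, see
 * _phpids_monitor_level():
 *   0 = do nothing
 *   1 = only log
 *   2 = log & take actions (mail / redirect)
 */
function phpids_boot() {
  $phpids_path = realpath(dirname(__FILE__));
  // The PHPIDS library is shipped next to this file; without its config
  // there is nothing to run.
  if ($phpids_path === FALSE || !file_exists($phpids_path . '/IDS/Config/Config.ini')) {
    return;
  }
  global $user;

  $level = _phpids_monitor_level($user);
  if ($level == 0) {
    return;
  }

  // Make the bundled library resolvable through the include path.
  set_include_path(get_include_path() . PATH_SEPARATOR . $phpids_path);
  require_once 'IDS/Init.php';

  $init = IDS_Init::init($phpids_path . '/IDS/Config/Config.ini');
  $init->config['General']['tmp_path'] = $phpids_path . '/IDS/tmp';
  $init->config['General']['filter_path'] = $phpids_path . '/IDS/default_filter.xml';
  $init->config['Caching']['caching'] = 'file';
  $init->config['Caching']['path'] = $phpids_path . '/IDS/tmp/default_filter.cache';

  // Only GET and POST parameters are inspected; $_COOKIE and request headers
  // are not part of the monitored input.
  $monitor = new IDS_Monitor(array('GET' => $_GET, 'POST' => $_POST), $init);
  $report = $monitor->run();
  if ($report->isEmpty()) {
    return;
  }

  // Every non-empty report is logged. Mail and redirect additionally require
  // level 2 and the impact reaching the configured threshold; when both
  // thresholds are met the redirect wins and no mail is sent.
  $severity = $report->getImpact();
  $mail_to = variable_get('phpids_mail', '');
  $action = 0;
  if ($level == 2) {
    if ($severity >= variable_get('phpids_maillevel', 9) && !empty($mail_to)) {
      $action = 1;
    }
    if ($severity >= variable_get('phpids_warnlevel', 27)) {
      $action = 2;
    }
  }

  watchdog('phpids', wordwrap(_phpids_report_message($report), 100, ' ', TRUE));

  if ($action == 1) {
    // Was user_preferred_language($account) with $account undefined; the
    // current user is the intended argument.
    // NOTE(review): drupal_mail() and user_preferred_language() are not part
    // of bootstrap.inc; like drupal_goto() below they may not be loaded yet
    // at the hook_boot() stage -- confirm against the bootstrap phase in use.
    drupal_mail('phpids', 'warning', $mail_to, user_preferred_language($user), array('severity' => $severity));
  }
  if ($action == 2) {
    // Send the visitor to the warning page so the request never reaches the
    // rest of the system. Load common.inc and path.inc if bootstrap has not.
    if (!function_exists('drupal_goto')) {
      require_once './includes/common.inc';
      require_once './includes/path.inc';
    }
    drupal_goto('phpidswarning');
  }
}

/**
 * Determine how closely the current request must be watched.
 *
 * @param $account
 *   The user object of the current request.
 * @return
 *   0 = do nothing, 1 = only log, 2 = log & take actions. User 1 is never
 *   monitored; anonymous users are always at least logged. The defaults must
 *   match the ones shown on the settings form.
 */
function _phpids_monitor_level($account) {
  if ($account->uid == 0) {
    return variable_get('phpids_anonymous', 2) == 2 ? 2 : 1;
  }
  if ($account->uid == 1) {
    return 0;
  }
  switch (variable_get('phpids_authenticated', 2)) {
    case 1:
      return 0;
    case 3:
      return 2;
    default:
      return 1;
  }
}

/**
 * Build the detailed, human readable text of a PHPIDS report for the log.
 *
 * Parameter names and values both come from the request, so both are run
 * through htmlspecialchars() before being embedded in the message.
 *
 * @param $report
 *   The IDS_Report returned by IDS_Monitor::run().
 * @return
 *   Multi-line string with the total impact, all tags and one section per
 *   event (IDS_Event) listing the matched filters.
 */
function _phpids_report_message($report) {
  $message = 'Total impact: ' . $report->getImpact() . "\n";
  $message .= 'All tags: ' . join(', ', $report->getTags()) . "\n";
  foreach ($report as $event) {
    $message .= "\nVariable: " . htmlspecialchars($event->getName()) . ' | Value: ' . htmlspecialchars($event->getValue()) . "\n";
    $message .= 'Impact: ' . $event->getImpact() . ' | Tags: ' . join(', ', $event->getTags()) . "\n";
    foreach ($event as $filter) {
      $message .= '- Rule: ' . $filter->getRule() . "\n";
      $message .= 'Description: ' . $filter->getDescription() . "\n";
      $message .= 'Tags: ' . join(', ', $filter->getTags()) . ' ';
    }
    $message .= "\n";
  }
  return $message;
}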
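/**
 * Implementation of hook_mail().
 *
 * Fills in the subject and body of the 'warning' mail sent by phpids_boot().
 *
 * @param $key
 *   The mail key; only 'warning' is sent by this module.
 * @param $message
 *   The message array passed by drupal_mail(); 'body' is a list of
 *   paragraphs that drupal_mail() joins, so lines are appended rather than
 *   assigned as a string.
 * @param $params
 *   'severity': the total impact of the report that triggered the mail.
 *
 * @todo more info in mail
 */
function phpids_mail($key, &$message, $params) {
  // Translate into the language drupal_mail() selected for the recipient.
  $langcode = $message['language']->language;
  $message['subject'] = t('PHPIDS detected an attack with impact !severity', array('!severity' => $params['severity']), $langcode);
  $message['body'][] = t('Check your logs to see a full detail of the report.', array(), $langcode);
}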
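/**
 * Form callback: settings page to configure PHPIDS.
 *
 * The defaults passed to variable_get() here must match the ones used in
 * phpids_boot(), otherwise the form shows a setting that is not the one
 * being enforced until it is saved once.
 *
 * @return
 *   The settings form, wrapped by system_settings_form().
 */
function phpids_admin_settings() {
  $form = array();

  // General settings: thresholds and notification address.
  $form['general'] = array(
    '#type' => 'fieldset',
    '#title' => t('General'),
  );
  $form['general']['phpids_maillevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Mail impact'),
    '#default_value' => variable_get('phpids_maillevel', 9),
    '#description' => t('Sends out mail when this level of impact is reached.'),
    '#element_validate' => array('_phpids_validate_level'),
  );
  $form['general']['phpids_mail'] = array(
    '#type' => 'textfield',
    '#title' => t('Email'),
    '#default_value' => variable_get('phpids_mail', ''),
    '#description' => t("Leave empty if you don't want to send out email"),
    '#element_validate' => array('_phpids_validate_mail'),
  );
  $form['general']['phpids_warnlevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Warning impact'),
    '#default_value' => variable_get('phpids_warnlevel', 27),
    '#description' => t('Redirects to a warning page after this level of impact is reached.'),
    '#element_validate' => array('_phpids_validate_level'),
  );

  // Fine-tune when PHPIDS should not take action.
  $form['filters'] = array(
    '#type' => 'fieldset',
    '#title' => t('Ignore filters'),
    '#description' => t("Finetune settings when PHPIDS shouldn't take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!"),
  );
  $options_anon = array(
    1 => t('Log anonymous users without actions'),
    2 => t('Log anonymous users and take actions'),
  );
  $form['filters']['phpids_anonymous'] = array(
    '#type' => 'select',
    '#title' => t('Anonymous users'),
    '#description' => t('Choose a setting for anonymous users.'),
    // Default 2 matches the fallback used at boot time (was 1 here, which
    // displayed "without actions" while actions were in fact taken).
    '#default_value' => variable_get('phpids_anonymous', 2),
    '#options' => $options_anon,
  );
  $options_auth = array(
    1 => t('Do not log authenticated users'),
    2 => t('Log authenticated users without actions'),
    3 => t('Log authenticated users and take actions'),
  );
  $form['filters']['phpids_authenticated'] = array(
    '#type' => 'select',
    '#title' => t('Authenticated users'),
    '#description' => t('Choose a setting for authenticated users.'),
    '#default_value' => variable_get('phpids_authenticated', 2),
    '#options' => $options_auth,
  );

  return system_settings_form($form);
}

/**
 * Element validator: an impact threshold must be a non-negative whole number.
 *
 * The thresholds are compared numerically against the report impact in
 * phpids_boot(), so free text must be rejected before it is saved.
 */
function _phpids_validate_level($element, &$form_state) {
  $value = trim($element['#value']);
  if ($value === '' || !ctype_digit($value)) {
    form_error($element, t('%name must be a non-negative whole number.', array('%name' => $element['#title'])));
  }
}

/**
 * Element validator: the notification address, when given, must be valid.
 *
 * An empty value is allowed and disables the mail action.
 */
function _phpids_validate_mail($element, &$form_state) {
  $value = trim($element['#value']);
  if ($value !== '' && !valid_email_address($value)) {
    form_error($element, t('%name is not a valid e-mail address.', array('%name' => $element['#title'])));
  }
}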
/**
 * Page callback for the 'phpidswarning' menu item.
 *
 * Shown to a visitor whose request reached the warning impact level; the
 * redirect in phpids_boot() lands here so the original request is never
 * processed.
 *
 * @return
 *   The translated warning text.
 */
function phpids_warning() {
  return t('We have detected malicious input and blocked your attempt.
If you keep experiencing problems but feel like you are doing nothing wrong, please contact the site administrator.');
}