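'PHPIDS',
    'description' => t('Configure phpids levels'),
    'page callback' => 'drupal_get_form',
    'page arguments' => array('phpids_admin_settings'),
    'access arguments' => array('administer site configuration'),
  );
  // Landing page for blocked requests. It only prints a static message, so it
  // is reachable without any permission.
  $items['phpidswarning'] = array(
    'title' => 'PHPIDS warning',
    'page callback' => 'phpids_warning',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK
  );
  return $items;
}

/**
 * Implementation of hook_init().
 *
 * Runs the PHPIDS monitor over the GET and POST data of the current request.
 * A non-empty report is always written to the watchdog log; depending on the
 * visitor and the configured impact thresholds the site mail address is
 * notified and/or the visitor is redirected to the warning page.
 *
 * $ignore : value depends which action will happen
 *   0 = do nothing
 *   1 = only log
 *   2 = log & actions
 *
 * NOTE(review): only $_GET and $_POST are handed to the monitor; cookies and
 * request headers are not inspected by this hook.
 * NOTE(review): if IDS/Config/Config.ini is missing the hook returns without
 * monitoring or logging, i.e. a broken installation fails open and silently.
 * NOTE(review): user 1 and (with setting 1) all authenticated users are never
 * monitored, so a compromised account is outside the scope of this check.
 */
function phpids_init() {
  if (!file_exists(realpath(dirname(__FILE__) . '/IDS/Config/Config.ini'))) {
    return;
  }

  global $user;

  // default is logging
  $ignore = 1;
  if ($user->uid == 0) {
    // anonymous user
    if (variable_get('phpids_anonymous', 2) == 2) {
      $ignore = 2;
    }
  }
  elseif ($user->uid == 1) {
    // authenticated user - always ignore user 1
    $ignore = 0;
  }
  else {
    $auth = variable_get('phpids_authenticated', 2);
    if ($auth == 1) {
      $ignore = 0;
    }
    if ($auth == 3) {
      $ignore = 2;
    }
  }

  // start PHPIDS if ignore is not 0
  if ($ignore == 0) {
    return;
  }

  // set include path and require the needed files
  $phpids_path = realpath(dirname(__FILE__));
  set_include_path(get_include_path() . PATH_SEPARATOR . $phpids_path);
  require_once 'IDS/Init.php';

  // instantiate the needed stuff
  $request = array('GET' => $_GET, 'POST' => $_POST);
  $init = IDS_Init::init($phpids_path . '/IDS/Config/Config.ini');
  // NOTE(review): tmp and cache files live inside the module directory, which
  // therefore has to be writable by the web server - confirm that this
  // directory is not served to visitors.
  $init->config['General']['tmp_path'] = $phpids_path . '/IDS/tmp';
  $init->config['General']['filter_path'] = $phpids_path . '/IDS/default_filter.xml';
  $init->config['Caching']['caching'] = 'file';
  $init->config['Caching']['path'] = $phpids_path . '/IDS/tmp/default_filter.cache';
  $monitor = new IDS_Monitor($request, $init);
  $report = $monitor->run();

  // if report is not empty, always log
  // depending on variables, take other actions if impact level matches settings criteria.
  if ($report->isEmpty()) {
    return;
  }

  // level of severity
  $severity = $report->getImpact();

  // get variables to see if we need to take more action than only logging
  $mail_level = variable_get('phpids_maillevel', 9);
  $mail_sent = variable_get('phpids_mail', '');
  $warn_level = variable_get('phpids_warnlevel', 27);

  // Mail and redirect are decided independently. Previously reaching the
  // warning level replaced the mail action, so the most severe reports were
  // the ones that never produced a notification.
  $take_actions = ($ignore == 2);
  $send_mail = $take_actions && !empty($mail_sent) && $severity >= $mail_level;
  $redirect = $take_actions && $severity >= $warn_level;

  // create detailed report
  $message = 'Total impact: ' . $severity . "\n";
  $message .= 'All tags: ' . join(", ", $report->getTags()) . "\n";

  // iterate through the result and get every event (IDS_Event)
  foreach ($report as $event) {
    // The parameter name is supplied by the client just like its value, and
    // the log entry is shown later in the admin log UI, so both are escaped
    // before they are stored.
    $message .= "\nVariable: " . htmlspecialchars($event->getName()) . ' | Value: ' . htmlspecialchars($event->getValue()) . "\n";
    $message .= 'Impact: ' . $event->getImpact() . ' | Tags: ' . join(", ", $event->getTags()) . "\n";
  }

  // log the impact; logged as a warning so that reports can be filtered from
  // routine notices
  watchdog('phpids', wordwrap($message, 100, ' ', TRUE), array(), WATCHDOG_WARNING);

  // send out mail if needed
  if ($send_mail) {
    // The recipient is a configured address, not a user account, so the site
    // default language is used ($account was never defined in this scope).
    drupal_mail('phpids', 'warning', $mail_sent, language_default(), array('severity' => $severity));
  }

  // Warning : redirect the user to a warning page so nothing can happen to the system
  if ($redirect) {
    // load common.inc and path.inc if necessary
    if (!function_exists('drupal_goto')) {
      require_once './includes/common.inc';
      require_once './includes/path.inc';
    }
    // drupal_goto() honours a 'destination' request parameter; drop it so the
    // flagged request cannot choose where the visitor ends up.
    unset($_REQUEST['destination'], $_GET['destination']);
    drupal_goto('phpidswarning');
  }
}

/**
 * Implementation of hook_mail().
 *
 * Builds the notification that is sent when a report reaches the mail level.
 * The body is a fixed text: no request data is copied into the mail, the
 * details stay in the watchdog log.
 *
 * @param $key
 *   Mail key; only 'warning' is sent by this module.
 * @param $message
 *   Message array, filled in by reference (subject and body).
 * @param $params
 *   Array with the key 'severity' holding the total impact of the report.
 *
 * @todo more info in mail
 */
function phpids_mail($key, &$message, $params) {
  $language = $message['language'];
  // A first subject ('Notification from !site') used an undefined $variables
  // and was overwritten right away; only the effective subject is kept.
  $message['subject'] = t('PHPIDS detected an attack with impact !severity', array('!severity' => $params['severity']), $language->language);
  $message['body'] = t('Check your logs to see a full detail of the report.', array(), $language->language);
}

/**
 * Callback function to configure PHPIDS.
 *
 * Form builder for the settings page: impact thresholds for mail and warning
 * page, the notification address, and the per-role monitoring mode.
 *
 * NOTE(review): the two impact fields are free text and are not validated as
 * numbers here; a non-numeric value changes how the thresholds compare.
 */
function phpids_admin_settings() {
  // general settings
  $form['general'] = array(
    '#type' => 'fieldset',
    '#title' => t('General'),
  );
  $form['general']['phpids_maillevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Mail impact'),
    '#default_value' => variable_get('phpids_maillevel', 9),
    '#description' => t('Sends out mail when this level of impact is reached.'),
  );
  $form['general']['phpids_mail'] = array(
    '#type' => 'textfield',
    '#title' => t('Email'),
    '#default_value' => variable_get('phpids_mail', ''),
    '#description' => t("Leave empty if you don't want to send out email"),
  );
  $form['general']['phpids_warnlevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Warning impact'),
    '#default_value' => variable_get('phpids_warnlevel', 27),
    '#description' => t('Redirects to a warning page after this level of impact is reached.'),
  );

  // fine-tune filter settings
  $form['filters'] = array(
    '#type' => 'fieldset',
    '#title' => t('Ignore filters'),
    '#description' => t("Finetune settings when PHPIDS shouldn't take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!"),
  );
  $options_anon = array(
    1 => t('Log anonymous users without actions'),
    2 => t('Log anonymous users and take actions'),
  );
  $form['filters']['phpids_anonymous'] = array(
    '#type' => 'select',
    '#title' => t('Anonymous users'),
    '#description' => t('Choose a setting for anonymous users.'),
    // Same fallback as phpids_init() (2), so an unsaved form shows the mode
    // that is actually enforced instead of the weaker "log only" one.
    '#default_value' => variable_get('phpids_anonymous', 2),
    '#options' => $options_anon,
  );
  $options_auth = array(
    1 => t('Do not log authenticated users'),
    2 => t('Log authenticated users without actions'),
    3 => t('Log authenticated users and take actions'),
  );
  $form['filters']['phpids_authenticated'] = array(
    '#type' => 'select',
    '#title' => t('Authenticated users'),
    '#description' => t('Choose a setting for authenticated users.'),
    '#default_value' => variable_get('phpids_authenticated', 2),
    '#options' => $options_auth,
  );

  return system_settings_form($form);
}

/**
 * Warning page: display this page if the attack has reached warning level thus
 * making the action of the (anonymous) user completely worthless.
 *
 * The text is static; nothing from the blocked request is echoed back.
 *
 * @return
 *   The translated warning message.
 */
function phpids_warning() {
  $output = t("We have detected malicious input and blocked your attempt.\nIf you keep experiencing problems but feel like you are doing nothing wrong, please contact the site administrator.");
  return $output;
}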