Posted by nschloe on August 18, 2009 at 2:27pm
| Project: | PHPIDS |
| Version: | 6.x-1.8 |
| Component: | Miscellaneous |
| Category: | feature request |
| Priority: | normal |
| Assigned: | IT-Cru |
| Status: | closed (fixed) |
Issue Summary
Hi,
I'm using PHPIDS since a day, and it works great. All the dumb stuff that bots usually insert into my forums or comment forms is now filtered before Mollom or CAPTCHA actually needs to deal with it.
Now, the one little thing is that my logs are flooded with phpids entries, naturally. That kind of obfuscates the really important information to me, so I'd love to have a function that says "log as soon as total impact is...", to drop the usual kind of botting and capture the real intrusion attempts.
What do you think?
Cheers,
Nico
Comments
#1
Hello Nico,
please try out the current dev-snapshot and take a look at the following issue #489134: JSON option on false positives. I think many of your log entries are coming from html and/or json false positives.
In the dev-snapshot you have two more input-fields in PHPIDS-settings to configure your html/json included fields/variables.
Please give feedback if it helps.
Greetz Gos77
#2
Alright, I tried the dev version now; and well, it doesn't really reduce the number of log entries here, but that may actually be correct. A lot of the items look like
Total impact: 5
All tags: id, rfe, xss
Variable: q | Value: system/files/bibtex-natbib-400x109.png
Impact: 5 | Tags: id, rfe, xss
* Rule: (?:\\x[01FE]\w)|(?:%[01FE]\w)|(?:&#[01FE]\w)|(?:\\[01FE][0-9a-f])|(?:[01FE]\w)
Description: Detects nullbytes and HTTP response splitting
Tags: id, rfe, xss
so you can't really tell what's going on, but there are also many like
Total impact: 9
All tags: xss, csrf
Variable: body | Value: the johns hopkins health system http://pharm acyrxworld.info/item.php?id=5566 underwood breast <a href=http://legalrxdrugstore.com/item/general_health/sinemet.html>sinemet</a> free medical career assesstment and aptitude test
Impact: 9 | Tags: xss, csrf
-- obvious crawlers that is. That makes me think they're also responsible for hits like the one above.
I'm just getting so many of them that I can't really see anything else in the logs anymore by default, but I was thinking that hey, I could actually just filter the logs maybe. Anyway, it seems a bit overkill to log each and every one of those crawls.
PS. In the dev version, you might wanna think about naming the version "dev" instead of "1.8" in the info file.
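As an added example (not code from the PHPIDS module or from anyone in this thread), a small Python filter that parses the log entry format quoted above and keeps only entries at or above a "total impact" threshold, which is the after-the-fact version of the feature requested here; the log text is constructed to mimic the entries shown, including the joined "Total impact: 9All tags" line.

```python
import re

# Constructed sample in the format PHPIDS writes (values made up; the second
# entry reproduces the "Total impact: 9All tags" line-join seen in the thread).
SAMPLE_LOG = r"""Total impact: 5
All tags: id, rfe, xss
Variable: q | Value: system/files/example-image.png
Impact: 5 | Tags: id, rfe, xss
* Rule: (?:%[01FE]\w)
Description: Detects nullbytes and HTTP response splitting
Tags: id, rfe, xss
Total impact: 9All tags: xss, csrf
Variable: body | Value: pills http://example.invalid/item.php?id=1
Impact: 9 | Tags: xss, csrf
Total impact: 27
All tags: xss, csrf, id, rfe
Variable: name | Value: <script>void(0)</script>
Impact: 27 | Tags: xss, csrf, id, rfe
"""

ENTRY_START = re.compile(r"^Total impact:\s*(\d+)", re.M)

def parse_entries(text):
    """Split a PHPIDS log dump into one dict per entry."""
    entries = []
    starts = list(ENTRY_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.end():end]
        # "All tags" is not anchored to line start so a joined line still parses.
        tm = re.search(r"All tags:\s*(.*)$", block, re.M)
        tags = [t.strip() for t in tm.group(1).split(",")] if tm else []
        variables, pending = [], None
        for line in block.splitlines():
            vm = re.match(r"Variable:\s*(\S+)\s*\|\s*Value:\s*(.*)$", line)
            if vm:
                pending = (vm.group(1), vm.group(2).strip())
                continue
            im = re.match(r"Impact:\s*(\d+)\s*\|", line)
            if im and pending:  # the per-variable impact follows its Value line
                variables.append(pending + (int(im.group(1)),))
                pending = None
        entries.append({
            "total_impact": int(m.group(1)),
            "tags": tags,
            "variables": variables,
            "descriptions": re.findall(r"^Description:\s*(.*)$", block, re.M),
        })
    return entries

def filter_by_impact(text, threshold):
    """Keep entries whose total impact is >= threshold, i.e. the 'log as soon
    as total impact is ...' behaviour asked for in this thread."""
    return [e for e in parse_entries(text) if e["total_impact"] >= threshold]
```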
#3
Need feedback... otherwise the issue will be closed in 2 weeks.
#4
Err, alright? What else do you need to know, besides what I wrote in comment #2?
#5
Hello,
we had the same problem some days ago on a site. It was a spam bot, always with the same IP address. I've blocked its IP address (Administer -> User Management -> Access Rules) within the Drupal settings and informed the owner of the server that he possibly has a spam bot running on it.
I think your phpids is running correctly.
I hope this could help you a little bit.
Automated blocking is a possible feature for the future of phpids module.
Greetz Gos77
#6
Closed because of no more activity.