PHP based Web Application IDS / IPS

PHP based Web Application IDS / IPS Today I’ve seen a very interesting tool which can be deployed directly into your PHP code and acts as an input filtering module protecting the application form user supplied malicious input: PHPIDS In fact it can be considered an inline PHP IDS /IPS.

The detection system is pretty simple and based on a set of various upgradeable regular expressions that will be cross-checked against any variable passed to the systems main class, named IDS_Monitor. In addition we provide an easy extendable logging mechanism that allows storing detected results in files, sending them via email and things like that.

You could say that there are many other implementation of this idea ranging from the open source mod_security to commercial Web Application Firewalls. I must say that I would be worried of the performance impact of this filtering engine since each invocation implies heavy regex server processing.

You can read more about this nifty tool on the author’s blog


Thank you for reading this post. You can now Read Comments (5) or Leave A Trackback. Print This Post Print This Post

5 Responses to “PHP based Web Application IDS / IPS

  • 1
    May 3rd, 2007 00:42


    Actually mod_security is not directly comparable to our project and even has a couple of disadvantages. I’m going to point that out on a separate blog posting today or somewhen during the next days.

    Concerning your performance concern:
    Not only the PHP IDS is based on regular expressions but so is mod_security. As you might know, the latter is an Apache modul which means that it needs to be loaded on every single request again and additionally make the same cross-checking.

    Moreover the PHP function preg_match() usually is pretty fast. Fetching the rules can be done in various ways, not only by parsing an XML file with SimpleXML like we did it in our first example code (which is very fast too by the way). You can simple pass an array to the monitor class as well.

    If you have any further questions or suggestions, just drop a message 😉

  • 2
    Dragos Lungu
    May 3rd, 2007 01:10

    Hi christ1an,

    Thanks for stopping by. I will definitely test your code . I wil post the test results and give you a ping 😎

  • 3
    May 3rd, 2007 01:36


    We are using the current version of the PHP IDS for testing purposes on a pretty high-trafficked platform and the performance isn’t really an issue – btw. i am currently building up a testsite where you can stress-test the IDS.

    i guess christ1an will keep you informed via his blog ’bout the release of the demo and the URL.


  • 4
    PHP based Intrusion Detection System at Oliver Thylmann’s Thoughts
    May 4th, 2007 10:06

    […] coming-out, there has been some international coverage already and this is just the start. Obviously this creates an […]

  • 5
    Second PHP IDS in 3 months released by CoreLabs | Dragos Lungu Dot Com
    August 22nd, 2007 14:38

    […] the first PHP IDS / IPS security tool was released just a couple of months ago. Slowly but steady the protection is moving […]

Subscribe without commenting

Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.

CommentLuv badge