Nov 02 2008

Logging intrusions with PHP-IDS

If you’ve been tinkering with PHP-IDS and want to log your intrusions, you’ve probably been looking at PHP-IDS’s logging features. Today I will show you how to log your intrusions to MySQL using PHP-IDS’s built-in logging features.

Using the database to log your intrusions allows you to easily run statistical analysis on your intrusions (and who doesn’t like stats?).

First of all you need to set up your intrusion table. The SQL for this is buried in one of the source files (I believe database.php) and looks like this:

CREATE TABLE intrusions (
  `id` int(11) unsigned NOT NULL auto_increment,
  `name` varchar(128) NOT NULL,
  `value` text NOT NULL,
  `page` varchar(255) NOT NULL,
  `ip` varchar(15) NOT NULL,
  `impact` int(11) unsigned NOT NULL,
  `created` datetime NOT NULL,
  PRIMARY KEY  (id)
) ENGINE=MyISAM;

After you’ve created the table you need to edit your ‘IDS/Config/Config.ini’ file. Edit the following lines so they match your configuration:

    wrapper  = "mysql:host=localhost;port=3306;dbname=YOURDB"
    user     = DATABASE_USER
    password = DATABASE_PASS
    table    = intrusions

After you’ve finished the configuration you can add the MySQL logger to your PHP-IDS setup like this:

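// Load the PHP-IDS classes; assumes the PHP-IDS lib directory is on the include_path
require_once 'IDS/Init.php';
require_once 'IDS/Log/Composite.php';
require_once 'IDS/Log/Database.php';

// Collect the request data that PHP-IDS should inspect
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE
);

// Load the configuration edited above and run the monitor
$init = IDS_Init::init('/path/to/Config.ini');
$ids = new IDS_Monitor($request, $init);

$result = $ids->run();

// Only write to the database when at least one filter rule matched
if (!$result->isEmpty()) {
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_Database::getInstance($init));
    $compositeLog->execute($result);
}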

Et voilà! You have MySQL logging for PHP-IDS.

Note that PHP-IDS needs PHP5 to work, and the MySQL logging features depend on PDO with the PDO driver for your specific database.
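Once rows are accumulating, the statistical analysis mentioned at the top comes down to a few queries. The following is an added example, not part of the original post or of PHP-IDS; it assumes the `intrusions` table exactly as defined above on MySQL, and the time windows, LIMIT values and index names are arbitrary choices.

```sql
-- Reporting queries over the `intrusions` table defined above.
-- Time windows, LIMITs and index names are illustrative assumptions.

-- 1. Noisiest sources in the last 7 days: how many logged rows each IP
--    produced, the highest impact seen, and when it first/last appeared.
SELECT ip,
       COUNT(*)     AS hits,
       MAX(impact)  AS max_impact,
       MIN(created) AS first_seen,
       MAX(created) AS last_seen
FROM intrusions
WHERE created >= NOW() - INTERVAL 7 DAY
GROUP BY ip
ORDER BY max_impact DESC, hits DESC
LIMIT 20;

-- 2. Daily trend for the last 30 days, to spot spikes in volume or severity.
SELECT DATE(created)         AS log_day,
       COUNT(*)              AS hits,
       COUNT(DISTINCT ip)    AS sources,
       ROUND(AVG(impact), 1) AS avg_impact
FROM intrusions
WHERE created >= NOW() - INTERVAL 30 DAY
GROUP BY DATE(created)
ORDER BY log_day;

-- 3. Pages and parameters that get flagged most often. Persistent entries
--    here are either a favourite target or a false-positive candidate.
SELECT page,
       name,
       COUNT(*)    AS hits,
       MAX(impact) AS max_impact
FROM intrusions
GROUP BY page, name
ORDER BY hits DESC
LIMIT 20;

-- The queries above filter on `created` and group on `ip`; the original
-- table only indexes `id`, so add indexes before the table grows large.
ALTER TABLE intrusions
  ADD INDEX idx_created (created),
  ADD INDEX idx_ip (ip);
```

The `value` column holds the request data that triggered a filter, so treat it as untrusted input and escape it before rendering it in any HTML report or admin page.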

Written by Robert van der Linde in: code
