Today, we at epublica have officially released my work of the last months – a Perl port of PHPIDS, a tool for detecting Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), Local File Inclusion (LFI) and similar attacks in website requests.
The tool is released as the Perl module CGI::IDS (“PerlIDS”) on CPAN.org under the open-source “Lesser GNU Public License” (LGPL).
The intrusion detection is based on a set of converters that transform the request according to common techniques used to hide attacks. The converted strings are then checked for attacks by a filter set of currently 68 regular expressions and by a generic attack detector that finds obfuscated attacks. To keep the filter set up to date easily, PerlIDS is compatible with the original XML filter set of PHPIDS, which is updated frequently.
Each matching regular expression has its own impact value that increases the tested string’s total attack impact.
Using these total impacts, the calling application can define a threshold above which suspicious requests are logged to a database and warnings are sent out via e-mail or even SMS for high impacts that indicate critical attack activity. Impacts can also be summed per IP address, session or user to identify attackers who probe the website with small-impact attacks over time.
During development we made some speed improvements to PerlIDS and PHPIDS for use on very large websites. With our experience of running it on websites with heavy user traffic, we were able to help improve the converters and the filter mechanism and so reduce the rate of false alarms.
To reduce server load considerably, we introduced a whitelist mechanism: request parameters whose values match the whitelist rules are not checked with the expensive regular expressions at all.
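As an added illustration (not code from CGI::IDS or PHPIDS), the following Python model shows the mechanism described above: a few converters, a constructed mini filter set with impact values, a parameter whitelist that bypasses the filters, and a per-client impact tally checked against a threshold. The filter rules, whitelist rule and sample requests are constructed for this example only.

```python
import html
import re
import urllib.parse
from collections import defaultdict

# Converters: each undoes one common obfuscation technique. Every variant
# is filtered, so an attack hidden behind URL or HTML encoding still matches.
def converters(value):
    url_decoded = urllib.parse.unquote_plus(value)
    return {value, url_decoded, html.unescape(url_decoded)}

# Constructed mini filter set in the spirit of the PHPIDS rules:
# (compiled regex, impact, description). The real set has many more rules.
FILTERS = [
    (re.compile(r"<\s*script", re.I), 4, "script tag"),
    (re.compile(r"\bon\w+\s*=", re.I), 4, "HTML event handler"),
    (re.compile(r"[\"']\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I), 5, "SQL tautology"),
    (re.compile(r"(?:\.\./){2,}"), 3, "directory traversal"),
]

# Whitelist (constructed): parameters whose value matches the rule skip the filters.
WHITELIST = {"comment": re.compile(r"^[\w\s.,!?]{0,500}$")}

def score_request(params):
    """Return (total impact, [(parameter, rule description), ...])."""
    total, hits = 0, []
    for key, value in params.items():
        rule = WHITELIST.get(key)
        if rule and rule.match(value):
            continue                      # cheap check, no regex filters run
        matched = set()                   # each filter counts once per parameter
        for variant in converters(value):
            for idx, (regex, _, _) in enumerate(FILTERS):
                if regex.search(variant):
                    matched.add(idx)
        for idx in sorted(matched):
            total += FILTERS[idx][1]
            hits.append((key, FILTERS[idx][2]))
    return total, hits

class ImpactTracker:
    """Sum impacts per client so slow, low-impact probing is still noticed."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.totals = defaultdict(int)

    def record(self, client, impact):
        self.totals[client] += impact
        return self.totals[client] >= self.threshold   # True means: alert
```

A harmless comment passes the whitelist at zero cost, while URL-encoded XSS, traversal and SQL probes from one client add up until the tracker's threshold is crossed.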
We’d love to receive your feedback on the module!