PHP-IDS with Xajax

lvwr

Jun 26, 2008, 11:02:44 AM6/26/08
to php...@googlegroups.com
Hello Everyone,

Has anyone here ever used PHP-IDS with xajax? What kind of problems
did you get?

I know that some data generated by xajax, such as special chars like
? or : passed inside a CDATA field, is captured and reported as a
false positive by PHP-IDS. But I'm not even sure whether it is possible
to fix it, considering that CDATA itself might constitute an attack.

Did you guys have any other kind of problem? Has anyone ever seen the
problem mentioned or dealt with a similar situation?

Thanks a lot!

--

lvwr
blog.livewire.com.br

Mario Heiderich

Jun 26, 2008, 11:04:21 AM6/26/08
to php...@googlegroups.com
Hi,

we haven't used it with Xajax yet - can you provide me with some example data that triggers false alerts?

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Jun 30, 2008, 12:43:50 PM6/30/08
to php...@googlegroups.com
Hello,

Sorry for taking so long to answer.

Here are some samples of data generated with xajax that trigger the
false alerts. This data was retrieved from the Firebug console:

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[:??]]>
xjxfun validate
xjxr 1214843893862

*

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[;]]>
xjxfun validate
xjxr 1214844022237

*

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[}]]>
xjxfun validate
xjxr 1214844066904

*

And below are some samples that did not trigger the false positive. As
you can see, the problem seems to be with the CDATA attached by
xajax.

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] a
xjxfun validate
xjxr 1214844169740

*

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] b
xjxfun validate
xjxr 1214844190517

*

xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] bc
xjxfun validate
xjxr 1214844208692

*

Thank you.


--

lvwr
blog.livewire.com.br

Mario Heiderich

Jun 30, 2008, 12:46:01 PM6/30/08
to php...@googlegroups.com
is it a GET request with all params concatenated?
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Jun 30, 2008, 1:06:31 PM6/30/08
to php...@googlegroups.com
It's a POST.

--

lvwr
blog.livewire.com.br

Mario Heiderich

Jun 30, 2008, 3:36:38 PM6/30/08
to php...@googlegroups.com
Ok, I will take care of this asap and ping you as soon as I have fixed the false alerts.

Greetings and thanks for pointing it out,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

Mario Heiderich

Jul 1, 2008, 5:11:39 AM7/1/08
to php...@googlegroups.com
Hi,

I just committed a new version of the converter into the trunk - which won't trigger false alerts when dealing with <![CDATA[:??]]> - please tell me if that fixes your problem.

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Jul 8, 2008, 1:42:20 PM7/8/08
to php...@googlegroups.com
Hey Mario,

Thank you for the version. I've been travelling so I couldn't test it
until now. I'll let you know asap whether it is okay.

Thank you again.

--

lvwr
blog.livewire.com.br

lvwr

Jul 25, 2008, 3:12:15 AM7/25/08
to php...@googlegroups.com
Hello Mario,

I've been trying to apply the changes you've made so that the false
alert is not triggered when dealing with CDATA...

I looked through the svn, into the file Converter.php. I copied the
method convertFromProprietaryEncodings, which I guess was the one you
added to deal with the CDATA problem (at least, it was explicit in the
method). I've included it in my Convert class, and thought that
hopefully it would be called by runAll during use...

Did I do it correctly?

If yes, it seems that it did not fix my problem, since I'm still getting
the false alert when posting such data. Here is an example I've
just tried out:

xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>ab</v></e><e><k>ip</k><v>10.2.2.22</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>
xjxfun submitForm
xjxr 1216969673959

Thank you for the help.
João.

Mario Heiderich

Jul 28, 2008, 9:45:17 AM7/28/08
to php...@googlegroups.com
Hi,

yep - you did everything right :) The regex wasn't matching the <![CDATA[&]]> - but the current revision in the trunk does.

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ
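The converter step discussed in this thread, as an added example written for this page rather than code taken from PHP-IDS or xajax: it strips xajax's <![CDATA[...]]> wrapper from each xjxargs[] value before any detection rule runs, but keeps the wrapped text so that a payload hidden inside CDATA is still inspected, which is the concern raised at the top of the thread. The toy rule set, the helper names (unwrapXajaxCdata, scanValue, scanXajaxPost) and the sample requests are all constructed for this example and are not PHP-IDS's real filters or API; PHP 7.4 or later is assumed.

```php
<?php
// Added example (not PHP-IDS or xajax code): normalise xajax's CDATA
// wrapping before running detection rules, without hiding the payload.

// Toy rule set constructed for this example. PHP-IDS ships a far larger
// filter set; the point here is only the order of operations.
const TOY_RULES = [
    'xml_cdata'  => '/<!\[CDATA\[|\]\]>/i',   // fires on the raw wrapper
    'script_tag' => '/<\s*script\b/i',
    'js_scheme'  => '/javascript\s*:/i',
];

// Replace every <![CDATA[...]]> section with its inner text. The pattern is
// applied over the whole string, so CDATA nested inside xajax's <xjxobj>
// envelope (<v><![CDATA[&]]></v>) is unwrapped as well. The inner text is
// returned untouched: that is what lets the rules still see an attack that
// was sent wrapped in CDATA.
function unwrapXajaxCdata(string $value): string
{
    return preg_replace_callback(
        '/<!\[CDATA\[(.*?)\]\]>/s',
        static fn(array $m): string => $m[1],
        $value
    );
}

// Run the toy rules over one value and return the names of the rules that hit.
function scanValue(string $value): array
{
    $hits = [];
    foreach (TOY_RULES as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan an xajax POST as PHP presents it in $_POST. Each xjxargs[] entry is
// normalised first; the returned array maps offending parameters to rule hits.
function scanXajaxPost(array $post): array
{
    $report = [];
    foreach ((array) ($post['xjxargs'] ?? []) as $i => $arg) {
        $hits = scanValue(unwrapXajaxCdata((string) $arg));
        if ($hits !== []) {
            $report["xjxargs[$i]"] = $hits;
        }
    }
    return $report;
}

// Constructed sample requests modelled on the ones posted in the thread.
$benign = [
    'xjxargs' => ['error', 'common', 'hostname', 'hostname_edit', '<![CDATA[:??]]>'],
    'xjxfun'  => 'validate',
];
$objectForm = [
    'xjxargs' => ['<xjxobj><e><k>hostname</k><v>ab</v></e>'
                . '<e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>'],
    'xjxfun'  => 'submitForm',
];
$wrappedAttack = [
    'xjxargs' => ['<![CDATA[<script>alert(1)</script>]]>'],
    'xjxfun'  => 'validate',
];

// Without normalisation the benign request trips the xml_cdata rule;
// with it, only the wrapped attack is reported.
var_dump(scanValue($benign['xjxargs'][4]));
var_dump(scanXajaxPost($benign));
var_dump(scanXajaxPost($objectForm));
var_dump(scanXajaxPost($wrappedAttack));
```

The design choice worth noting is that the wrapper alone is removed, never the wrapped content: the unwrapped <script> payload in the last request still matches, so the normalisation does not become an evasion channel. The toy rules say nothing about how PHP-IDS's real filters treat the <xjxobj> envelope itself; for that, the convertFromProprietaryEncodings method in the project's Converter.php, which Mario updated in the trunk, is the reference.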