"An IDS system should not be relied upon for sole protection in your environment! It should only be used in the first level of threat identification. Please read up on Defense in Depth for more information on a layered security approach" (from https://github.com/enygma/expose ).
"Here's a quick list (of features):
- A queue system that lets you do offline processing (store on request, cron to check or something similar)
- Notifications of results (just email right now)
- Setting thresholds for notifications
Since it was based on the PHPIDS system, it also has features in common with it:
- Setting exceptions
- Setting restrictions ("only look at...")
- Uses the same filter definitions
I tried to make it so that anyone that's used PHPIDS will feel pretty at home using Expose."
Exposé isn't bundled with Tiki as an external library by default. Instead, it can be installed "on demand" via the Packages feature.
Please follow the standard instructions for package installation. Note: in some edge cases, there may be a problem with the package installation GUI. For example, currently (pre-Tiki 17 release) on a Windows WAMP localhost server, an error is shown reporting that Composer can't be found. In this case, Exposé can be fetched and installed successfully from the command line:
php temp/composer.phar require enygma/expose
After the Exposé package is installed, go to the Site Access tab on the Security Admin page (tiki-admin.php?page=security#content_admin1-4).
When the feature is activated, relevant options are displayed.
Exposé uses the PHPIDS project's ruleset for detecting potential threats. This can be extended with custom rules. The default location and name of the custom rules file is temp/ids_custom_rules.json.
The IDS operation mode needs to be defined, and there are two choices here: Log only and Log and block requests. Log and block requests will block an intrusion whose impact is over a given threshold. "As the impact scores in Expose are numeric (0 through whatever, depending on the rules matched) you can easily set a threshold to prevent low-level, annoying notifications being delivered" (https://expose.readthedocs.io/en/latest/).
The IDS threshold is a numerical value that applies in the "Log and block requests" mode. "Some applications know for a fact that they’ll always be getting a certain amount of traffic that’s in the 1-2 impact score range. Getting notifications for every one of these requests would get annoying pretty quickly, so you can set your threshold a bit higher." Setting the threshold to 8 means that Expose will only send notifications when the score is greater than or equal to 8. There’s no concept of “high”, “medium” or “low” in Expose as the meanings of these terms vary greatly by environment and application. "NOTE: Currently notifications are the only thing that setting a threshold changes. Logging and other processing is unchanged" (ibid).
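To make the scoring and threshold behaviour described above concrete, here is an added, self-contained model of it in Python. It is not Expose's or Tiki's own code and it does not use the PHPIDS ruleset: the regex rules, the request data and the JSON custom-rule format are all constructed for this illustration (Tiki's temp/ids_custom_rules.json format is not shown on this page and is not reproduced here). What it shows is the part that matters for tuning: impact is a plain numeric sum over every matched rule in every request field, logging happens regardless of the threshold, and the threshold only decides whether a request is reported and, in "Log and block requests" mode, whether it is blocked (the >= comparison for blocking mirrors the stated notification rule and is an assumption).

```python
import json
import re
from dataclasses import dataclass, field

# Constructed rules in the style of PHPIDS/Expose filters: a regex, tags and a
# numeric impact. Illustrative only; NOT the ruleset Expose ships.
BASE_RULES = [
    {"id": 1, "rule": r"<script\b", "tags": ["xss"], "impact": 4},
    {"id": 2, "rule": r"(?i)\bon\w+\s*=", "tags": ["xss"], "impact": 3},
    {"id": 3, "rule": r"(?i)\bunion\b.+\bselect\b", "tags": ["sqli"], "impact": 5},
    {"id": 4, "rule": r"\.\./", "tags": ["dt"], "impact": 2},
]

# Assumed shape for a custom-rules file: a JSON list with the same keys as above.
# This is a constructed format for the example, not Tiki's actual file layout.
CUSTOM_RULES_JSON = """
[
  {"id": 100, "rule": "(?i)\\\\bsleep\\\\s*\\\\(", "tags": ["sqli"], "impact": 4}
]
"""


def load_custom_rules(text: str) -> list:
    """Parse custom rules; refuse entries missing a regex or a numeric impact."""
    rules = []
    for entry in json.loads(text):
        if "rule" not in entry or not isinstance(entry.get("impact"), int):
            raise ValueError(f"malformed rule: {entry!r}")
        re.compile(entry["rule"])  # fail early on a bad pattern
        rules.append(entry)
    return rules


@dataclass
class Report:
    impact: int = 0
    matches: list = field(default_factory=list)  # (field path, rule id)


def flatten(data, prefix=""):
    """Walk nested request data (GET/POST/COOKIE arrays) down to scalar values."""
    if isinstance(data, dict):
        for key, value in data.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else str(key))
    else:
        yield prefix, str(data)


def scan(data, rules=None) -> Report:
    """Sum the impact of every rule that matches any field of the request."""
    report = Report()
    for path, value in flatten(data):
        for rule in rules or BASE_RULES:
            if re.search(rule["rule"], value):
                report.impact += rule["impact"]
                report.matches.append((path, rule["id"]))
    return report


def decide(report: Report, mode: str, threshold: int) -> dict:
    """mode is 'log' or 'log_and_block'. The threshold never suppresses logging."""
    over = report.impact >= threshold
    return {
        "log": report.impact > 0,
        "notify": over,
        "block": mode == "log_and_block" and over,
    }


# Constructed sample requests: one low-impact, one that accumulates several hits.
LOW_REQUEST = {"POST": {"name": "alice", "comment": "<script>alert(1)</script>"}}
HIGH_REQUEST = {
    "POST": {"comment": "<img src=x onerror=alert(1)>"},
    "GET": {"q": "1 UNION SELECT name FROM users", "file": "../../etc/passwd"},
}

if __name__ == "__main__":
    rules = BASE_RULES + load_custom_rules(CUSTOM_RULES_JSON)
    for label, req in (("low", LOW_REQUEST), ("high", HIGH_REQUEST)):
        rep = scan(req, rules)
        print(label, rep.impact, rep.matches, decide(rep, "log_and_block", 8))
```

With the threshold at 8, the first request scores 4 (one XSS rule) and is only logged, while the second accumulates 3 + 5 + 2 = 10 across three fields and is reported and, in "Log and block requests" mode, blocked. This is why the upstream text recommends picking the threshold from your own traffic's typical impact range rather than from a generic "high/medium/low" scale.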
Events are logged to a file whose default name is "ids.log".