Intrusion Detection System

An intrusion detection system (IDS) is a software application that monitors a network or systems for malicious activity or policy violations. An IDS as such does not aim to prevent malicious actions; it monitors and logs every event and, where a rule has been defined, takes a predefined action. As of Tiki 18, Exposé is available as a package to provide website threat identification for Tiki.

Introduction

"An IDS system should not be relied upon for sole protection in your environment! It should only be used in the first level of threat identification. Please read up on Defense in Depth for more information on a layered security approach" (from https://github.com/enygma/expose ).

"Here's a quick list (of features):

  • A queue system that lets you do offline processing (store on request, cron to check or something similar)
  • Notifications of results (just email right now)
  • Setting thresholds for notifications

Since it was based on the PHPIDS system, it also has features in common with it:

  • Setting exceptions
  • Setting restrictions ("only look at...")
  • Uses the same filter definitions

I tried to make it so that anyone that's used PHPIDS will feel pretty at home using Expose."

Installation

Exposé isn't bundled with Tiki as an external library by default. Instead, it can be installed "on demand" via the Packages feature.


Please follow the standard instructions for package installation. Note: in some edge cases there may be a problem with the package installation GUI. For example, currently (pre-Tiki 17 release) on a Windows WAMP localhost server, an error is raised saying that Composer can't be found. In this case, Exposé can still be fetched and installed from the command line, run from the Tiki root directory:

php temp/composer.phar require enygma/expose

Configuration and use

After the Exposé package is installed, go to the Site Access tab on the Security Admin page (tiki-admin.php?page=security#content_admin1-4).


When the feature is activated, relevant options are displayed.


Custom rules file

Exposé uses the PHPIDS project's ruleset for detecting potential threats. This can be extended with custom rules. The default location and name of the custom rules file is temp/ids_custom_rules.json.


Intrusion detection system mode

The IDS operation mode must be chosen; there are two options: Log only and Log and block requests. Log and block requests blocks any request whose impact score exceeds the configured threshold (see the next setting); Log only records the event and lets the request through. "As the impact scores in Expose are numeric (0 through whatever, depending on the rules matched) you can easily set a threshold to prevent low-level, annoying notifications being delivered" (https://expose.readthedocs.io/en/latest/).

Intrusion detection system threshold

This defines the IDS threshold as a numerical value, used when the "Log and block requests" mode is selected. "Some applications know for a fact that they’ll always be getting a certain amount of traffic that’s in the 1-2 impact score range. Getting notifications for every one of these requests would get annoying pretty quickly, so you can set your threshold a bit higher." Setting the threshold to 8 means that Expose will only send notifications when the score is greater than or equal to 8. There’s no concept of “high”, “medium” or “low” in Expose as the meanings of these terms vary greatly by environment and application. "NOTE: Currently notifications are the only thing that setting a threshold changes. Logging and other processing is unchanged" (ibid). That note refers to the Expose library's own notification feature; in Tiki the same threshold is the value that the "Log and block requests" mode compares each request's impact score against, and requests that stay below it are still logged.

Log to file

Events are logged to a file; the default file name is "ids.log".
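The custom rules file, the operation mode, the threshold and the log file above all act on one scoring model: every PHPIDS-style filter that matches a request field adds its impact to the request's total, and the total is what the mode and threshold settings compare against. The following is an added example, not code from this page, from Tiki or from the Expose library: a standalone Python model of that scoring and decision logic. The rules file layout (a top-level "filters" array whose entries carry id, rule, description, tags and impact) is an assumption modelled on Expose's filter_rules.json, the three regexes and the request data are constructed for illustration, and all function names (load_rules, scan, decide, check_request) are hypothetical.

```python
import json
import re
from datetime import datetime, timezone

# Constructed rules file in the assumed PHPIDS/Expose "filters" JSON shape
# (id, rule, description, tags, impact). The three regexes are illustrative
# stand-ins, not the project's shipped rules.
CUSTOM_RULES_JSON = r'''
{
  "filters": [
    {"id": 1001, "rule": "(?i)<\\s*script\\b",
     "description": "script tag", "tags": ["xss"], "impact": 4},
    {"id": 1002, "rule": "(?i)\\bunion\\b\\s+(?:all\\s+)?select\\b",
     "description": "SQL UNION SELECT", "tags": ["sqli"], "impact": 5},
    {"id": 1003, "rule": "\\.\\./",
     "description": "directory traversal", "tags": ["lfi"], "impact": 3}
  ]
}
'''

# Constructed request data, shaped like PHP's nested $_GET/$_POST arrays.
SAMPLE_REQUEST = {
    "page": "HomePage",
    "q": "1 UNION SELECT password FROM users",          # matches 1002 (impact 5)
    "comment": {"body": "<script>alert(1)</script>",    # matches 1001 (impact 4)
                "author": "bob"},
}


def load_rules(text):
    """Parse a filters file into compiled rules; a bad regex fails loudly at load time."""
    rules = []
    for f in json.loads(text)["filters"]:
        rules.append({
            "id": int(f["id"]),
            "regex": re.compile(f["rule"]),
            "impact": int(f["impact"]),
            "tags": list(f.get("tags", [])),
            "description": f.get("description", ""),
        })
    return rules


def flatten(data, prefix=""):
    """Yield (dotted_field_name, value) for every leaf of a nested request array."""
    if isinstance(data, dict):
        for key, value in data.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(data, (list, tuple)):
        for index, value in enumerate(data):
            yield from flatten(value, f"{prefix}.{index}" if prefix else str(index))
    else:
        yield prefix, str(data)


def scan(rules, request, exceptions=(), restrictions=None):
    """Return (total_impact, reports).

    The impact of every rule that matches each field is summed, so one request
    can score higher than any single rule. `exceptions` are field names that are
    never inspected; `restrictions`, when given, is the only set of field names
    inspected ("only look at...").
    """
    total, reports = 0, []
    for field, value in flatten(request):
        if field in exceptions or (restrictions is not None and field not in restrictions):
            continue
        for rule in rules:
            if rule["regex"].search(value):
                total += rule["impact"]
                reports.append({"field": field, "filter": rule["id"],
                                "impact": rule["impact"], "tags": rule["tags"]})
    return total, reports


def decide(mode, threshold, impact):
    """'block' only in log-and-block mode once the score reaches the threshold
    (>= is an assumption here, mirroring Expose's "greater than or equal to"
    wording for notifications); every other case is 'log'."""
    if mode == "log_and_block" and impact >= threshold:
        return "block"
    return "log"


def check_request(rules_json, request, mode, threshold,
                  exceptions=(), restrictions=None, now=None):
    """Run one request through the rules; return the decision and an ids.log line."""
    rules = load_rules(rules_json)
    impact, reports = scan(rules, request, exceptions, restrictions)
    decision = decide(mode, threshold, impact)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    line = json.dumps({"time": stamp, "impact": impact,
                       "decision": decision, "reports": reports})
    return {"impact": impact, "decision": decision, "reports": reports, "log_line": line}


if __name__ == "__main__":
    # Log only: the request (score 9 = 5 + 4) is recorded but never blocked.
    print(check_request(CUSTOM_RULES_JSON, SAMPLE_REQUEST, "log_only", 8)["log_line"])
    # Log and block, threshold 8: the same request is blocked.
    print(check_request(CUSTOM_RULES_JSON, SAMPLE_REQUEST, "log_and_block", 8)["decision"])
    # An exception for a field that is always noisy drops the score to 5: logged only.
    print(check_request(CUSTOM_RULES_JSON, SAMPLE_REQUEST, "log_and_block", 8,
                        exceptions=("comment.body",))["decision"])
```

Two things to check before relying on a real custom rules file: first, the rules Tiki loads are evaluated by PHP's PCRE engine, and PHPIDS-style filters use PCRE features (possessive quantifiers, for instance) that Python's re module does not accept, so test a new rule in PHP rather than in this model; second, because impact is additive, a threshold that looks safe for any single rule can be crossed by a request that trips several low-impact rules at once, which is exactly the kind of legitimate 1-2 score traffic the Expose documentation warns about. The point of the exceptions and restrictions lists is to keep those known-noisy fields from inflating the score.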
