As my previous blog post states, “Prevention is better than cure”. With that goal in mind, this post explains IDS (Intruder Detection System) and IPS (Intruder Prevention System) for web applications. Many companies develop such products, and there are also open source tools we can use to design our own. Applications protected this way are known as “Attack Aware” applications.
What are IDS and IPS?
IDS is the acronym for Intruder Detection System; it detects abnormal user input to the application. For example, when a user attempts an XSS (Cross Site Scripting) or SQL injection attack on the web application, the IDS logs the attack together with the required information, such as IP address, system name, attack type and attack time (depending on configuration).
IPS is the acronym for Intruder Prevention System; it detects abnormal user input and also prevents the application from executing it. With an IDS we can only identify the attack; an IPS checks the user input and stops execution of the request that carries the attack.
IDS and IPS both work from signatures (in developer terms, regular expressions). We blacklist certain words or patterns, and whenever such input is detected in the data coming to the server, an IDS logs it and an IPS stops execution of the request.
OK, now I have some idea about IDS and IPS, but how do they work?
IDS and IPS are available in both hardware and software form. Here we are concerned only with software-based IDS and IPS. Overall, we are adding one extra layer of application security to protect the application from known vulnerabilities or weaknesses that could lead to damage to the system.
If I have developed an Attack Aware application, can I stop following secure coding / secure application practices?
No, you should not drop your secure coding and secure application practices just because you implement such a solution. Overall it only adds an extra layer of security, and it gives the application developer and system administrator details of the various attacks and their sources so the application can be protected from future problems.
Will IDS and IPS always give correct results?
No. Many times we have faced false positive results from IDS and IPS tools. For example, if there is a field called Name and the user enters his name as O’Relly, then when the user submits the form the data is treated as SQL injection because of the ' (single quote).
URL tampering is a good example for understanding how IDS and IPS work. Suppose a user is trying a SQL injection attack on www.mysite.com/resetPassword?k=abc ' OR 1=1;--. In this case there is no legitimate reason to modify the URL, so for such cases the false positive rate is low and detection of attacks against the application is high.
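The following is an added example, not code from the original post, showing the signature mechanism described above (a list of regular expressions applied to request parameters) and both behaviours: in IDS mode a match is only logged with IP, system name, attack type and time, while in IPS mode the request is also blocked. It also handles the two cases just discussed: the tampered reset-password URL, whose token parameter should never contain SQL, and the false positive from an apostrophe in a Name field, which is avoided here by applying only the high-confidence signatures to fields declared as free text. The signatures, field names, IP addresses and the `WebAppGuard` class are all constructed for this example; a real rule set is much larger and tuned per application.

```python
import re
import logging
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Signature:
    attack_type: str
    pattern: "re.Pattern[str]"
    high_confidence: bool  # False = crude blacklist rule, skipped on free-text fields


# Constructed signature list for this example (not a production rule set).
SIGNATURES: List[Signature] = [
    # Boolean tautology, UNION-based query, stacked statement or comment terminator.
    Signature("sql_injection",
              re.compile(r"\bor\b\s+\S+\s*=\s*\S+|\bunion\s+select\b|;\s*--|--\s*$", re.I),
              True),
    # The naive "blacklist the single quote" rule from the post: it catches the
    # tampered URL but also flags O'Relly in a Name field.
    Signature("sql_injection", re.compile(r"'"), False),
    Signature("xss", re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.I), True),
    Signature("directory_traversal", re.compile(r"\.\.[/\\]|%2e%2e%2f", re.I), True),
]


@dataclass
class Request:
    client_ip: str
    system_name: str        # host the request arrived at ("System Name" in the post)
    path: str
    params: Dict[str, str]  # query-string / form fields, already URL-decoded


@dataclass(frozen=True)
class Finding:
    attack_type: str
    field_name: str
    value: str


class WebAppGuard:
    """Signature-based IDS/IPS for request parameters (hypothetical class).

    mode="ids": log matches and let the request through.
    mode="ips": log matches and block the request.
    free_text_fields: fields (e.g. "name") where only high-confidence
    signatures apply, so an apostrophe on its own is not an alert.
    """

    def __init__(self, mode: str = "ids",
                 free_text_fields: FrozenSet[str] = frozenset(),
                 logger: Optional[logging.Logger] = None) -> None:
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.free_text_fields = frozenset(free_text_fields)
        self.log = logger or logging.getLogger("webapp-guard")
        self.events: List[dict] = []  # the attack log the post describes

    def scan(self, request: Request) -> List[Finding]:
        """Run every applicable signature over every parameter value."""
        findings: List[Finding] = []
        for name, value in request.params.items():
            lenient = name in self.free_text_fields
            for sig in SIGNATURES:
                if lenient and not sig.high_confidence:
                    continue
                if sig.pattern.search(value):
                    findings.append(Finding(sig.attack_type, name, value))
        return findings

    def handle(self, request: Request, now: Optional[datetime] = None) -> bool:
        """Return True if the application may execute the request, False if blocked."""
        findings = self.scan(request)
        if not findings:
            return True
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        action = "logged" if self.mode == "ids" else "blocked"
        for f in findings:
            event = {
                "time": stamp, "ip": request.client_ip, "system": request.system_name,
                "path": request.path, "field": f.field_name,
                "attack_type": f.attack_type, "action": action,
            }
            self.events.append(event)
            self.log.warning("%s", event)
        return self.mode == "ids"  # an IDS never blocks; an IPS blocks on any match


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ips = WebAppGuard("ips", free_text_fields={"name"})
    # Tampered reset-password URL from the post: the token must never hold SQL.
    print(ips.handle(Request("203.0.113.7", "www.mysite.com", "/resetPassword",
                             {"k": "abc ' OR 1=1;--"})))   # False (blocked)
    # Legitimate apostrophe in a free-text field: no false positive.
    print(ips.handle(Request("203.0.113.8", "www.mysite.com", "/register",
                             {"name": "O'Relly"})))         # True
```

The per-field policy is the practical point: the same naive quote rule that makes the reset-password token check reliable is the one that produces the O’Relly false positive, so where a field is expected to carry free text the crude rule is switched off and only the high-confidence patterns remain.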
Wow, I get the idea behind this, but is it really possible?
Yes, nowadays some companies provide IDS and IPS specially crafted for detecting and preventing SQL injection, directory traversal and XSS attacks. But due to false positive results and low awareness of such implementations, people have not yet widely adopted this concept.
In the near future I will post about developing your own web application IDS and IPS.