--- ./phpids.module.orig 2010-03-26 22:53:36.000000000 +0100 +++ ./phpids.module 2010-04-12 23:13:49.274592252 +0200 @@ -11,6 +11,19 @@ * @see http://www.php-ids.org */ +define('PHPIDS_ANONUSER_PASSIVE', 1); // anonymous: only log, no action +define('PHPIDS_ANONUSER_ACTIVE', 2); // anonymous: log and act +define('PHPIDS_AUTHUSER_SKIP', 1); // authenticated: no log, no action +define('PHPIDS_AUTHUSER_PASSIVE', 2); // authenticated: only log, no action +define('PHPIDS_AUTHUSER_ACTIVE', 3); // authenticated: log and act +define('PHPIDS_HANDLING_NONE', 0); +define('PHPIDS_HANDLING_LOG', 1); +define('PHPIDS_HANDLING_ACTION', 2); +define('PHPIDS_ACTION_NONE', 0); +define('PHPIDS_ACTION_LOG', 1); +define('PHPIDS_ACTION_LOG_AND_MAIL', 2); +define('PHPIDS_ACTION_BLOCK', 3); + /** * Create html report from PHPIDS generated report. * @@ -21,12 +34,15 @@ * Returns $message as a html string. */ function phpids_createReport($report) { - $message = 'Total impact: '. $report->getImpact() .'
'; + $remote_ip = $_SERVER['REMOTE_ADDR']; + + $message = 'PHPIDS Report for request to URI ' . $_SERVER['REQUEST_URI'] . ' from ' . $remote_ip . ' (' . gethostbyaddr($remote_ip) . ') at ' . date(DATE_RFC850, $_SERVER['REQUEST_TIME']) . ':
'; + $message .= 'Total impact: '. $report->getImpact() .'
'; $message .= 'All tags: '. join(", ", $report->getTags()) .'
'; // iterate through the result an get every event (IDS_Event) foreach ($report as $event) { $message .= '
Variable: '. $event->getName() .' | Value: '. htmlspecialchars($event->getValue()) .'
'; - $message .= 'Impact: '. $event->getImpact() .' | Tags: '. join(", ", $event->getTags()) .'
'; + $message .= 'Impact: '. $event->getImpact() .' | Tags: '. join(", ", $event->getTags()) .'
'; // iterator throught every filter $message .= ''; } - return $message; + // dump server variables. + $message .= '
Server variables:
'. str_replace(' ', ' ', nl2br('[$_SERVER] => '. print_r($_SERVER, TRUE))); + + // find available traceroute variant + if (substr(PHP_OS, 0, 3) == 'WIN') { + $tracecmd = 'tracert'; + } + else { + $tracecmd = exec('which tracepath'); + if (empty($tracecmd)) { + $tracecmd = exec('which traceroute'); + } + } + if (!empty($tracecmd)) { + $traceroute_result = array(); + exec("$tracecmd $remote_ip", $traceroute_result); + $message .= '
TraceRoute to remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $traceroute_result))); + } + + // whois host? + if (exec('which whois')) { + $whois_result = array(); + exec("whois $remote_ip", $whois_result); + $message .= '
WHOIS result for remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $whois_result))); + } + + // nmap verbose host probing + if (exec('which nmap')) { + $nmap_result = array(); + exec("nmap -vA -PN $remote_ip", $nmap_result); + $message .= '
Nmap examination of remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $nmap_result))); + } + + return $message; } /** @@ -44,7 +93,7 @@ * * @param $msg * Report message as a string. - * @params $prio + * @param $prio * Watchdog priority. * * @see phpids_createReport() @@ -54,11 +103,10 @@ */ function phpids_doLogging($msg, $prio = WATCHDOG_NOTICE) { if (phpids_getDrupalMajorVersion() > 5) { - $vars=array(); - watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $vars, $prio); + watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), array(), $prio); } else - watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $prio); + watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $prio); } /** @@ -66,31 +114,24 @@ * * @param $action * Action which is taken after checked by PHPIDS (warning, blocking, unknown) + * @param $message + * The full PHPIDS report * * @see phpids_mail() * @see drupal_mail() */ -function phpids_doWarning($action) { +function phpids_doWarning($action, $message) { global $language; - - $to = variable_get('phpids_mail', ''); - if (!$to == '' && (!variable_get('phpids_testonly_activated', FALSE) || (variable_get('phpids_testonly_activated', FALSE) && variable_get('phpids_testonly_withmail', FALSE)))) { - switch ($action) { - case 'warning': - $params['subject'] = 'PHPIDS detect a warning on '. variable_get('site_name', 'Drupal'); - break; - case 'blocking': - $params['subject'] = 'PHPIDS detect a blocking on '. variable_get('site_name', 'Drupal'); - break; - default: - $params['subject'] = 'PHPIDS detect an unknown attack type on '. variable_get('site_name', 'Drupal'); + if ($recipient = variable_get('phpids_mail', '')) { + $params['subject'] = "PHPIDS $action event by " . $_SERVER['REMOTE_ADDR'] . ' on ' . $_SERVER['REQUEST_URI']; + $params['body'] = drupal_html_to_text($message); + if (phpids_getDrupalMajorVersion() == '5') { + drupal_mail($action, $recipient, $params['subject'], $params['body']); + } + else { + drupal_mail('phpids', $action, $recipient, $language, $params, variable_get('site_mail', NULL)); } - $params['body'] = 'Please check your logging on your website to get detailed informations.'."\r\n\r\n".'Attacker: '. $_SERVER['REMOTE_ADDR'] ."\r\n".'Attack-Time: '. date('c'); - if (phpids_getDrupalMajorVersion() == '5' ) - drupal_mail($action, $to, $params['subject'], $params['body']); - else - drupal_mail('phpids', $action, $to, $language, $params, variable_get('site_mail', NULL)); - phpids_doLogging('Send warning mail to '. $to); + phpids_doLogging("Sent mail to $recipient for PHPIDS $action." . print_r(array('phpids', $action, $recipient, $language, $params, variable_get('site_mail', NULL)), TRUE)); } } @@ -113,18 +154,17 @@ * @see phpids_getHandling() */ function phpids_getAction($impact, $handling) { - $action = 1; - $log_level = variable_get('phpids_loglevel', 1); + $log_level = variable_get('phpids_loglevel', 1); $warn_level = variable_get('phpids_warnlevel', 9); $block_level = variable_get('phpids_blocklevel', 27); - if ($impact >= $block_level && $handling == 2) - return 3; - elseif ($impact >= $warn_level && $handling == 2) - return 2; + if ($impact >= $block_level && $handling == PHPIDS_HANDLING_ACTION) + return PHPIDS_ACTION_BLOCK; + elseif ($impact >= $warn_level && $handling == PHPIDS_HANDLING_ACTION) + return PHPIDS_ACTION_LOG_AND_MAIL; elseif ($impact < $log_level) - return 0; - return $action; + return PHPIDS_ACTION_NONE; + return PHPIDS_ACTION_LOG; } /** @@ -139,7 +179,7 @@ /** * Returns PHPIDS handling status by current user. - * + * * @return * Returns value how to handle current user. * 0: handle for user #1 @@ -149,27 +189,22 @@ function phpids_getHandling() { global $user; - $handling = 1; switch ($user->uid) { - case 0: - if (variable_get('phpids_anonymous', 2) == 2) - $handling = 2; - break; - case 1: - $handling = 0; - break; - default: - $auth = variable_get('phpids_authenticated', 2); - switch ($auth) { - case 1: - $handling = 0; - break; - case 3: - $handling = 2; - break; + case 0: // anonymous + if (variable_get('phpids_anonymous', PHPIDS_ANONUSER_ACTIVE) == PHPIDS_ANONUSER_ACTIVE) { + return PHPIDS_HANDLING_ACTION; + } + case 1: // webmaster + return PHPIDS_HANDLING_NONE; + default: // authenticated user + switch(variable_get('phpids_authenticated', PHPIDS_AUTHUSER_PASSIVE)) { + case PHPIDS_AUTHUSER_SKIP: + return PHPIDS_HANDLING_NONE; + case PHPIDS_AUTHUSER_ACTIVE: + return PHPIDS_HANDLING_ACTION; } } - return $handling; + return PHPIDS_HANDLING_LOG; } /** @@ -180,31 +215,31 @@ || file_exists(variable_get('phpids_path', realpath(dirname(__FILE__))) .'/IDS/Config/Config.ini.php')) { $phpids_handling = phpids_getHandling(); - if ($phpids_handling > 0) { + if ($phpids_handling !== PHPIDS_ACTION_NONE) { $phpids_report = phpids_runPHPIDS(); if (!$phpids_report->isEmpty()) { switch (phpids_getAction($phpids_report->getImpact(), $phpids_handling)) { - case 3: + case PHPIDS_ACTION_BLOCK: if (!function_exists('drupal_goto')) { require_once './includes/common.inc'; require_once './includes/path.inc'; } $message = phpids_createReport($phpids_report); phpids_doLogging($message, (phpids_getDrupalMajorVersion() > 5) ? WATCHDOG_ALERT : WATCHDOG_ERROR); - phpids_doWarning('blocking'); + phpids_doWarning('blocking', $message); if (!variable_get('phpids_testonly_activated', FALSE)) drupal_goto('warning.html'); break; - case 2: + case PHPIDS_ACTION_LOG_AND_MAIL: $message = phpids_createReport($phpids_report); phpids_doLogging($message, WATCHDOG_WARNING); - phpids_doWarning('warning'); + phpids_doWarning('warning', $message); break; - case 1: + case PHPIDS_ACTION_LOG: $message = phpids_createReport($phpids_report); phpids_doLogging($message); break; - case 0: + case PHPIDS_ACTION_NONE: break; default: $message = phpids_createReport($phpids_report); @@ -252,7 +287,7 @@ * @see phpids_getDrupalMajorVersion() */ function phpids_menu() { - $items = array(); + $items = array(); switch (phpids_getDrupalMajorVersion()) { case '7': $items['admin/config/system/phpids'] = array( @@ -287,7 +322,7 @@ ); break; case '5': - require_once('phpids.admin.inc'); + require_once('phpids.admin.inc'); $items[] = array( 'path' => 'admin/settings/phpids', 'title' => t('PHPIDS settings'), @@ -311,7 +346,7 @@ /** * Implements hook_perm(). - * + * * @return * Returns array for possible permission settings. */ --- ./phpids.admin.inc.orig 2010-02-04 23:13:21.000000000 +0100 +++ ./phpids.admin.inc 2010-04-12 22:47:58.756716681 +0200 @@ -55,27 +55,38 @@ '#default_value' => variable_get('phpids_mail', ''), '#description' => t("Leave empty if you don't want to send out email"), ); + $form['general']['phpids_mail_details'] = array( + '#type' => 'checkbox', + '#title' => t('Report details in mail'), + '#default_value' => variable_get('phpids_mail_details', FALSE), + '#description' => t('Enable this to have the complete PHPIDS report mailed out to you.'), + ); // finetune filter settings $form['filters'] = array( '#type' => 'fieldset', '#title' => t('Filter settings'), '#description' => t("Finetune settings when PHPIDS shouldn't take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!"), ); - $options_anon = array(1 => t('Log anonymous users without actions'), 2 => t('Log anonymous users and take actions')); $form['filters']['phpids_anonymous'] = array( '#type' => 'select', '#title' => t('Anonymous users'), '#description' => t('Choose a setting for anonymous users.'), - '#default_value' => variable_get('phpids_anonymous', 2), - '#options' => $options_anon, + '#default_value' => variable_get('phpids_anonymous', PHPIDS_ANONUSER_ACTIVE), + '#options' => array( + PHPIDS_ANONUSER_PASSIVE => t('Log anonymous users without actions'), + PHPIDS_ANONUSER_ACTIVE => t('Log anonymous users and take actions'), + ), ); - $options_auth = array(1 => t('Do not log authenticated users'), 2 => t('Log authenticated users without actions'), 3 => t('Log authenticated users and take actions')); $form['filters']['phpids_authenticated'] = array( '#type' => 'select', '#title' => t('Authenticated users'), '#description' => t('Choose a setting for authenticated users.'), - '#default_value' => variable_get('phpids_authenticated', 2), - '#options' => $options_auth, + '#default_value' => variable_get('phpids_authenticated', PHPIDS_AUTHUSER_PASSIVE), + '#options' => array( + PHPIDS_AUTHUSER_SKIP => t('Do not log authenticated users'), + PHPIDS_AUTHUSER_PASSIVE => t('Log authenticated users without actions'), + PHPIDS_AUTHUSER_ACTIVE => t('Log authenticated users and take actions'), + ), ); $form['filters']['phpids_html_fields'] = array( '#type' => 'textfield', --- ./phpids.module.orig 2010-03-26 22:53:36.000000000 +0100 +++ ./phpids.module 2010-04-12 23:39:54.030590799 +0200 @@ -11,6 +11,19 @@ * @see http://www.php-ids.org */ +define('PHPIDS_ANONUSER_PASSIVE', 1); // anonymous: only log, no action +define('PHPIDS_ANONUSER_ACTIVE', 2); // anonymous: log and act +define('PHPIDS_AUTHUSER_SKIP', 1); // authenticated: no log, no action +define('PHPIDS_AUTHUSER_PASSIVE', 2); // authenticated: only log, no action +define('PHPIDS_AUTHUSER_ACTIVE', 3); // authenticated: log and act +define('PHPIDS_HANDLING_NONE', 0); +define('PHPIDS_HANDLING_LOG', 1); +define('PHPIDS_HANDLING_ACTION', 2); +define('PHPIDS_ACTION_NONE', 0); +define('PHPIDS_ACTION_LOG', 1); +define('PHPIDS_ACTION_LOG_AND_MAIL', 2); +define('PHPIDS_ACTION_BLOCK', 3); + /** * Create html report from PHPIDS generated report. * @@ -21,12 +34,16 @@ * Returns $message as a html string. */ function phpids_createReport($report) { - $message = 'Total impact: '. $report->getImpact() .'
'; + $remote_ip = $_SERVER['REMOTE_ADDR']; + $add_details = variable_get('phpids_additional_details', array('servervars')); + + $message = 'PHPIDS Report for request to URI ' . $_SERVER['REQUEST_URI'] . ' from ' . $remote_ip . ' (' . gethostbyaddr($remote_ip) . ') at ' . date(DATE_RFC850, $_SERVER['REQUEST_TIME']) . ':
'; + $message .= 'Total impact: '. $report->getImpact() .'
'; $message .= 'All tags: '. join(", ", $report->getTags()) .'
'; // iterate through the result an get every event (IDS_Event) foreach ($report as $event) { $message .= '
Variable: '. $event->getName() .' | Value: '. htmlspecialchars($event->getValue()) .'
'; - $message .= 'Impact: '. $event->getImpact() .' | Tags: '. join(", ", $event->getTags()) .'
'; + $message .= 'Impact: '. $event->getImpact() .' | Tags: '. join(", ", $event->getTags()) .'
'; // iterator throught every filter $message .= ''; } - return $message; + if (in_array('servervars', $add_details)) { + // dump server variables. + $message .= '
Server variables:
'. str_replace(' ', ' ', nl2br('[$_SERVER] => '. print_r($_SERVER, TRUE))); + } + + if (in_array('traceroute', $add_details)) { + // find available traceroute variant + if (substr(PHP_OS, 0, 3) == 'WIN') { + $tracecmd = 'tracert'; + } + else { + $tracecmd = exec('which tracepath'); + if (empty($tracecmd)) { + $tracecmd = exec('which traceroute'); + } + } + if (!empty($tracecmd)) { + $traceroute_result = array(); + exec("$tracecmd $remote_ip", $traceroute_result); + $message .= '
TraceRoute to remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $traceroute_result))); + } + } + + if (in_array('whois', $add_details)) { + // whois host? + if (exec('which whois')) { + $whois_result = array(); + exec("whois $remote_ip", $whois_result); + $message .= '
WHOIS result for remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $whois_result))); + } + } + + if (in_array('nmap', $add_details)) { + // nmap verbose host probing + if (exec('which nmap')) { + $nmap_result = array(); + exec("nmap -vA -PN $remote_ip", $nmap_result); + $message .= '
Nmap examination of remote address:
'. str_replace(' ', ' ', nl2br(implode("\n", $nmap_result))); + } + } + + return $message; } /** @@ -44,7 +102,7 @@ * * @param $msg * Report message as a string. - * @params $prio + * @param $prio * Watchdog priority. * * @see phpids_createReport() @@ -54,11 +112,10 @@ */ function phpids_doLogging($msg, $prio = WATCHDOG_NOTICE) { if (phpids_getDrupalMajorVersion() > 5) { - $vars=array(); - watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $vars, $prio); + watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), array(), $prio); } else - watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $prio); + watchdog('phpids', wordwrap($msg, '100', ' ', TRUE), $prio); } /** @@ -66,31 +123,24 @@ * * @param $action * Action which is taken after checked by PHPIDS (warning, blocking, unknown) + * @param $message + * The full PHPIDS report * * @see phpids_mail() * @see drupal_mail() */ -function phpids_doWarning($action) { +function phpids_doWarning($action, $message) { global $language; - - $to = variable_get('phpids_mail', ''); - if (!$to == '' && (!variable_get('phpids_testonly_activated', FALSE) || (variable_get('phpids_testonly_activated', FALSE) && variable_get('phpids_testonly_withmail', FALSE)))) { - switch ($action) { - case 'warning': - $params['subject'] = 'PHPIDS detect a warning on '. variable_get('site_name', 'Drupal'); - break; - case 'blocking': - $params['subject'] = 'PHPIDS detect a blocking on '. variable_get('site_name', 'Drupal'); - break; - default: - $params['subject'] = 'PHPIDS detect an unknown attack type on '. variable_get('site_name', 'Drupal'); + if ($recipient = variable_get('phpids_mail', '')) { + $params['subject'] = "PHPIDS $action event by " . $_SERVER['REMOTE_ADDR'] . ' on ' . $_SERVER['REQUEST_URI']; + $params['body'] = drupal_html_to_text($message); + if (phpids_getDrupalMajorVersion() == '5') { + drupal_mail($action, $recipient, $params['subject'], $params['body']); } - $params['body'] = 'Please check your logging on your website to get detailed informations.'."\r\n\r\n".'Attacker: '. $_SERVER['REMOTE_ADDR'] ."\r\n".'Attack-Time: '. date('c'); - if (phpids_getDrupalMajorVersion() == '5' ) - drupal_mail($action, $to, $params['subject'], $params['body']); - else - drupal_mail('phpids', $action, $to, $language, $params, variable_get('site_mail', NULL)); - phpids_doLogging('Send warning mail to '. $to); + else { + drupal_mail('phpids', $action, $recipient, $language, $params, variable_get('site_mail', NULL)); + } + phpids_doLogging("Sent mail to $recipient for PHPIDS $action." . print_r(array('phpids', $action, $recipient, $language, $params, variable_get('site_mail', NULL)), TRUE)); } } @@ -113,18 +163,17 @@ * @see phpids_getHandling() */ function phpids_getAction($impact, $handling) { - $action = 1; - $log_level = variable_get('phpids_loglevel', 1); + $log_level = variable_get('phpids_loglevel', 1); $warn_level = variable_get('phpids_warnlevel', 9); $block_level = variable_get('phpids_blocklevel', 27); - if ($impact >= $block_level && $handling == 2) - return 3; - elseif ($impact >= $warn_level && $handling == 2) - return 2; + if ($impact >= $block_level && $handling == PHPIDS_HANDLING_ACTION) + return PHPIDS_ACTION_BLOCK; + elseif ($impact >= $warn_level && $handling == PHPIDS_HANDLING_ACTION) + return PHPIDS_ACTION_LOG_AND_MAIL; elseif ($impact < $log_level) - return 0; - return $action; + return PHPIDS_ACTION_NONE; + return PHPIDS_ACTION_LOG; } /** @@ -139,7 +188,7 @@ /** * Returns PHPIDS handling status by current user. - * + * * @return * Returns value how to handle current user. * 0: handle for user #1 @@ -149,27 +198,22 @@ function phpids_getHandling() { global $user; - $handling = 1; switch ($user->uid) { - case 0: - if (variable_get('phpids_anonymous', 2) == 2) - $handling = 2; - break; - case 1: - $handling = 0; - break; - default: - $auth = variable_get('phpids_authenticated', 2); - switch ($auth) { - case 1: - $handling = 0; - break; - case 3: - $handling = 2; - break; + case 0: // anonymous + if (variable_get('phpids_anonymous', PHPIDS_ANONUSER_ACTIVE) == PHPIDS_ANONUSER_ACTIVE) { + return PHPIDS_HANDLING_ACTION; + } + case 1: // webmaster + return PHPIDS_HANDLING_NONE; + default: // authenticated user + switch(variable_get('phpids_authenticated', PHPIDS_AUTHUSER_PASSIVE)) { + case PHPIDS_AUTHUSER_SKIP: + return PHPIDS_HANDLING_NONE; + case PHPIDS_AUTHUSER_ACTIVE: + return PHPIDS_HANDLING_ACTION; } } - return $handling; + return PHPIDS_HANDLING_LOG; } /** @@ -180,36 +224,36 @@ || file_exists(variable_get('phpids_path', realpath(dirname(__FILE__))) .'/IDS/Config/Config.ini.php')) { $phpids_handling = phpids_getHandling(); - if ($phpids_handling > 0) { + if ($phpids_handling !== PHPIDS_HANDLING_NONE) { $phpids_report = phpids_runPHPIDS(); if (!$phpids_report->isEmpty()) { switch (phpids_getAction($phpids_report->getImpact(), $phpids_handling)) { - case 3: + case PHPIDS_ACTION_BLOCK: if (!function_exists('drupal_goto')) { require_once './includes/common.inc'; require_once './includes/path.inc'; } $message = phpids_createReport($phpids_report); phpids_doLogging($message, (phpids_getDrupalMajorVersion() > 5) ? WATCHDOG_ALERT : WATCHDOG_ERROR); - phpids_doWarning('blocking'); + phpids_doWarning('blocking', $message); if (!variable_get('phpids_testonly_activated', FALSE)) drupal_goto('warning.html'); break; - case 2: + case PHPIDS_ACTION_LOG_AND_MAIL: $message = phpids_createReport($phpids_report); phpids_doLogging($message, WATCHDOG_WARNING); - phpids_doWarning('warning'); + phpids_doWarning('warning', $message); break; - case 1: + case PHPIDS_ACTION_LOG: $message = phpids_createReport($phpids_report); phpids_doLogging($message); break; - case 0: + case PHPIDS_ACTION_NONE: break; default: $message = phpids_createReport($phpids_report); phpids_doLogging($message, (phpids_getDrupalMajorVersion() > 5) ? WATCHDOG_CRITICAL : WATCHDOG_ERROR); - phpids_doWarning('unknown'); + phpids_doWarning('unknown', $message); if (!variable_get('phpids_testonly_activated', FALSE)) drupal_goto('warning.html'); } @@ -252,7 +296,7 @@ * @see phpids_getDrupalMajorVersion() */ function phpids_menu() { - $items = array(); + $items = array(); switch (phpids_getDrupalMajorVersion()) { case '7': $items['admin/config/system/phpids'] = array( @@ -287,7 +331,7 @@ ); break; case '5': - require_once('phpids.admin.inc'); + require_once('phpids.admin.inc'); $items[] = array( 'path' => 'admin/settings/phpids', 'title' => t('PHPIDS settings'), @@ -311,7 +355,7 @@ /** * Implements hook_perm(). - * + * * @return * Returns array for possible permission settings. */ --- ./phpids.admin.inc.orig 2010-02-04 23:13:21.000000000 +0100 +++ ./phpids.admin.inc 2010-04-12 23:42:44.649467274 +0200 @@ -55,27 +55,44 @@ '#default_value' => variable_get('phpids_mail', ''), '#description' => t("Leave empty if you don't want to send out email"), ); + $form['general']['phpids_additional_details'] = array( + '#type' => 'checkboxes', + '#title' => t('Additional details'), + '#default_value' => variable_get('phpids_additional_details', array('servervars')), + '#options' => array( + 'servervars' => t('Server variables'), + 'traceroute' => t('Traceroute'), + 'whois' => t('WHOIS information'), + 'nmap' => t('NMAP (active host auditing)') + ), + '#description' => t('Enable traceroute, whois and nmap network exploration tools to actively acquire more information about the attacker. These tools may cause timeouts or not be available on shared hosting environments.'), + ); // finetune filter settings $form['filters'] = array( '#type' => 'fieldset', '#title' => t('Filter settings'), '#description' => t("Finetune settings when PHPIDS shouldn't take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!"), ); - $options_anon = array(1 => t('Log anonymous users without actions'), 2 => t('Log anonymous users and take actions')); $form['filters']['phpids_anonymous'] = array( '#type' => 'select', '#title' => t('Anonymous users'), '#description' => t('Choose a setting for anonymous users.'), - '#default_value' => variable_get('phpids_anonymous', 2), - '#options' => $options_anon, + '#default_value' => variable_get('phpids_anonymous', PHPIDS_ANONUSER_ACTIVE), + '#options' => array( + PHPIDS_ANONUSER_PASSIVE => t('Log anonymous users without actions'), + PHPIDS_ANONUSER_ACTIVE => t('Log anonymous users and take actions'), + ), ); - $options_auth = array(1 => t('Do not log authenticated users'), 2 => t('Log authenticated users without actions'), 3 => t('Log authenticated users and take actions')); $form['filters']['phpids_authenticated'] = array( '#type' => 'select', '#title' => t('Authenticated users'), '#description' => t('Choose a setting for authenticated users.'), - '#default_value' => variable_get('phpids_authenticated', 2), - '#options' => $options_auth, + '#default_value' => variable_get('phpids_authenticated', PHPIDS_AUTHUSER_PASSIVE), + '#options' => array( + PHPIDS_AUTHUSER_SKIP => t('Do not log authenticated users'), + PHPIDS_AUTHUSER_PASSIVE => t('Log authenticated users without actions'), + PHPIDS_AUTHUSER_ACTIVE => t('Log authenticated users and take actions'), + ), ); $form['filters']['phpids_html_fields'] = array( '#type' => 'textfield',