pepe le moko
I'm trying to setup snort with BASE. It looks like everything is installed right, but I don't see any user manual or FAQ on how to use this thing. Since I seem to be the only person who asks these questions, lets call it a SAQ ( seldom asked questions )
1) how do i configure alerting? clicking on the "Alert Group Maintenance" lets me create a new Alert Group. I am then presented with a box allowing me to chose an action ( I assume that is something that will happen when i get a packet that matches a snort signature? ). I want to get an email when i see an SQL exploit, so i choose email alert (full) and put my email address in the box. I click entire query and get this:
/var/www/html/base-126.96.36.199/includes/base_state_criteria.inc.php:155: WARNING: The following query key has not been implemented, yet: "7".
Report it to the BASE developers, please.
is this a setup issue, or a problem with... what ( BASE, mysql, php what?)
2) Is there a help screen somewhere? I'm not seeing a link anywhere.
3 ) how do i delete an alert group? the delete button does this:
4) the FAQ said that it is possible to different levels of alerting with some database magic. what do i do to get this to go?
Pepe Le Moko
pepe le moko
can i get any help with this please? I'm trying to enable debug in the app. what debugging steps should i try? this is a a stock rhel4 machine with the latest updates.
Pepe Le Moko
I know this is just another of those 'me too' message, but I think Pepe is on to something. The documentation for Base is really lacking. If there is any I really can't find it. Google shows many 'howto docs' but they all are how to install snort and Base, not how to USE them.
How about a glossary of terms? Some practical examples of what Base can do?
What does Base mean by Sensors, classifications. 'Add to AG' 'Email Alerts' (which you'd think would be obvious, but clearly is not) What does 'Archiving' and alert MEAN.
Yes I'm aware that to gain FULL functionality I should dig though the source and read 10,000 messages about snort on the Snort boards...but frankly if that the ONLY way to learn how to use this application, then I think something is broken.
I agree that the documentation is lacking. So lets fix it. Who would like to volunteer to begin writing it. I will enable the wiki on sf.net and we can use that. Send me an email at email@example.com and I can set you up with access to edit.