Why do certain alerts seem to have 'unknown' IPs?
The Snort database plug-in only logs packet information into the database when an alert is
triggered by a rule (signature). Therefore, since alerts generated by preprocessors
such as portscan and mini-fragment have no corresponding rules, no packet information is
logged beyond an entry indicating their occurrence. As a consequence, BASE cannot display
any packet-level (e.g. IP address) information for these alerts.
For these particular alerts, certain statistics may show zero unique IP addresses, list
the IP address as 'unknown', and will not list any packet information when decoding the alert.
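The quickest way to confirm that an 'unknown' IP is this behaviour and not a broken sensor is to look for alert rows that have no matching packet header row. The queries below are an added example, not part of the BASE FAQ; they assume the standard Snort database schema (event, signature, iphdr) as created by the Snort database output plug-in and BASE's setup scripts, MySQL syntax, and constructed sample identifiers (sid 1, cid 12345).

```sql
-- Added example, not from the BASE FAQ. Assumes the standard Snort database
-- schema: event(sid, cid, signature, timestamp), signature(sig_id, sig_name, ...),
-- iphdr(sid, cid, ip_src, ip_dst, ...). MySQL dialect.

-- Which signatures produce alerts with no decoded packet (shown as 'unknown' in BASE)?
-- An event row with no iphdr row for the same (sid, cid) is exactly such an alert.
SELECT s.sig_name,
       COUNT(*)         AS alerts,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.sid IS NULL            -- no packet information was written for this alert
GROUP BY s.sig_name
ORDER BY alerts DESC;

-- Check one specific alert (constructed sample identifiers: sensor 1, event 12345).
-- src/dst come back NULL for a preprocessor alert, which is what BASE renders as 'unknown'.
SELECT e.sid, e.cid, s.sig_name,
       INET_NTOA(i.ip_src) AS src,
       INET_NTOA(i.ip_dst) AS dst
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.sid = 1 AND e.cid = 12345;

-- Why "unique IP addresses" statistics read zero for these signatures:
-- there are no iphdr rows to count, so DISTINCT over the join yields nothing.
SELECT s.sig_name, COUNT(DISTINCT i.ip_src) AS unique_src
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY s.sig_name;
```

If the first query lists only preprocessor signatures, BASE is behaving as described. If rule-based signatures (those with a sig_sid) appear there too, the database plug-in is failing to write the iphdr rows, which is a sensor-side problem rather than a BASE one.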
BASE appears to be broken in Lynx
This is a known issue. Lynx mangles some of the form arguments appended to the URL. Its resolution is being investigated, but use Netscape, Opera, or IE in the meantime.
Can priorities be assigned to alerts?
The quick answer to this question is no. BASE is at the mercy of the underlying database: since Snort doesn't assign priorities, BASE does not have priorities. Nevertheless, there are several work-arounds:
- It is possible to enforce priorities of a sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different copies of BASE, each pointing to a different database.
- With manual intervention Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as they arrive into the appropriate group.
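The Alert Group work-around can be scripted rather than done by hand, since BASE stores groups in its own acid_ag and acid_ag_alert tables. The statements below are an added example, not code from the BASE FAQ or the BASE project; they assume the BASE/ACID tables (acid_ag, acid_ag_alert) alongside the Snort event and signature tables, MySQL syntax, and the group names and LIKE patterns are assumptions for illustration that should be adapted to your own rule naming.

```sql
-- Added example, not from the BASE FAQ. Assumes BASE's acid_ag(ag_id, ag_name,
-- ag_desc, ag_ctime, ag_ltime) and acid_ag_alert(ag_id, ag_sid, ag_cid) tables
-- plus Snort's event and signature tables. Group names and LIKE patterns are
-- assumptions for illustration. MySQL dialect.

-- 1. One Alert Group per severity level (run once; equivalent to creating the
--    groups in the BASE "Alert Group Maintenance" screen).
INSERT INTO acid_ag (ag_name, ag_desc, ag_ctime, ag_ltime)
VALUES ('critical', 'Buffer overflow / exploit attempts (assumed pattern)', NOW(), NOW()),
       ('low',      'Scans and probes (assumed pattern)',                   NOW(), NOW());

-- 2. File alerts into groups by signature name. INSERT IGNORE skips (ag_id, sid, cid)
--    triples already present, so this can be rerun from cron as new alerts arrive
--    without duplicating group membership.
INSERT IGNORE INTO acid_ag_alert (ag_id, ag_sid, ag_cid)
SELECT ag.ag_id, e.sid, e.cid
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN acid_ag ag ON ag.ag_name = 'critical'
WHERE s.sig_name LIKE '%overflow%';          -- assumed naming of critical rules

INSERT IGNORE INTO acid_ag_alert (ag_id, ag_sid, ag_cid)
SELECT ag.ag_id, e.sid, e.cid
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN acid_ag ag ON ag.ag_name = 'low'
WHERE s.sig_name LIKE 'SCAN %'               -- assumed naming of scan rules
   OR s.sig_name LIKE '(spp_portscan)%';     -- portscan preprocessor alerts

-- 3. Anything that matched no pattern still needs manual triage in BASE.
SELECT s.sig_name, COUNT(*) AS unfiled
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN acid_ag_alert aga ON aga.ag_sid = e.sid AND aga.ag_cid = e.cid
WHERE aga.ag_id IS NULL
GROUP BY s.sig_name
ORDER BY unfiled DESC;

-- 4. Severity overview: alerts per group, as BASE's Alert Group listing shows it.
SELECT ag.ag_name, COUNT(aga.ag_cid) AS alerts
FROM acid_ag ag
LEFT JOIN acid_ag_alert aga ON aga.ag_id = ag.ag_id
GROUP BY ag.ag_name;
```

Run step 2 and step 3 periodically (for example from cron) and step 1 only once; the groups then appear in BASE's Alert Group listing and can be browsed, queried, and archived like any manually created group. Because membership is keyed on the signature name, a renamed or newly added rule falls through to the unfiled list in step 3 until a pattern is added for it, which is the same gap the manual procedure has.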