2008-10-07 14:44:46

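The detection methods used by intrusion detection systems fall into two classes: signature-based detection and anomaly detection. A signature-based system captures data from the network and searches it for known attack signatures. For example, certain odd Unicode-encoded characters in a URL are the signature of an attack against the IIS Unicode flaw. The use of various pattern-matching techniques has also improved the accuracy of this method. An anomaly-detection system compares the captured data against a baseline and checks whether the data is abnormal.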

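snort is a lightweight network intrusion detection system based on libpcap. It runs on a "sensor" host and listens to network traffic. That machine may be a modest Pentium 100 PC running FreeBSD with at least one network card, although it is recommended to use the best machine available as the intrusion detection host. snort can pattern-match network data against a rule set to detect possible intrusion attempts, or, with the SPADE plugin, apply statistical methods to detect anomalies in network data.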


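Several documents were used as references for this experiment. The main one is an article on Chinaunix titled "Installing and Configuring Snort+base+mysql+php+apache with gd and Image_Graph on Redhat as4"; the other articles are:

        First, the operating system versions they use are fairly old (many are based on Red Hat 9.0), so deploying them in a current production environment easily leads to all kinds of compatibility problems.
        Third, "Installing and Configuring Snort+base+mysql+php+apache with gd and Image_Graph on Redhat as4" contains some errors, and I believe a newcomer who follows that document to the letter will still run into problems.

        Host name: localhost.localdomain                IP:                Kernel: 2.6.18-53.el5xen
        On this host I deployed RHEL5.1+Snort+Apache+MySql+Php+Gd with Gd & Image_Graph. Before the deployment, the package groups installed on my system were: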
@mysql        @development-libs        @editors        @system-tools         @gnome-software-development        @text-internet
@x-software-development @virtualization @legacy-network-server @dns-server @gnome-desktop
@dialup @core @base @ftp-server @network-server @games @java @smb-server @base-x
@chinese-support @graphics @web-server @printing @mail-server @server-cfg @sound-and-video
@sql-server @admin-tools @news-server @development-tools @graphical-internet

[root@localhost Server]# rpm -qa | grep mysql

[root@localhost Server]# rpm -qa | grep php

[root@localhost ~]# echo "AddType application/x-httpd-php .php" >> /etc/httpd/conf/httpd.conf
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# echo "" >> /var/www/html/test.php
[root@localhost Server]# mount -o username=jerrywjl // /mnt
[root@localhost Server]# cd /mnt/soft/Linux/
[root@localhost Linux]# cp snort- /usr/local/                                --snort source package
[root@localhost Linux]# cp snortrules-pr-2.4.tar.gz /usr/local/                        --snort rules
[root@localhost Linux]# cp snort /etc/init.d/                                                        --the downloaded snort init script
[root@localhost local]# cat /etc/init.d/snort
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
# config: /etc/snort/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

# Binary name, daemon flag, capture interface and configuration file
BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
  stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

[root@localhost ~]# chmod 755 /etc/init.d/snort
[root@localhost ~]# chkconfig snort on
[root@localhost Linux]# cp Image_Canvas-0.3.1.tgz /usr/local/
[root@localhost Linux]# cp Image_Color-1.0.2.tgz /usr/local/
[root@localhost Linux]# cp Image_Graph-0.7.0.tar /usr/local/
[root@localhost Linux]# cp adodb480.tgz /usr/local/
[root@localhost Linux]# cp adodb480.tgz /var/www/
[root@localhost Linux]# cp base-1.2.6.tar.gz /var/www/html/
[root@localhost Linux]# cp base-1.2.6.tar.gz /usr/local/
[root@localhost Linux]# cp jpegsrc.v6b.tar.gz /usr/local/
[root@localhost local]# tar -zxf jpegsrc.v6b.tar.gz
[root@localhost local]# cd jpeg-6b/
[root@localhost jpeg-6b]# mkdir -p /usr/local/jpeg/{bin,lib,include,man,man/man1}
[root@localhost jpeg-6b]# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
[root@localhost jpeg-6b]# make
[root@localhost jpeg-6b]# make install

[root@localhost ~]# cd /usr/local/
[root@localhost local]# tar -zxf snort-
[root@localhost local]# cd snort-
[root@localhost snort-]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost snort-]# make
[root@localhost snort-]# make install
[root@localhost snort-]# mkdir -p /etc/snort/rules /var/log/snort                --create the snort rules directory and log directory
[root@localhost snort-]# groupadd snort                                                        --create the snort user and group
[root@localhost snort-]# useradd -g snort snort -s /sbin/nologin
[root@localhost snort-]# cp etc/* /etc/snort/
[root@localhost local]# tar -zxf snortrules-pr-2.4.tar.gz
[root@localhost local]# cp rules/* /etc/snort/rules/

[root@localhost ~]# cp /etc/snort/snort.conf snort.conf.bak
[root@localhost ~]# vi /etc/snort/snort.conf
a. Change the original var EXTERNAL_NET any to var EXTERNAL_NET
b. Specify the location of the rule files: change the original var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules
c. Change output database to:
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
        I tripped up at this point during the experiment. According to the online article "Installing and Configuring Snort+base+mysql+php+apache with gd and Image_Graph on Redhat as4", if:
After the line that says
“preprocessor stream4_reassemble”
add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
# Stream5 is a target-based stream engine for Snort.  Its functionality
# replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously.  Comment out the stream4 configurations
# above to use Stream5.

[root@localhost ~]# mysql               
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>  SET PASSWORD FOR root@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.07 sec)

mysql> create database snort;
Query OK, 1 row affected (0.05 sec)

mysql> grant INSERT,SELECT on root.* to snort@localhost;
Query OK, 0 rows affected (0.05 sec)

mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456');                        --the original article has an error here
Query OK, 0 rows affected (0.00 sec)                                       

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
[root@localhost ~]# mysql -u root -p < /usr/local/snort- snort
Enter password:
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

[root@localhost local]# pear install Image_Color-1.0.2.tgz
install ok: channel://

[root@localhost local]# pear install Image_Canvas-0.3.1.tgz
install ok: channel://

[root@localhost local]# pear install Image_Graph-0.7.0.tar
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
install ok: channel://

[root@localhost ~]# cd /var/www/
[root@localhost www]# tar -zxf adodb480.tgz
[root@localhost www]# rm -fr adodb480.tgz
[root@localhost www]# cd /var/www/html/
[root@localhost html]# tar -zxf base-1.2.6.tar.gz
[root@localhost html]# mv base-1.2.6 base
[root@localhost html]# rm -fr base-1.2.6.tar.gz
[root@localhost html]# cd base/

[root@localhost ~]# cd /var/www/html/base/
[root@localhost base]# cp base_conf.php.dist base_conf.php
[root@localhost base]# vi base_conf.php

$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB

[root@localhost ~]# service snort start
Starting snort service:  
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:34:06 localhost snort[647]:     Alert if memcap exceeded DISABLED
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:06 localhost snort[647]: DNS config:  
Mar  5 21:34:06 localhost snort[647]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:34:06 localhost snort[647]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Ports:
Mar  5 21:34:06 localhost snort[647]:  53
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)

[root@localhost ~]# service snort start
Starting snort service:  
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:42:37 localhost snort[707]:     Alert if memcap exceeded DISABLED
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:37 localhost snort[707]: DNS config:  
Mar  5 21:42:37 localhost snort[707]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:42:37 localhost snort[707]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Ports:
Mar  5 21:42:37 localhost snort[707]:  53
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)

[root@localhost ~]# service snort start
Starting snort service:  735
[  OK  ]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:46:29 localhost snort[735]: | Pattern Chars    : 97521
Mar  5 21:46:29 localhost snort[735]: | Num States       : 52738
Mar  5 21:46:29 localhost snort[735]: | Num Match States : 7558
Mar  5 21:46:29 localhost snort[735]: | Memory           :   1.40Mbytes
Mar  5 21:46:29 localhost snort[735]: |   Patterns       :   0.31M
Mar  5 21:46:29 localhost snort[735]: |   Match Lists    :   0.30M
Mar  5 21:46:29 localhost snort[735]: |   Transitions    :   0.77M
Mar  5 21:46:29 localhost snort[735]: +-------------------------------------------------
Mar  5 21:46:29 localhost snort[735]: Snort initialization completed successfully (pid=735)
Mar  5 21:46:29 localhost snort[735]: Not Using PCAP_FRAMES
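
Both FATAL ERROR messages above come from rule lines that Snort refuses to parse. The following Python check is an added example, not part of the original article or of Snort: it scans rules for those two conditions before the service is started. The function names are hypothetical, and it assumes pcre options have the form "/regex/flags" or m<delim>regex<delim>flags.

```python
import re

# Constructed input: three rules quoted on this page, with the leading '#' removed.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
'''
# Assumed pcre value syntax: optional '!', then "/regex/flags" or "m<delim>regex<delim>flags".
PCRE_RE = re.compile(r'^!?"(?:/.*/|m([^A-Za-z0-9\s]).*\1)[A-Za-z]*"$', re.S)

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def check_pcre(value):
    """Return an error string unless the pcre value is properly delimited."""
    return None if PCRE_RE.match(value.strip()) else 'pcre is not of the form "/regex/flags"'

def lint_rule(rule):
    """Return the problems found in one rule line (empty list if none)."""
    m = re.search(r"\((.*)\)\s*$", rule)
    if not m:
        return ["no option body in parentheses"]
    problems, pattern, mods = [], None, set()
    for opt in split_options(m.group(1)):
        name, _, value = (s.strip() for s in opt.partition(":"))
        if name in ("content", "uricontent"):
            pattern, mods = name, set()      # modifiers apply to the latest pattern
        elif name in ("rawbytes", "http_uri"):
            mods.add(name)
            if name == "rawbytes" and pattern == "uricontent":
                problems.append("rawbytes used with uricontent")
            elif mods == {"rawbytes", "http_uri"}:
                problems.append("rawbytes and http_uri on the same content")
        elif name == "pcre" and check_pcre(value):
            problems.append(check_pcre(value))
    return problems

def lint_rules(text):
    """Lint every active (non-comment) rule; return (line_no, sid, problem) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)", line)
        for problem in lint_rule(line):
            findings.append((no, sid.group(1) if sid else "?", problem))
    return findings

if __name__ == "__main__":
    for no, sid, problem in lint_rules(SAMPLE_RULES):
        print("line %d sid %s: %s" % (no, sid, problem))
```

Knowing which option is malformed lets a rule be repaired rather than commented out: in sid 3545 the pcre value is only missing its leading "/", which the neighbouring sid 3544 has.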

Basic Analysis and Security Engine (BASE)
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the BASE DB structure (table: acid_ag)is not present. Use the Setup page to configure and optimize the DB.
Click "Setup page" to run the installation.

Database ERROR:Database ERROR:Table 'snort.base_users' doesn't exist
[root@localhost base]# vi base_conf.php

<?php
/*
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
** (see the file "base_main.php" for license details)
** Project Leads: Kevin Johnson
** Built upon work by Roman Danyliw
** Purpose: Vanilla Config file
** Authors:
** Kevin Johnson
*/
    $BASE_VERSION = '1.2.6 (christine)';

    /* Set the below to the language you would like people to use while viewing
     * your install of BASE.
     */
    $BASE_Language = 'english';

    /* Set the $Use_Auth_System variable to 1 if you would like to force users to
     * authenticate to use the system.  Only turn this off if the system is not
     * accessible to the public or the network at large.  i.e. a home user testing it
     */

    $Use_Auth_System = 0;

    /* Set the base_urlpath to the url location that is the root of your BASE install.
     * This must be set for BASE to function! Do not include a trailing slash!
     * But also put the preceding slash. e.g. Your URL is [url][/url]
     * set this to /base
     */

    $BASE_urlpath = '/base';

    /* Unique BASE ID.  The below variable, if set, will append its value to the
     * title bar of the browser.  This is for people who manage multiple installs
     * of BASE and want a simple way to differentiate them on the task bar.
     */

    $BASE_installID = '';

    /* Custom footer addition.  The below variable, if set, will cause
    *  base_main.php to include what ever file is specified.
    *  A sample custom footer file is in the contrib directory
    */
   $base_custom_footer = '';

    /* Path to the DB abstraction library
     *  (Note: DO NOT include a trailing backslash after the directory)
     *   e.g. $foo = '/tmp'      [OK]
     *        $foo = '/tmp/'     [OK]
     *        $foo = 'c:\tmp'    [OK]
     *        $foo = 'c:\tmp\'   [WRONG]
     */
    $DBlib_path = '/var/www/adodb';

    /* The type of underlying alert database
     *  MySQL       : 'mysql'
     *  PostgresSQL : 'postgres'
     *  MS SQL Server : 'mssql'
     *  Oracle      : 'oci8'
     */
    $DBtype = 'mysql';

    /* Alert DB connection parameters
     *   - $alert_dbname   : MySQL database name of Snort alert DB
     *   - $alert_host     : host on which the DB is stored
     *   - $alert_port     : port on which to access the DB
     *   - $alert_user     : login to the database with this user
     *   - $alert_password : password of the DB user
     *  This information can be gleaned from the Snort database
     *  output plugin configuration.
     */
    $alert_dbname   = 'snort';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = '123456';

    /* Archive DB connection parameters */
    $archive_exists   = ''; # Set this to 1 if you have an archive DB
    $archive_dbname   = '';
    $archive_host     = '';
    $archive_port     = '';
    $archive_user     = '';
    $archive_password = '';

    /* Type of DB connection to use
     *   1  : use a persistent connection (pconnect)
     *   2  : use a normal connection (connect)
     */
    $db_connect_method = 1;

    /* Use referential integrity
     *   1  : use
     *   0  : ignore (not installed)
     * Note: Only PostgreSQL and MS-SQL Server databases support
     *       referential integrity.  Use the associated
     *       create_acid_tbls_?_extra.sql script to add this
     *       functionality to the database.
     *       Referential integrity will greatly improve the
     *       speed of record deletion, but also slow record
     *       insertion.
     */
    $use_referential_integrity = 0;

    /* Variable to start the ability to handle themes... */
    $base_style = 'base_style.css';

    /* File format of charts (png, jpeg, gif) */
    $chart_file_format = 'png';

    /* Chart default colors - (red, green, blue)
     *    - $chart_bg_color_default    : background color of chart
     *    - $chart_lgrid_color_default : gridline color of chart
     *    - $chart_bar_color_default   : bar/line color of chart
     */
    $chart_bg_color_default     = array(255,255,255);
    $chart_lgrid_color_default  = array(205,205,205);
    $chart_bar_color_default    = array(190, 5, 5);

    /* Maximum number of rows per criteria element */
    $MAX_ROWS = 10;

    /* Number of rows to display for any query results */
    $show_rows = 48;

    /* Number of items to return during a snapshot
     *  Last _X_ # of alerts/unique alerts/ports/IP
     */
    $last_num_alerts = 15;
    $last_num_ualerts = 15;
    $last_num_uports = 15;
    $last_num_uaddr = 15;

    /* Number of items to return during a snapshot
     *  Most Frequent unique alerts/IPs/ports
     */
    $freq_num_alerts = 5;
    $freq_num_uaddr = 15;
    $freq_num_uports = 15;

    /* Number of scroll buttons to use when displaying query results */
    $max_scroll_buttons = 12;

    /* Debug mode     - how much debugging information should be shown
     * Timing mode    - display timing information
     * SQL trace mode - log SQL statements
     *   0 : no extra information
     *   1 : debugging information
     *   2 : extended debugging information
     * HTML no cache - whether a no-cache directive should be sent
     *                 to the browser (should be = 1 for IE)
     * SQL trace file - file to log SQL traces
     */
    $debug_mode = 0;
    $debug_time_mode = 1;
    $html_no_cache = 1;
    $sql_trace_mode = 0;
    $sql_trace_file = '';

    /* Auto-Screen refresh
     * - Refresh_Stat_Page - Should certain statistics pages refresh?
     * - Stat_Page_Refresh_Time - refresh interval (in seconds)
     */
    $refresh_stat_page = 1;
    $stat_page_refresh_time = 180;

    /* Display First/Previous/Last timestamps for alerts or
     * just First/Last on the Unique Alert listing.
     *    1: yes
     *    0: no
     */
    $show_previous_alert = 0;

    /* Sets maximum execution time (in seconds) of any particular page.
     * Note: this overrides the PHP configuration file variable
     *       max_execution_time.  Thus script can run for a total of
     *       ($max_script_runtime + max_execution_time) seconds
     */
    $max_script_runtime = 180;

    /* How should the IP address criteria be entered in the Search screen?
     *   1 : each octet is a separate field
     *   2 : entire address is as a single field
     */
    $ip_address_input = 2;

    /* Should a combo box with possible signatures be displayed on the
     * search form. (Requires Javascript)
     *   0 : disabled
     *   1 : show only non pre-processor signatures (e.g., ignore portscans)
     *   2 : show all signatures
     */
    $use_sig_list = 0;

    /* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 0;

    /* Should summary stats be calculated on every Query Results page
     * (Enabling this option will slow page loading time)
     */
    $show_summary_stats = 0;

    /* DNS cache lifetime (in minutes) */
    $dns_cache_lifetime = 20160;

    /* Whois information cache lifetime (in minutes) */
    $whois_cache_lifetime = 40320;

    /* Snort spp_portscan log file */
    $portscan_file = '';

    /* Show part of portscan payload in signature */
    $portscan_payload_in_signature = '1';

    /* Event cache Auto-update
     *  Should the event cache be verified and updated on every
     *  page log?  Otherwise, the cache will have to be explicitly
     *  updated from the 'cache and status' page.
     *  Note: enabling this option could substantially slow down
     *  the page loading time when there are many uncached alerts.
     *  However, this is only a one-time penalty.
     *   1 : yes
     *   0 : no
     */
    $event_cache_auto_update = 1;

    /* Maintain a history of the visited pages so that the 'Back'
     * button can be used.
     * Note: Enabling this option will cause the PHP-session to
     * grow substantially after many pages have been viewed causing
     * a slow down in page loading time. Periodically return to the
     * main page to clear the history.
     *   1 : yes
     *   0 : no
     */
    $maintain_history = 1;

    /* Level of detail to display on the main page.
     * Note: The presence of summary statistics will slow page loading time
     *   1 : show both the links and summary statistics
     *   0 : show only the links and a count of the number of alerts
     */
    $main_page_detail = 1;

    /* avoid count(*) whenever possible
     * Note: On some databases (e.g., postgres) this can greatly increase
     * performance if you have a large number of events. On other databases
     * (e.g., mysql) this will have little to no effect. Enabling this
     * option will prevent the number of events in the database from being
     * shown on the main screen and will remove the percentages associated
     * with the number of events on the alert screen.
     */
    $avoid_counts = 0;

    /* show links to first/last/previous event on alert screen
     * Note: Enabling this can slow down loading of the alert screen on large
     * databases
     */
    $show_first_last_links = 0;

    /* External URLs */

    /* Whois query */
    $external_whois_link = '';

     /* DNS query */
    $external_dns_link = '';

    /* SamSpade 'all' query */
    $external_all_link = '';

    /* TCP/UDP port database */
    $external_port_link = array('sans'     => '',
                                'portsdb'  => '',
                                'tantalo'  => '',
                                'sstats'   => '');

    /* Signature references */
    $external_sig_link = array('bugtraq'   => array('', ''),
                               'snort'     => array('', ''),
                               'cve'       => array('', ''),
                               'arachnids' => array('', ''),
                               'mcafee'    => array('', '.htm'),
                               'icat'      => array('', ''),
                               'nessus'    => array('', ''),
                               'url'       => array('http://', ''),
                               'local' => array('signatures/', '.txt'));

    /* Email Alert action
     * - action_email_from : email address to use in the FROM field of the mail message
     * - action_email_subject : subject to use for the mail message
     * - action_email_msg : additional text to include in the body of the mail message
     * - action_email_mode : specifies how the alert information should be enclosed
     *     0 : alerts should be in the body of the message
     *     1 : alerts should be enclosed in an attachment
     */
    $action_email_from = 'BASE Alert ';
    $action_email_subject = 'BASE Incident Report';
    $action_email_msg = '';
    $action_email_mode = 0;

    /* Custom (user) PHP session handlers
     * - use_user_session : sets whether user PHP session can be used (configured
     *                      with the session.save_handler variable in php.ini)
     *      0 : no
     *      1 : yes (assuming that 'user_session_path' and 'user_session_function'
     *               are configured correctly)
     * - user_session_path : file to include that implements the custom PHP session
     *                       handler
     * - user_session_function : function to invoke in the custom session
     *                           implementation that will register the session handler
     *                           functions
     */
    $use_user_session = 0;
    $user_session_path = '';
    $user_session_function = '';

    /* The below line should not be changed! */
    $BASE_path = dirname(__FILE__);

    // _BASE_INC is a variable set to prevent direct access to certain include files....
    define( '_BASE_INC', 1 );

    // Include for languages
"base_conf.php" [New] 364L, 13299C written
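
The sensor's output database line in snort.conf and BASE's $alert_* settings have to point at the same database, and on this page the sensor writes as MySQL root while BASE logs in as snort with $Use_Auth_System = 0. The Python check below is an added example, not code from the original article or the BASE project: it cross-checks the two files. The function names are hypothetical and CHANGE_ME is a placeholder password.

```python
import re

# Values as configured on this page.
PAGE_SNORT_CONF = "output database: log, mysql, user=root password=123456 dbname=snort host=localhost"
PAGE_BASE_CONF = """
$Use_Auth_System = 0;
$DBtype = 'mysql';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_user     = 'snort';
$alert_password = '123456';
"""
# Constructed alternative: the sensor uses the dedicated snort account and BASE
# requires a login. CHANGE_ME is a placeholder, not a value from the page.
FIXED_SNORT_CONF = "output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost"
FIXED_BASE_CONF = PAGE_BASE_CONF.replace("= 0;", "= 1;").replace("123456", "CHANGE_ME")

def parse_output_database(conf_text):
    """Return (dbtype, params) from the first active 'output database:' line."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+database:\s*\w+\s*,\s*(\w+)\s*,?\s*(.*)$", line)
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            return m.group(1), params
    return None

def parse_php_vars(php_text):
    """Collect simple `$name = 'value';` and `$name = 123;` assignments."""
    pat = re.compile(r"""^\s*\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\d+))\s*;""", re.M)
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in pat.finditer(php_text)}

def audit(conf_text, php_text):
    """Cross-check the sensor's DB output line against BASE's settings."""
    parsed, php = parse_output_database(conf_text), parse_php_vars(php_text)
    if parsed is None:
        return ["snort.conf: no active 'output database:' line"]
    dbtype, db = parsed
    findings = []
    if db.get("user") == "root":
        findings.append("snort.conf: sensor writes alerts as MySQL root; use the "
                        "dedicated account that was granted rights on snort.*")
    for conf_key, php_key in (("dbname", "alert_dbname"), ("host", "alert_host")):
        if db.get(conf_key) != php.get(php_key):
            findings.append("mismatch: snort.conf %s=%r vs base_conf.php $%s=%r"
                            % (conf_key, db.get(conf_key), php_key, php.get(php_key)))
    if dbtype != php.get("DBtype"):
        findings.append("mismatch: database type %r vs $DBtype=%r"
                        % (dbtype, php.get("DBtype")))
    if php.get("Use_Auth_System") == "0":
        findings.append("base_conf.php: $Use_Auth_System = 0, the console needs no login")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_SNORT_CONF, PAGE_BASE_CONF):
        print(finding)
```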
