Title: Demarc setup notes on SuSE
Subject: demarc is an IDS and monitor which uses mysql, snort and apache
############################################
# Snort with mysql install on suse 7.2
############################################
# Use rpm to install all but snort.
# If snort is on system, remove it first (the rpm -qa listing below still shows snort-1.8.1-16 installed).
root /home/jstile 510--> rpm -qa | egrep "flex|libnet|mysql|libpcap|bison|snort"
flex-2.5.4-353
mysql-shared-3.23.37-24
bison-1.28-87
kmysql-1.2.1-196
libpcapn-0.4a6-343
snort-1.8.1-16
mysql-navigator-0.6.1-60
mysql-client-3.23.37-24
mysql-devel-3.23.37-24
mysql-3.23.37-24
mysql-bench-3.23.37-24
libnet-1.0.2a-50
# This snort is built from a downloaded tarball instead of a distribution package:
# verify the tarball against the checksum/signature published with it before unpacking.
# Note that unpacking as root keeps the archive's file modes, including any setuid bits.
tar -zxvpf snort-1.8.3.tar.gz
cd snort-1.8.3
./configure --with-mysql=/usr/include/mysql
make
make install
mkdir /var/log/snort
snort -T
################################################
echo "Creating the group for demarc: demarc"
/usr/sbin/groupadd -g 497 demarc
################################################
echo "Create the demarc user: demarc"
useradd -u 497 \
        -g demarc \
        -d /home/demarc \
        -c "Demarc 1.05 - Stable" \
        -s /bin/bash \
        demarc -m
#################################################
echo "Move downloaded file into home dir of demarc"
mv demarc-1.05-stable.tar.gz ~demarc/
#################################################
echo "Unpacking The Stuff"
cd ~demarc/
tar -zxvpf demarc-1.05-stable.tar.gz
ln -s demarc-1.05-stable demarc
cd demarc
#################################################
echo "Fix permissions on tmp file such that "
echo "apache user can edit the directory"
# Give the directory to the web-server account rather than making it world-writable:
# chmod 777 lets every local account plant or replace files the CGI later reads from tmp.
# SuSE's Apache normally runs as wwwrun, not nobody -- check the User directive in
# httpd.conf and chown to whatever account it actually is.
chown nobody ~demarc/demarc/tmp
chmod 700 ~demarc/demarc/tmp        # was: chmod 777
##################################################
echo "check if perl is in the right place"
# These paths are relative to ~demarc (they start with demarc/), not to ~demarc/demarc
# where the previous cd left us -- run this loop from the home directory.
perl_files='demarc/bin/demarcd demarc/cgi/demarc demarc/install/dm_load_db.pl demarc/install/check_pms.pl'
for file in $perl_files
do
    grep \/usr\/bin\/perl $file
done
##################################################
echo "Create the empty database"
# user must have INSERT, SELECT, DELETE, and UPDATE -- and nothing more (see the note on the INSERT below).
mysqladmin create snort
# A host-less "to snort" is snort@'%' in MySQL, i.e. reachable from any host that can
# reach the server; grant per host only (as the second line does). Pick a real password:
# it is stored in clear in DEMARC_config.pm and demarcd.conf later on.
grant UPDATE,DELETE,INSERT,SELECT on snort.* to snort identified by 'your_password';
grant UPDATE,DELETE,INSERT,SELECT on snort.* to snort@192.12.0.1 identified by 'your_password';
FLUSH PRIVILEGES;
exit ;
# DO NOT use the following INSERT as-is. Privilege columns in mysql.user are GLOBAL, so this
# row makes snort@localhost a superuser -- File_priv (read/write any file the server can),
# Grant_priv, Shutdown_priv, Process_priv -- with the guessable password 'snort'. It contradicts
# the "INSERT, SELECT, DELETE, and UPDATE" requirement above; the GRANT statements restricted
# to snort.* are all the sensor and console need. Kept here only to document what was tried.
INSERT INTO user SET host = 'localhost', \
  user = 'snort',\
  password = PASSWORD('snort'), \
  Select_priv = 'Y', \
  Insert_priv = 'Y', \
  Update_priv = 'Y',\
  Delete_priv = 'Y', \
  Create_priv = 'Y', \
  Drop_priv = 'Y', \
  Reload_priv = 'Y', \
  Shutdown_priv = 'Y', \
  Process_priv = 'Y', \
  File_priv = 'Y', \
  Grant_priv = 'Y', \
  References_priv = 'Y', \
  Index_priv = 'Y', \
  Alter_priv = 'Y'
###################################################
# Some Perl modules are needed
perl -MCPAN -e'install "Bundle::CPAN"'
perl -MCPAN -e'install "GD"'
###################################################
echo "Populate the mysql database"
cd install/
./dm_load_db.pl
DB USER? >snort
DB PASSWORD? >your_password
DB HOST? >localhost
DB NAME? >snort
press return:
User: snort
Password: your_password
Host: localhost
Name: snort
Is this correct?[Y/n] y
# I had to restart the mysql db after adding the user=snort and passwd=snort for the script to work.
# Reason: rows inserted directly into mysql.user are not seen by the server until FLUSH PRIVILEGES
# (or a restart); GRANT statements take effect immediately and do not need either.
###################################################
echo ""
ln -s /home/demarc/demarc/cgi /usr/local/httpd/htdocs/dm
ln -s /home/demarc/demarc/images /usr/local/httpd/htdocs/dm_images
# DEMARC_config.pm will hold the database password once edited below, and its directory is
# linked under the document root. Don't leave it world-readable: give it to the web server's
# group (Group directive in httpd.conf) and use 640, and make sure the mod_perl handler block
# below is really active so a .pm under /dm/ is never served back as plain text.
# chgrp <apache group> ~demarc/demarc/cgi/DEMARC_config.pm
chmod 640 ~demarc/demarc/cgi/DEMARC_config.pm       # was: chmod 644
chmod 644 ~demarc/demarc/cgi/StaticServices.pm
chmod 755 ~demarc/demarc/cgi/demarc
chmod -R 644 ~demarc/demarc/cgi/templates
chmod 755 ~demarc/demarc/cgi/templates
vi ~demarc/demarc/cgi/DEMARC_config.pm
#insert your database information
# change the value for "monitor_sid" to the snort SID that the monitor is being run from
#
#
###################################################
echo "fix apache with the mod_perl method"
# This fragment appears to have lost its <Location /dm> ... </Location> wrapper when pasted;
# as written SetHandler/PerlHandler would apply server-wide. Inside the wrapper, add an access
# restriction rather than leaving "allow from all" commented out -- the console exposes IDS data
# and an admin login, so limit it to the console network (order deny,allow / deny from all /
# allow from <console net>) and put it behind HTTPS.
Alias /dm /home/demarc/demarc/cgi
SetHandler perl-script
PerlHandler Apache::Registry
Options ExecCGI
#allow from all
PerlSendHeader On
DirectoryIndex demarc
###################################################
# Login.
http://localhost/dm/
username = admin
password = my_DEMARC
# my_DEMARC looks like the install default -- change it at first login. It is an HTTP
# form password, so it travels in clear unless the console is reached over HTTPS.
THIS WILL ATTEMPT TO INSTALL A NEW SNORT SENSOR
Continue ? [Yn] y
####################################################
vi /home/demarc/demarc/cgi/demarc
    replace /usr/local/demarc
vi /home/demarc/demarc/bin/demarcd
my $config_file = $opts{'f'} || "/home/demarc/demarc/conf/demarcd.conf";
# Path/filename of logfile
my $logfile = &get_config_value("logfile") || "/home/demarc/demarc/log/demarcd_log";
##########
##########
# Path/filename of allowed commands file
my $cmdfile = &get_config_value("cmdfile") || "/home/demarc/demarc/conf/regen.cmds";
# demarcd is started as root below and presumably executes what this "allowed commands" file
# lists, so conf/regen.cmds and conf/demarcd.conf should be root-owned and not writable by the
# demarc or web-server accounts -- otherwise whoever can edit them runs commands as root.
/usr/local/demarc/conf/snort.conf
./bin/demarcd -I
As root, run--> ~demarc/demarc/bin/demarcd -I
Database Username snort should use [snort]: snort
Database Password snort should use: snort
# Answering "localhost" here despite the prompt asking for an IP is what worked in this run.
# Note MySQL matches a socket connection ('localhost') and a TCP connection ('127.0.0.1')
# against different grant rows, so the answer must agree with the host used in the GRANT.
Database Host snort should connect to (please use IP address, even 127.0.0.1 for localhost) [127.0.0.1]: localhost
Database name snort should use [snort]: snort
Name of this sensor (should contain no spaces): johns2
Continue (you'll have to have lynx and tar installed for this to work) ?
[yN] y
Don't forget, your new SID is 1
Please proceed to edit conf/demarcd.conf to insert your SID (1) for this sensor and customize other options
(remember, there should only be ONE main_monitor, and this is specified in demarcd.conf).
###################################
/etc/init.d/snort start
# The next line probably meant ~/demarc/bin/demarcd -I (there is no bin/demarc under $HOME);
# the line after it runs the same thing as root, which is what the earlier "As root, run" note says.
su - demarc -c "cd ~/;./bin/demarc -I"
cd /home/demarc/demarc;./bin/demarcd -I
#####################################################
# Move the mysql data to another machine
#####################################################
mysqldump --opt snort -u root -p > snort-file.sql
# The dump holds the captured alert data: keep it mode 600 and remove it from both hosts
# once the import has been checked.
scp snort-file.sql jstile@parallel.corp:~/
mysql snort -u root -p < snort-file.sql
###################################################
# turn off ssl lockout
# (presumably the setting that refuses non-HTTPS logins -- with it off, the admin password
# and session travel in clear text, so only do this for a host-local or otherwise encrypted path)
/home/demarc/demarc/cgi/DEMARC_config.pm
###################################################
# set proper path to programs
# Use absolute paths: these get run by the console under the web-server account, so a
# bare program name would be resolved through Apache's PATH.
grep -C10 ping cgi/DEMARC_config.pm
###################################################
# register as sid 2
vi conf/demarcd.conf