Title: Demarc setup notes on SuSE
Subject: demarc is an IDS and monitor which uses mysql, snort and apache
############################################
#   Snort with mysql install on suse 7.2
############################################
#  Use rpm to install all but snort (the packages in the query below).
#  The query shows snort-1.8.1-16 is already installed; remove that package
#  (rpm -e snort) before building 1.8.3 from source so the two do not collide.
root /home/jstile  510--> rpm -qa | egrep "flex|libnet|mysql|libpcap|bison|snort"
flex-2.5.4-353
mysql-shared-3.23.37-24
bison-1.28-87
kmysql-1.2.1-196
libpcapn-0.4a6-343
snort-1.8.1-16
mysql-navigator-0.6.1-60
mysql-client-3.23.37-24
mysql-devel-3.23.37-24
mysql-3.23.37-24
mysql-bench-3.23.37-24
libnet-1.0.2a-50


 # Build snort 1.8.3 from source with MySQL output support (the packaged 1.8.1
 # rpm was removed above).  Verify the tarball's checksum/signature against the
 # one published by the snort project before unpacking: this archive is built
 # and installed as root.
 tar -zxvpf snort-1.8.3.tar.gz 
 cd snort-1.8.3
 # --with-mysql points at the headers from the mysql-devel rpm listed above
 ./configure --with-mysql=/usr/include/mysql 
make
make install
# snort's log directory must exist before it starts; consider restricting it
# to root / the account snort runs as instead of leaving the mkdir default.
mkdir /var/log/snort
# -T: test mode - parse the configuration, report, and exit without sniffing
snort -T

################################################
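echo "Creating the group for demarc:  demarc"

# Fixed uid/gid so the account is identical on every monitor/sensor host;
# pick another free id if 497 is already taken (check /etc/group, /etc/passwd).
/usr/sbin/groupadd -g 497 demarc
################################################
echo "Create the demarc user:  demarc"

# Dedicated unprivileged account that owns the demarc tree under /home/demarc.
# It keeps a login shell because a later step runs "su - demarc -c ..."; if
# that is never needed, /bin/false is the safer choice.  -m creates the home dir.
useradd -u 497 \
	-g demarc \
	-d /home/demarc \
	-c "Demarc 1.05 - Stable" \
	-s /bin/bash \
	-m demarc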
#################################################
echo "Move downloaded file into home dir of demarc"
# Check the tarball's checksum/signature against the one published for
# 1.05-stable before unpacking it as root.
mv demarc-1.05-stable.tar.gz ~demarc/

#################################################
echo "Unpacking The Stuff"
cd ~demarc/
# Run as root, tar keeps the ownership and permission bits recorded in the
# archive (-p); afterwards check that the tree belongs to demarc
# (chown -R demarc:demarc ~demarc/demarc-1.05-stable if it does not).
tar -zxvpf demarc-1.05-stable.tar.gz
# Stable path used by everything below (~demarc/demarc), independent of version.
ln -s demarc-1.05-stable demarc
cd demarc

#################################################
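echo "Fix permissions on tmp directory such that "
echo "apache user can edit the directory"
# The web front end runs as the Apache User ('nobody' in this setup - confirm
# against the User directive in httpd.conf) and writes into tmp/.  Give that
# user ownership and let the demarc group write too.  Do NOT use 777: that
# lets every local account drop or replace files that the CGI later reads back.
 chown nobody:demarc ~demarc/demarc/tmp
 chmod 770 ~demarc/demarc/tmp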
 
##################################################
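echo "check if perl is in the right place"
# The demarc scripts hard-code /usr/bin/perl in their #! line.  Compare that
# with where perl actually lives on this box; if they differ, fix the #! line
# (or add a symlink) rather than running the scripts under some other perl.
# Absolute paths are used because the previous step left us in ~demarc/demarc,
# where the original relative 'demarc/...' paths would not resolve.
which perl
demarc_home=~demarc
perl_files="$demarc_home/demarc/bin/demarcd $demarc_home/demarc/cgi/demarc $demarc_home/demarc/install/dm_load_db.pl $demarc_home/demarc/install/check_pms.pl"
for file in $perl_files
do
   # show the interpreter line only; a grep for /usr/bin/perl would also
   # match any mention of the path elsewhere in the script
   head -1 "$file"
done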

##################################################
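echo "Create the empty database"
	# The snort/demarc DB user only needs INSERT, SELECT, DELETE and UPDATE on
	# this one database - grant exactly those below, nothing global.

# Authenticate as the MySQL root user (as the mysqldump/mysql invocations later
# in these notes do); -p prompts for the password instead of putting it on the
# command line where ps and shell history would show it.
mysqladmin -u root -p create snort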

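 -- Run these in the mysql client as the MySQL root user:  mysql -u root -p mysql
 --
 -- Least privilege: the snort account needs only UPDATE, DELETE, INSERT and
 -- SELECT on the snort database (that is what dm_load_db.pl, the web front
 -- end and demarcd use).  Do NOT create it by inserting a row into mysql.user
 -- with File_priv, Grant_priv, Process_priv, Shutdown_priv, Drop_priv etc. -
 -- those are global privileges and would let a compromised sensor or CGI read
 -- any file the server can, hand out grants, or shut MySQL down.
 --
 -- Replace 'your_password' with a strong, unique password; the same value is
 -- typed into dm_load_db.pl and demarcd -I below and ends up in
 -- DEMARC_config.pm, so it will live in a file - never use 'snort'.
 --
 -- A bare "to snort" would create snort@'%' (reachable from any host), so the
 -- host part is always given.  MySQL treats a socket connection ('localhost')
 -- and a TCP connection to 127.0.0.1 as different hosts; demarcd -I asks for
 -- an IP address, so both local forms are granted.
 grant UPDATE,DELETE,INSERT,SELECT on snort.* to snort@localhost
 identified by 'your_password';

 grant UPDATE,DELETE,INSERT,SELECT on snort.* to snort@127.0.0.1
 identified by 'your_password';

 -- One entry per remote sensor host, restricted to that sensor's address.
 -- MySQL client traffic is plaintext by default, so the sensor and the
 -- monitor should share a trusted network segment (or be tunnelled).
 grant UPDATE,DELETE,INSERT,SELECT on snort.* to snort@192.12.0.1
 identified by 'your_password';

 FLUSH PRIVILEGES;

 exit ;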
       
###################################################
# Perl modules demarc needs that the SuSE rpms do not provide
# (install/check_pms.pl presumably reports which ones are missing - run it
# first).  CPAN downloads and builds these as root from the network with no
# signature check, so use a mirror you trust and review what gets pulled in.
# GD typically also needs the libgd/libpng development headers to build.
 perl -MCPAN -e'install "Bundle::CPAN"'
 perl -MCPAN -e'install "GD"'
###################################################
echo "Populate the mysql database"
 cd install/
 ./dm_load_db.pl
 	 DB USER? >snort
	 DB PASSWORD? >your_password
	 DB HOST? >localhost
	 DB NAME? >snort
 
 	press return:
 	
	 User: snort
 	 Password: your_password
 	 Host: localhost
	 Name: snort

	 Is this correct?[Y/n] y
	 
# I had to restart the mysql db after adding the user=snort and passwd=snort for the script to work
# (rows written straight into the mysql.user table are not picked up until FLUSH PRIVILEGES
# or a restart; GRANT statements take effect immediately).  'snort' as a password is only an
# example - use the strong one chosen for the GRANT above.
	 
###################################################
echo ""
# Expose the CGI directory and the images under the Apache document root
# (/usr/local/httpd/htdocs on SuSE); htdocs needs Options FollowSymLinks (or
# SymLinksIfOwnerMatch) for these to be served.  The Alias /dm + mod_perl
# handler configured further down must cover /dm, otherwise DEMARC_config.pm -
# which holds the database password - is just a file under htdocs and can be
# fetched with a browser.
ln -s /home/demarc/demarc/cgi /usr/local/httpd/htdocs/dm
ln -s /home/demarc/demarc/images /usr/local/httpd/htdocs/dm_images


 # 644 leaves the DB password in DEMARC_config.pm readable by every local
 # account.  Once the Apache User/Group is confirmed (httpd.conf), prefer
 # chgrp <apache group> plus chmod 640 so only the web server and demarc read it.
 chmod 644    ~demarc/demarc/cgi/DEMARC_config.pm
 chmod 644    ~demarc/demarc/cgi/StaticServices.pm
 # the CGI entry point must be executable
 chmod 755    ~demarc/demarc/cgi/demarc
 # -R 644 also strips x from the directory itself, which the next line
 # restores; any subdirectories under templates/ would need the same fix.
 chmod -R 644 ~demarc/demarc/cgi/templates
 chmod  755   ~demarc/demarc/cgi/templates


vi ~demarc/demarc/cgi/DEMARC_config.pm
	#insert the database user/password/host/name created above (this file then holds the DB password - keep it unreadable to other local users)
 
 	# change the value for "monitor_sid" to the snort SID that the monitor is being run from
 
 	# 
	
	# 
###################################################
echo "fix apache with the mod_perl method"

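# Added to httpd.conf.  The indented directives in the original notes were
# missing their enclosing container; without <Location> they would apply
# server-wide, handing every request on the server to Apache::Registry.
Alias /dm /home/demarc/demarc/cgi
<Location /dm>
      SetHandler perl-script
      PerlHandler Apache::Registry
      Options ExecCGI
      PerlSendHeader On
      DirectoryIndex demarc
      # The console is an admin interface: only the loopback host is allowed
      # until the admin workstations / management subnet are added.  Do not
      # replace this with "allow from all".  Serve /dm over HTTPS only - the
      # login form sends the admin password.
      Order deny,allow
      Deny from all
      Allow from 127.0.0.1
</Location>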
	
###################################################
#  Login.
http://localhost/dm/
username = admin
password = my_DEMARC    (these look like the shipped defaults - change the admin password at first login; anyone who can reach /dm can guess them)

THIS WILL ATTEMPT TO INSTALL A NEW SNORT SENSOR

Continue ? [Yn] y

####################################################
vi /home/demarc/demarc/cgi/demarc
 	replace every /usr/local/demarc with the install prefix used here, /home/demarc/demarc (the demarcd edits below show the same substitution)

vi /home/demarc/demarc/bin/demarcd
	my $config_file = $opts{'f'} || "/home/demarc/demarc/conf/demarcd.conf";
	# Path/filename of logfile
	my $logfile                                                     = &get_config_value("logfile") || "/home/demarc/demarc/log/demarcd_log";
	##########

	##########
	# Path/filename of allowed commands file
	my $cmdfile                                                     = &get_config_value("cmdfile") || "/home/demarc/demarc/conf/regen.cmds";

/usr/local/demarc/conf/snort.conf



./bin/demarcd -I

As root, run--> ~demarc/demarc/bin/demarcd -I   (the installer asks for lynx and tar, so it apparently fetches and unpacks files from the network as root - check what it downloads; the DB password entered here is the one chosen for the GRANT, not 'snort')
  Database Username snort should use [snort]: snort
  Database Password snort should use: snort
  Database Host snort should connect to (please use IP address, even 127.0.0.1 for localhost) [127.0.0.1]: localhost    (answer 127.0.0.1 as the prompt asks; a TCP connection is matched against a snort@127.0.0.1 grant, not snort@localhost)
  Database name snort should use [snort]: snort
  Name of this sensor (should contain no spaces): johns2
  Continue (you'll have to have lynx and tar installed for this to work) ? [yN] y
Don't forget, your new SID is 1
  Please proceed to edit conf/demarcd.conf to insert your SID (1) for this sensor and customize other options (remember, there should only be ONE main_monitor, and this is specified in demarcd.conf).




###################################
# Start the sensor.  Where this init script comes from is not shown (the
# 1.8.1 rpm was removed); make sure it runs the source-built snort (make
# install above puts it under /usr/local by default) with the demarc
# snort.conf rather than the old package's defaults.
/etc/init.d/snort start

 # NOTE(review): this line looks inconsistent with the rest of the notes -
 # bin/demarc is not among the scripts listed earlier (bin/demarcd is), and
 # "cd ~/" lands in /home/demarc, not /home/demarc/demarc where bin/ lives.
 # Probably meant: su - demarc -c "cd ~/demarc; ./bin/demarcd -I" - confirm.
 su - demarc -c "cd ~/;./bin/demarc -I"

# Register this host as a sensor (the same "demarcd -I" step shown above, run as root).
cd /home/demarc/demarc;./bin/demarcd -I

#####################################################
#  Move the mysql data to another machine
#####################################################
# The dump is a plain-text copy of everything the sensors logged.  -p prompts
# for the root password instead of exposing it in argv; the output file is
# created with the current umask, so use umask 077 (or chmod 600 it) and
# delete it on both hosts after the import.
mysqldump --opt snort  -u root -p > snort-file.sql
# scp encrypts the transfer, but the file is still cleartext at rest on both ends.
scp snort-file.sql jstile@parallel.corp:~/
# Only the snort database is dumped; the snort user's grants live in the mysql
# database, so re-run the GRANT statements on the target host.
mysql snort -u root -p < snort-file.sql

###################################################
# turn off ssl lockout (this appears to be the check that refuses non-SSL access; disabling it lets the admin login travel over plain HTTP - only do so if /dm is reached through an SSL-enabled vhost or over loopback)
/home/demarc/demarc/cgi/DEMARC_config.pm

###################################################
# set proper path to programs
grep -C10 ping cgi/DEMARC_config.pm

###################################################
# register as sid 2
vi conf/demarcd.conf