First you must check to see if you have the
necessary perl modules.  There is an included
"configure" script that can help you determine
which modules you need and even help you install
those for you through CPAN (accessible on
the www at http://www.cpan.org).

After that it's just a matter of adding a few lines
in your web server's configuration file, and copying
the scripts and supporting files to their proper
directories.


What You Will Need:
1) The location of your web server's cgi-bin directory.
2) The location of your document root for your web server
   (ie where your website pages are stored).
3) r00t permission.
4) A working copy of Snort 1.8 (Very important that it
   is 1.8 and NOT 1.7, as the DB plugin has changed).
5) A working mysql server and a valid username/password
   that has permission to create databases and tables.


Now that you've got all the perl modules installed...
the rest is easy!

Simply insert the following lines into your Apache httpd.conf
file (other servers will require a different syntax):

# FOR REGULAR PERL:
ScriptAlias /dm/ "/usr/local/www/dm/"


# FOR MOD_PERL:
    PerlModule Apache::Registry
    KeepAlive Off

    Alias /dm/ /usr/local/www/dm/
    <Location /dm>
      SetHandler perl-script
      PerlHandler Apache::Registry
      Options ExecCGI
      allow from all
      PerlSendHeader On
    </Location>


You do NOT need both groupings of directives above,
simply determine whether you are going to use mod_perl
or regular perl and copy the relevant lines into the
conf file, replacing the "/usr/local/www/dm/" path with
the path you wish to store your DEMARC cgi scripts in.


Then simply copy the dm directory (should be a sub-directory
of the one you ran this script from) to your "/usr/local/www"
directory... or whatever you chose on your system.

NOTE: it is VERY important to copy the entire directory's
content, including the templates subdirectory.  On most systems
this can be accomplished by issuing:

cp -Rp dm /usr/local/www/



Now make sure the demarc script in the new directory is executable
by the user the webserver runs as... if in doubt, just issue:

chmod 755 /usr/local/www/dm/demarc


Now you must copy the DEMARC Client program into a target directory.
The actual directory you copy it to does not matter, but for the
sake of easily finding it (in your path), we suggest copying it
to /usr/local/bin/

To do this issue:

cp client/demarc_c.pl /usr/local/bin/

and make sure it is owned by root and only executable by root
by issuing the following 2 commands:

chown root /usr/local/bin/demarc_c.pl
chmod 700 /usr/local/bin/demarc_c.pl


The only thing left to copy is the images directory.

Assuming your DocumentRoot of your webserver is
"/usr/local/www/htdocs", the command would be:

cp -Rp images /usr/local/www/htdocs/


Now you must create the database schema for Snort/DEMARC to use.

If you already have the current 1.8 schema in place, it is still
suggested that you drop the current db (by issuing "DROP DATABASE snort"
from a mysql command line), and recreate it using the included schema.

The included schema not only adds several tables specific to DEMARC, but
it also adds a few indexes that allow the Snort tables to run faster
through the DEMARC interface.

To do this, follow these simple instructions:

(these instructions assume a database name of "snort", a database user
of "snort_user" and a password of "snort_password", with the database
running on the local machine)

mysql -u snort_user -h 127.0.0.1 -p
[then enter password when prompted]
mysql> create database snort;

mysql> exit;

Now to load the schema:
from the schema subdirectory which should contain the
"create_mysql_demarc" file-

mysql -u snort_user -h 127.0.0.1 -p < create_mysql_demarc
[then enter password when prompted]

and that's it... assuming there were no error messages, your
new Snort/DEMARC database schema has been created.


Now the final step is to edit the scripts and change the
variables to match your own network/system.

The top part of the /usr/local/www/dm/demarc and
/usr/local/bin/demarc_c.pl scripts should be self-explanatory;
however, please make SURE to change at least the following
variables:

###############
in "demarc":

#change these to match your db credentials:
my $db_user                = "your_username";
my $db_password            = "your_password";
my $db_host                = "127.0.0.1";
my $db_name                = "snort_db_name";

#verify that these are the correct paths on your system
my $whois_command          = "/usr/bin/whois";
my $traceroute_command     = "/usr/sbin/traceroute";
my $nslookup_command       = "/usr/sbin/nslookup";
my $ping_command           = "/usr/sbin/ping";

# this is the virtual path of your images directory,
# it can be in the form of http://yourdomain.com/images
# OR simply /images ...
# by default it references back to demarc.org, which
# allows you to make sure the rest of the program is
# working correctly before adjusting the images path,
# however this SHOULD be changed to point to your
# own webserver.
my $v_graphics_path = "http://demarc.org/pub-images";#NO trailing slash

# You shouldn't have to change this UNLESS you did not
# use the suggested ScriptAlias above in your httpd.conf
my $v_base_path      = "/dm";

# change this to reflect the base path where the "demarc"
# script resides:
my $base_path        = "/usr/local/www/dm";


################
in "demarc_c.pl":

#change these to match your db credentials:
my $db_user                = "your_username";
my $db_password            = "your_password";
my $db_host                = "127.0.0.1";
my $db_name                = "snort_db_name";

# SID for this host (leave as 1 if this is the FIRST
# Snort client you are bringing online, increment by
# one for each additional client)
my $sid                       = 1;

# Is this the MAIN monitor - there should only be one per installation
# 0 if this is NOT the client on the main monitoring machine
# usually this is the first client which is on the same
# box as the mysql server
my $this_is_the_main_client   = 1;

# Verify the paths to system binaries and Snort Options
my $snort_binary_path      = "/usr/local/bin/snort";
my $snort_conf_file        = "/usr/local/etc/snort/snort.conf";
my $options                = "-o -D -q";#Special options for snort
my $ps_binary              = "/bin/ps";
my $grep_binary            = "/usr/bin/grep";
my $w_binary               = "/usr/bin/w";
my $ping_program           = "/sbin/ping";
my $mailprog               = "/usr/sbin/sendmail";
my $df_binary              = "/bin/df";

#############

The rest of the variables can be changed as needed.


Now you can go to your webpage... probably
https://your_domain.com/dm/demarc

and make sure the program is working correctly

The default login is admin/my_DEMARC


NOTE: Please Please Please... run the site on an HTTPS
server.  DEMARC provides a lot of power in controlling
your remote systems, and there is a powerful session
based password control system in place that can easily
be undermined by only using HTTP.  All passwords for the
DEMARC system can be sniffed if you use HTTP.  If that is
not enough to convince you, any triggers that get logged
by snort on port 80 will get logged again each time you
view the payload if you use HTTP.  Yah, we could have
coded around that, but if it makes a few of you change your
mind and use HTTPS instead, then it is most definitely a
"feature"!

fyi - You do NOT have to buy an SSL cert to run an HTTPS server,
you can simply create a self-signed cert that will work the
same for internal viewing.  The encryption is the same, the
only difference is that the trust relationship is not there
for external viewers.


Another NOTE:  There is an anonymous access switch you can
toggle ON in the "demarc" script.  It is OFF by default,
but if you would like to let anyone view the site (they
can NOT admin it though) change the "$allow_anonymous_access"
variable to "1" near the top of the script.
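Once the copy, chmod/chown and variable-editing steps above are done, the
following script checks that the installed layout actually matches what
this INSTALL asks for: templates copied, demarc executable, demarc_c.pl
root-owned and mode 700, the placeholder DB password and demarc.org images
path replaced, and the anonymous access switch still off.  This is an
added example, not part of the DEMARC distribution; the default paths are
simply the ones used in this document and can be overridden by argument.

```shell
#!/bin/sh
# Post-install sanity check for a DEMARC layout set up as described in
# this INSTALL. Added example; not part of the DEMARC distribution, and
# the default paths below are simply the ones this document uses.
#
# Usage: demarc_check [DM_DIR] [CLIENT_SCRIPT]
# Prints one line per problem found and returns the number of problems.
demarc_check() {
    dm_dir=${1:-/usr/local/www/dm}
    client=${2:-/usr/local/bin/demarc_c.pl}
    problems=0
    note() { echo "$1"; problems=$((problems + 1)); }

    # The whole dm directory, templates/ included, must have been copied.
    [ -d "$dm_dir/templates" ] || note "missing $dm_dir/templates"

    # The CGI script has to be executable by the web server user (chmod 755).
    [ -x "$dm_dir/demarc" ] || note "$dm_dir/demarc is not executable"

    # The client carries DB credentials and controls snort: root-owned, 700.
    if [ -e "$client" ]; then
        mode=$(stat -c %a "$client" 2>/dev/null || stat -f %Lp "$client")
        owner=$(stat -c %U "$client" 2>/dev/null || stat -f %Su "$client")
        [ "$mode" = "700" ] || note "$client mode is $mode, expected 700"
        [ "$owner" = "root" ] || note "$client owned by $owner, expected root"
    else
        note "missing $client"
    fi

    # Settings the INSTALL says must not be left at their shipped values.
    if grep -Eq '^[[:space:]]*my \$db_password[[:space:]]*=[[:space:]]*"your_password"' \
            "$dm_dir/demarc" 2>/dev/null; then
        note "db_password in demarc is still the placeholder"
    fi
    if grep -q 'demarc.org/pub-images' "$dm_dir/demarc" 2>/dev/null; then
        note "v_graphics_path in demarc still points at demarc.org"
    fi
    # Anonymous viewing is off by default; flag it if someone turned it on.
    if grep -Eq '^[[:space:]]*my \$allow_anonymous_access[[:space:]]*=[[:space:]]*1' \
            "$dm_dir/demarc" 2>/dev/null; then
        note "anonymous access is enabled in demarc"
    fi

    return $problems
}
```

Run it as root after installing; a zero exit status means every item above checked out.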

The client can be started by "demarc_c.pl&"


And - Yes, we know that there needs to be more thorough
documentation on the installation and use of DEMARC,
but we felt the functionality was more important for now.

Prepare for famous last words...
"More thorough docs are on the way!"

Good luck, and please email us with your questions/comments/
success stories to info@demarc.org .  We'd love to hear from you!

-The DEMARC Team

