 You'll need to untar/gz the demarc-<current_version>.tar.gz file on each host
 where you wish to place a sensor. Then, as was done on the main sensor, execute
 the following command:

# mv demarc-<current_version> /usr/local/demarc

Note: This has already been done for the first sensor.

 The following directories can optionally be removed on all but the main client:
  /usr/local/demarc/cgi
  /usr/local/demarc/images
  /usr/local/demarc/install

  ---------------

 Softlink demarcd over to make it easier to access from any directory.

  In your shell:
  ---------------
 # ln -s /usr/local/demarc/bin/demarcd /usr/sbin/
  ---------------

 You should then view all of the available options in demarcd.

  In your shell:
  ---------------
 # demarcd -?
  ---------------

 If snort has not yet been run on this computer, you'll probably need to create
 the logging directory for snort before attempting to install the DEMARC Client.
 Although this directory won't be used for most configurations, it still needs
 to exist.

  In your shell:
  ---------------
 # mkdir /var/log/snort
  ---------------

  Next you'll want to bring your sensor online.

 IMPORTANT NOTE:  Because of the way snort registers with the database, before
 you run the following command you must decide if you are going to bind demarcd
 to a particular interface.  If you do not have more than one interface on this
 machine, then you will not have to worry about this detail, but if you do, the
 golden rule is that you must do both the following installation and ALL
 subsequent startups of demarcd with the "-i <interface>" flag.  If you do not,
 snort will most likely create rogue SIDs, and which SID snort decides to log
 to can be unpredictable.

  In your shell:
  ---------------
 # demarcd -I
  OR
 # demarcd -i <interface> -I
  ---------------

 You will be prompted for some information about the database and about the
 sensor you're about to bring online.  Please make a note of the SID this new
 sensor receives. The script will tell you what this number is in a line like this:

"This sensor has received SID # 1"

 If you have lynx and tar working on your system, you will be able to download 
 and install the latest snort rules from the http://snort.sourcefire.com/ website.
 

 Now you must edit your demarcd.conf file (in "/usr/local/demarc/conf/") and enter
 the SID you received above as the following variable (SID # "1" in this example):

sid = 1

 You must also change the database credentials in this file to match the correct
 credentials for your database.

* Other variables that you'll want to check/change in demarcd.conf: 

 main_monitor_sid = 1
      replace the "1" with the SID of the main monitor sensor if it is not SID 1

 this_is_the_main_client = "yes"
      change this to "no" if this is not the main sensor.  Note: there should only
      be one main client.

 


 -------------------------

 Next start demarcd for the first time:

 If you only have one interface on this machine, you can simply start the client
 with the following command:

 # demarcd

 If you have more than one interface on this machine, you can specify which interface 
 snort should run on with the "-i" flag as follows:

 # demarcd -i <interface>

 If you have multiple interfaces on your machine and wish to have demarcd/snort running
 on each interface, you can use the following syntax.  Please note that in this example
 this machine is the main client; however, *only one* demarcd client should be run as
 the main client.  To do this without having to specify different demarcd.conf files, we
 can use the "-s" and "-m" flags to specify the SID for that interface and whether or
 not it will be run as the main client.

 # demarcd -i eth0 -m yes -s 1
 # demarcd -i eth1 -m no  -s 2
 # demarcd -i eth2 -m no  -s 3

 Note that in the last example each interface has a different SID.  In order to install
 the demarcd clients in this manner you would have had to run the "demarcd -I" function
 three times as follows:

 # demarcd -i eth0 -I
 # demarcd -i eth1 -I
 # demarcd -i eth2 -I
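
 The multi-interface rules above (a different SID for each interface, no more
 than one main client, every startup given "-i") can be checked before anything
 is started. This is an added example, not part of DEMARC; the three-column plan
 format and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of DEMARC.
# Plan format (hypothetical): one line per sensor, "<interface> <yes|no> <SID>".

# Constructed sample plan matching the three-interface example above.
SAMPLE_PLAN='eth0 yes 1
eth1 no 2
eth2 no 3'

# check_plan PLAN: prints each problem found, returns 0 if the plan is usable.
# The main client may live on another host, so zero "yes" lines is accepted.
check_plan() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF != 3 { printf "line %d: expected <interface> <yes|no> <SID>\n", NR
                  bad = 1; next }
        $2 != "yes" && $2 != "no" {
                  printf "line %d: main flag must be yes or no\n", NR; bad = 1 }
        $3 !~ /^[0-9]+$/ {
                  printf "line %d: SID must be numeric\n", NR; bad = 1 }
        seen_if[$1]++ {
                  printf "line %d: interface %s listed twice\n", NR, $1; bad = 1 }
        seen_sid[$3]++ {
                  printf "line %d: SID %s already used\n", NR, $3; bad = 1 }
        $2 == "yes" { mains++ }
        END {
            if (mains > 1) {
                printf "%d main clients listed, only one is allowed\n", mains
                bad = 1
            }
            exit bad + 0
        }'
}

# emit_commands PLAN: prints one demarcd startup line per sensor, always with
# -i, -m and -s, or returns 1 (problems on stderr) if the plan is inconsistent.
emit_commands() {
    check_plan "$1" >&2 || return 1
    printf '%s\n' "$1" |
        awk 'NF == 3 { printf "demarcd -i %s -m %s -s %s\n", $1, $2, $3 }'
}

emit_commands "$SAMPLE_PLAN"
```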

 --------------------------

 You can type "demarcd -g" again to make sure that it is running. If all went well
 it will show you the demarc and snort processes that are running.

 If you should need to stop the client, simply type "demarcd -k" in your shell
 (or "demarcd -i <interface> -k" to kill a demarcd that was started on a specific
 interface).






