CCTDE - Covert Channels and Tunnels Detection Engine
Version 0.2
cctde.conf :
A_TIMELINE_PERIOD=300
A_KEEP_TIMELINE=0
A_DISPLAY_TCP_CONNECTION=1
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_CURRENT=1
A_MAX_UPCON=uptime;30
We start Snort using RunAndLog.sh and CCTDE using :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

{15 seconds after start time, we have a first resume}
CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).

{64144 is a standard wget connection while 65340 is a netcat connection I keep up}
[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (15 packets) in 30 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
o 0 alert rule(s)
o 1 connection(s) UP.
# 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected) packets rx=1 tx=2, bytes rx=0 tx=0, uptime=13
o 1 recorded client(s) in main view (0 timeline(s)).

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (15 packets) in 45 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
o 0 alert rule(s)
o 1 connection(s) UP.
# 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected) packets rx=1 tx=2, bytes rx=0 tx=0, uptime=28
o 1 recorded client(s) in main view (0 timeline(s)).

{Alerts are coming}
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (31 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (32 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (33 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

{I'm closing the netcat connection}
[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (18 packets) in 55 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 1 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!
We can analyze already recorded tcpdump files.
We use the following script to get the start time of the first example's tcpdump logfile :
./display_time_infos.sh ../logs/cctde_alert_ex1.tcpdump.log
First is at 1077371124
Last is at 1077371158
Delay is 34 seconds
We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1077371124
We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log
[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).
[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

CCTDE [19387] started the 21/02/2004 14:51:46 (Pcap start : 21/02/2004 14:45:24)
o Processed 2 connections and 1833 bytes (18 packets) in 16 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 34).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 1 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!
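As an added example (not CCTDE's own code), the Python below replays the SYN/FIN lines shown in the first example and applies the A_MAX_UPCON=uptime;30 check the same way: the wget connection (64144) closes within a second, while the netcat connection (65340) is still open after 30 seconds and gets reported. The sample lines are copied from the output above; the function names are my own.

```python
import re
from datetime import datetime

# Per-packet lines CCTDE prints when A_DISPLAY_TCP_CONNECTION=1
LINE_RE = re.compile(
    r"\[ (?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \] : (?P<flag>SYN|FIN) TCP packet "
    r"\[(?P<cid>\d+)\] : (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)"
)

# Copied from the first example above (65340 = netcat kept up, 64144 = wget)
SAMPLE_LINES = [
    "[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80",
    "[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80",
    "[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469",
    "[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80",
]

def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")

def replay(lines):
    """Feed packet lines in order. Returns (closed, still_open): closed is a list of
    (cid, 'client->server', uptime_seconds) in close order; still_open maps
    cid -> (syn_time, 'client->server') for connections that have not seen a FIN."""
    still_open, closed = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue   # resume lines, alerts and anything else are skipped
        ts, cid = parse_ts(m["ts"]), m["cid"]
        if m["flag"] == "SYN":
            # the SYN tells us which side is the client; keep only the first SYN
            still_open.setdefault(cid, (ts, f"{m['src']}->{m['dst']}"))
        elif cid in still_open:
            # the first FIN from either side ends the connection's uptime
            start, label = still_open.pop(cid)
            closed.append((cid, label, int((ts - start).total_seconds())))
    return closed, still_open

def long_running(still_open, now, max_uptime):
    """The A_MAX_UPCON=uptime;N check: open connections older than N seconds at 'now'."""
    hits = []
    for cid, (start, label) in still_open.items():
        uptime = int((now - start).total_seconds())
        if uptime > max_uptime:
            hits.append((cid, label, uptime))
    return hits

def format_alert(hit, max_uptime):
    """Same wording CCTDE uses for this alert."""
    _cid, label, uptime = hit
    return f"CCTDE : Con created more than {max_uptime} seconds ago : {label} ({uptime} seconds)."

if __name__ == "__main__":
    # State just before the netcat FIN: only 65340 is still up, and it is past 30 s
    _closed, open_now = replay(SAMPLE_LINES[:3])
    for hit in long_running(open_now, parse_ts("02/21/04-14:45:56.000000"), 30):
        print(format_alert(hit, 30))
```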
cctde.conf :
# Setting the timelines parameters
A_TIMELINE_PERIOD=10
A_KEEP_TIMELINE=2
A_FLUSH_TIMELINE=1
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1
We get information from the tcpdump capture :
./display_time_infos.sh ../logs/cctde_alert_ex3.tcpdump.log
First is at 1075234136
Last is at 1075234167
Delay is 31 seconds
We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136
We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{This timeline is the first created and is flushed from memory when the third timeline is created}
o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
  Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
# 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31 alerts=0
$ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31

{Ctrl-C : cctde displays its information. We have two recorded timelines without any client because the capture holds a single client, which opened its connection during the first timeline.}
CCTDE [19407] started the 21/02/2004 15:03:48 (Pcap start : 27/01/2004 21:08:56)
o Processed 1 connections and 2411 bytes (38 packets) in 5 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 31).
o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (2 timeline(s)).
o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
SigTERM ... Exiting!
cctde.conf :
# Setting the timelines parameters
A_TIMELINE_PERIOD=10
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1
# The command file
A_COMMAND_FILE=conf/cctde.cmd
cctde.cmd :
display_clients_infos
display_servers_infos
We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &
We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{We tell cctde to display the resume}
./test_sigusr1.sh
CCTDE [19425] started the 21/02/2004 15:19:30 (Pcap start : 27/01/2004 21:08:56)
o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 31).
o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (3 timeline(s)).
o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
  Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
# 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31 alerts=0
$ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
OK

{We tell cctde to execute the commands from cctde.cmd}
./test_sigusr2.sh
OK
{There is no client recorded in the main list}
display_clients_infos : (null)
o 0 recorded client(s).
{But as we are keeping all timelines in memory, the server information is still recorded}
display_servers_infos : (null)
o 1 recorded server(s).
# 10.1.1.1:80 [01/27/04-21:09:27.017588 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=4 tx=3, bytes rx=1738 tx=0, Uptime global=31 alerts=0
[...]
cctde.conf :
# Setting the timelines parameters
A_TIMELINE_PERIOD=300
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1
# The command file
A_COMMAND_FILE=conf/cctde.cmd
# Our alerts
ALERT_MAX_SRV=2;uptime;30;3;50;0;1
ALERT_MAX_CL=1;prx;8;3;50;0;1
We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

{We display the resume to look at the alerts we configured}
./test_sigusr1.sh
CCTDE [439] started the 21/02/2004 15:40:44 (Pcap start : 27/01/2004 20:08:56)
o Processed 0 connections and 0 bytes (0 packets) in 9 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 2 alert rule(s)
# Alert #1 for clients (Max : prx > 8 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
# Alert #2 for servers (Max : uptime > 30 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).
OK
We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{Alerts and reminders are raised to the operator}
[20:09:14] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 8 packets.
[20:09:17] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 9 packets (rem. 3 secs).
[20:09:21] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 10 packets (rem. 3 secs).
[20:09:22] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
[20:09:26] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 13 packets (rem. 3 secs).
[20:09:27] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
[20:09:27] CCTDE - Srv #2 (Max) : Global uptime reached 30 secs : 10.1.1.1 stood up for 31 secs.

We edit the command file :
remove_alert_rules=1

{We remove the alert #1}
./test_sigusr2.sh
remove_alert_rules : 1
Alert rule #1 removed.
OK

We edit the command file :
ALERT_MAX_CL=3;prx;2;3;50;0;1
display_alert_rules

./test_sigusr2.sh
{We add the new alert}
ALERT_MAX_CL : 3;prx;2;3;50;0;1
{We display the stored alerts}
display_alert_rules : (null)
o 2 alert rule(s)
# Alert #3 for clients (Max : prx > 2 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
# Alert #2 for servers (Max : uptime > 30 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
{Our new alert #3 is raised, but dal/pal are not applied here because they are only updated when packets are recorded}
[20:09:27] CCTDE - Cl #3 (Max) : Prx reached 2 : 10.1.1.77 received 19 packets.
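As an added example (not CCTDE's own code), the Python below parses the ALERT_MAX_CL / ALERT_MAX_SRV rule format used above and replays the alert and reminder sequence printed for client 10.1.1.77. The meaning of dal and pal is an assumption inferred from that output (dal: seconds between reminders, pal: percent growth of the value since the last percent reminder); the silent and weight fields are parsed but not modeled, and the event timestamps fed in are constructed from the log lines above.

```python
from dataclasses import dataclass

@dataclass
class AlertRule:
    ident: int
    scope: str       # "clients" (ALERT_MAX_CL) or "servers" (ALERT_MAX_SRV)
    metric: str      # e.g. "prx" (packets received) or "uptime"
    threshold: int
    dal: int         # assumed: seconds between reminders
    pal: int         # assumed: percent growth that triggers a reminder
    silent: int      # parsed only, semantics not modeled here
    weight: int      # parsed only, semantics not modeled here

SCOPES = {"ALERT_MAX_CL": "clients", "ALERT_MAX_SRV": "servers"}

def parse_alert_rule(directive):
    """'ALERT_MAX_CL=1;prx;8;3;50;0;1' -> AlertRule (seven ';'-separated fields)."""
    key, _, value = directive.partition("=")
    fields = value.strip().split(";")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {directive!r}")
    ident, metric, threshold, dal, pal, silent, weight = fields
    return AlertRule(int(ident), SCOPES[key.strip()], metric, int(threshold),
                     int(dal), int(pal), int(silent), int(weight))

def describe(rule):
    """Same wording as CCTDE's display_alert_rules output."""
    return (f"Alert #{rule.ident} for {rule.scope} (Max : {rule.metric} > {rule.threshold} ?) "
            f"dal: {rule.dal}, pal: {rule.pal} - silent for {rule.silent} alerts, weight: {rule.weight}")

class MaxAlertTracker:
    """One rule applied to one client or server. First alert when the metric reaches
    the threshold; afterwards a reminder whenever the value has grown `pal` percent
    since the last percent reminder, or every `dal` seconds (assumed semantics)."""
    def __init__(self, rule):
        self.rule = rule
        self.last_time = None   # time of the last alert or reminder
        self.ref_value = None   # value at the first alert / last percent reminder

    def observe(self, now, value):
        """Return 'alert', 'rem. N%', 'rem. N secs' or None for one observation."""
        r = self.rule
        if self.ref_value is None:
            if value < r.threshold:
                return None
            self.last_time, self.ref_value = now, value
            return "alert"
        if value * 100 >= self.ref_value * (100 + r.pal):
            self.last_time, self.ref_value = now, value
            return f"rem. {r.pal}%"
        if now - self.last_time >= r.dal:
            self.last_time = now
            return f"rem. {r.dal} secs"
        return None
```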
We configure Top directives in the cctde.conf file :
A_TOP_X_SRV=uptime;3
A_TOP_X_SRV=prx;3
A_TOP_X_CL=con;3

[ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
[ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
[ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
[ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
[ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
[ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
[ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
[ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
[ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
[ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
[ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
[ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets) (Pcap delay : 58).
o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30
o TOP_3_CL_CON has 2 recorded client(s).
# 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ] conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
# 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ] conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
o TOP_3_SRV_UPTIME has 3 recorded server(s).
# a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
# a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
# a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ] conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
o TOP_3_SRV_PRX has 3 recorded server(s).
# a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
# a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
# a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ] conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
SigTERM ... Exiting!
cctde.conf :
A_DISPLAY_TCP_CONNECTION=1
A_COMMAND_FILE=conf/cctde.cmd
A_BACKUP_FILE=conf/cctde.bk
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &
[ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
[ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
[ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
[ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
[ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
[ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
[ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
[ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
[ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
[ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
[ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
[ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

./test_stop.sh
CCTDE [476] started the 21/02/2004 16:04:44 (Pcap start : 27/01/2004 22:22:32)
o Processed 7 connections and 3356 bytes (96 packets) in 5 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 58).
o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30 (58 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 2 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!
At this point, our information is backed up in the conf/cctde.bk_{date} file.
cctde.conf :
A_DISPLAY_TCP_CONNECTION=1
A_COMMAND_FILE=conf/cctde.cmd
cctde.cmd :
read_stats_from=conf/cctde.bk_1077379484
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

./test_sigusr1.sh
CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
o Processed 0 connections and 0 bytes (0 packets) in 3 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).
OK

./test_sigusr2.sh
read_stats_from : conf/cctde.bk_1077379484
OK

./test_sigusr1.sh
CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
o Processed 0 connections and 0 bytes (0 packets) in 46 seconds. (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (1 timeline(s)).
o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
  Main infos the 27/01/2004 22:23:30 : Tcp connections : 7, Packets : 96, Bytes: 3356
  0 Desync packet - 0 Upcon - 0 TmoutCon - 1 timelines.
# 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ] conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
$ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ] conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
$ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ] conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
# 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ] conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
$ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
$ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
[...]
You'll find here two kinds of CCTDE output data graphed using the cctde_graph.pl Perl script. The first is a tcpdump capture of ordinary browsing activity (nothing unusual, no tunnel or anything of the kind), while the second is a tcpdump capture of a small WebShell session (including a wshput to the remote web server).
This file is part of CCTDE - Covert Channels and Tunnels Detection Engine v0.2 (C) Simon Castro
CCTDE is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
CCTDE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with CCTDE; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Simon Castro
Last updated on the 21st of February 2004