CCTDE - Covert Channels and Tunnels Detection Engine
Examples

Version 0.2

Summary

Some notes
1. Monitoring opened connections in real time
2. Monitoring opened connections in replay mode
3. Playing with timelines
4. Using signals and commands
5. Writing and playing with alerts
6. Using TopX clients and servers
7. Statistics backup/restore


Some Notes

  • Some of the following examples are real captures you can find in the log directory, others are anonymized, but none of them is (of course) real-world evidence.
  • 10.1.1.1:80 is a webserver while 10.1.1.2, 10.1.1.77 and 10.1.1.42 are workstations.
  • The snort and cctde processes are running on 10.1.1.1.
  • Text between {} is commentary.
  • What follows is only a short overview of what you can trace with CCTDE.
  • I sometimes shortened the output where the displayed information was not accurate.

1. Monitoring opened connections in real time

cctde.conf :

  
 A_TIMELINE_PERIOD=300
 A_KEEP_TIMELINE=0
 A_DISPLAY_TCP_CONNECTION=1 
 A_DISPLAY_RESUME=1
 A_DISPLAY_ALERT_RULES=1
 A_DISPLAY_TIMELINE=1
 A_DISPLAY_CURRENT=1
 A_MAX_UPCON=uptime;30

We start Snort using RunAndLog.sh and Cctde using :

  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

 {15 seconds after start time, we have a first resume}

 CCTDE [19365] started the 21/02/2004 14:45:07
   o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
   o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00 (0 seconds).
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 0 recorded client(s) in main view (0 timeline(s)).

 {64144 is a standard wget connection while 65340 is a netcat connection I keep open}

 [ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
 [ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
 [ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469

 CCTDE [19365] started the 21/02/2004 14:45:07
   o Processed 2 connections and 1833 bytes (15 packets) in 30 seconds (0 desync packets).
   o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
   o 0 alert rule(s)
   o 1 connection(s) UP.
     # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected)
       packets rx=1 tx=2, bytes rx=0 tx=0, uptime=13
   o 1 recorded client(s) in main view (0 timeline(s)).

 CCTDE [19365] started the 21/02/2004 14:45:07
   o Processed 2 connections and 1833 bytes (15 packets) in 45 seconds (0 desync packets).  
   o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
   o 0 alert rule(s)
   o 1 connection(s) UP.
     # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected)
       packets rx=1 tx=2, bytes rx=0 tx=0, uptime=28
   o 1 recorded client(s) in main view (0 timeline(s)).

 {Alerts are coming}

 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (31 seconds).
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (32 seconds).
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (33 seconds).
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

 {I'm closing the netcat connection}

 [ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

 CCTDE [19365] started the 21/02/2004 14:45:07
   o Processed 2 connections and 1833 bytes (18 packets) in 55 seconds (0 desync packets).
   o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 1 recorded client(s) in main view (0 timeline(s)).
 SigTERM ... Exiting!

2. Monitoring opened connections in replay mode

We can also analyze previously recorded tcpdump files.

We use the following script to get the start time of the tcpdump logfile from example 1 :

  
 ./display_time_infos.sh ../logs/cctde_alert_ex1.tcpdump.log 
 First is at 1077371124
 Last is  at 1077371158
 Delay is 34 seconds

We start CCTDE :

  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1077371124 

We run Snort using :

  
 ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

 [ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
 [ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
 [ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).
 [ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
 CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

 CCTDE [19387] started the 21/02/2004 14:51:46 (Pcap start : 21/02/2004 14:45:24)
   o Processed 2 connections and 1833 bytes (18 packets) in 16 seconds.
     (0 desync packets) (0 tmout connections) (Pcap delay : 34).
   o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds). 
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 1 recorded client(s) in main view (0 timeline(s)).
 SigTERM ... Exiting!

3. Playing with timelines

cctde.conf :

  
 # Setting the timelines parameters 
 A_TIMELINE_PERIOD=10
 A_KEEP_TIMELINE=2
 A_FLUSH_TIMELINE=1
 # Setting resume messages
 A_DISPLAY_RESUME=1
 A_DISPLAY_ALERT_RULES=1
 A_DISPLAY_TIMELINE=1
 A_DISPLAY_TIMELINE_NO_CLIENT=1
 A_DISPLAY_CURRENT=1

We get the time information from the tcpdump capture :

  
 ./display_time_infos.sh ../logs/cctde_alert_ex3.tcpdump.log 
 First is at 1075234136
 Last is  at 1075234167
 Delay is 31 seconds

We start CCTDE :

  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136 

We run Snort using :

  
 ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

 {This timeline is the first created and is flushed from memory when the third
  timeline is created}

     o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
       Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
       0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
       # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] 
         conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
         alerts=0
         $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
           conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31

 {Ctrl-C : cctde displays its information : we have two recorded timelines without any
  client because the capture contains a single client, which opened its connection during
  the first timeline}

   CCTDE [19407] started the 21/02/2004 15:03:48 (Pcap start : 27/01/2004 21:08:56)
     o Processed 1 connections and 2411 bytes (38 packets) in 5 seconds.
       (0 desync packets) (0 tmout connections) (Pcap delay : 31).
     o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds). 
     o 0 alert rule(s)
     o 0 connection(s) UP.
     o 0 recorded client(s) in main view (2 timeline(s)).
   
     o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
       Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
       0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
   
     o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
       Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
       0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
   SigTERM ... Exiting!

4. Using signals and commands

cctde.conf :

  
 # Setting the timelines parameters 
 A_TIMELINE_PERIOD=10
 # Setting resume messages
 A_DISPLAY_RESUME=1
 A_DISPLAY_ALERT_RULES=1
 A_DISPLAY_TIMELINE=1
 A_DISPLAY_TIMELINE_NO_CLIENT=1
 A_DISPLAY_CURRENT=1
 # The command file
 A_COMMAND_FILE=conf/cctde.cmd

cctde.cmd :

  
 display_clients_infos 
 display_servers_infos

We start CCTDE :

  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 & 

We run Snort using :

  
 ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

 {We tell cctde to display the resume}

   ./test_sigusr1.sh 
   
   CCTDE [19425] started the 21/02/2004 15:19:30 (Pcap start : 27/01/2004 21:08:56)
     o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds.
       (0 desync packets) (0 tmout connections) (Pcap delay : 31).
     o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds). 
     o 0 alert rule(s)
     o 0 connection(s) UP.
     o 0 recorded client(s) in main view (3 timeline(s)).
   
     o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
       Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
       0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
   
     o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
       Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
       0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
   
     o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
       Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
       0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
       # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] 
         conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
         alerts=0
         $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
           conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
   OK
   
 {We tell cctde to execute the commands from cctde.cmd}

   ./test_sigusr2.sh 
   OK

 {There is no client recorded in the main list}

   display_clients_infos : (null)
     o 0 recorded client(s).

 {But as we are keeping all timelines in memory, the server information is still
  recorded}

   display_servers_infos : (null)
     o 1 recorded server(s).
       # 10.1.1.1:80 [01/27/04-21:09:27.017588 - 01/27/04-21:09:27.361352 ]
         conn=1, packets rx=4 tx=3, bytes rx=1738 tx=0, Uptime global=31
         alerts=0
   
   [...]

5. Writing and playing with alerts

cctde.conf :

  
 # Setting the timelines parameters
 A_TIMELINE_PERIOD=300
 # Setting resume messages
 A_DISPLAY_RESUME=1
 A_DISPLAY_ALERT_RULES=1
 A_DISPLAY_TIMELINE=1
 A_DISPLAY_TIMELINE_NO_CLIENT=1
 A_DISPLAY_CURRENT=1
 # The command file
 A_COMMAND_FILE=conf/cctde.cmd
 # Our alerts
 ALERT_MAX_SRV=2;uptime;30;3;50;0;1 
 ALERT_MAX_CL=1;prx;8;3;50;0;1

We start CCTDE :

  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

 {We display the resume to look at the alerts we configured}

 ./test_sigusr1.sh 

   CCTDE [439] started the 21/02/2004 15:40:44 (Pcap start : 27/01/2004 20:08:56)
     o Processed 0 connections and 0 bytes (0 packets) in 9 seconds.
       (0 desync packets) (0 tmout connections) (Pcap delay : 0).
     o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds). 
     o 2 alert rule(s)
       # Alert #1 for clients (Max : prx > 8 ?)
         dal: 3, pal: 50 - silent for 0 alerts, weight: 1
       # Alert #2 for servers (Max : uptime > 30 ?)
         dal: 3, pal: 50 - silent for 0 alerts, weight: 1
     o 0 connection(s) UP.
     o 0 recorded client(s) in main view (0 timeline(s)).
   OK

We run Snort using :

  
 ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

 {Alerts and reminders are raised to the operator}

   [20:09:14] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 8 packets.
   [20:09:17] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 9 packets (rem. 3 secs).
   [20:09:21] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 10 packets (rem. 3 secs).
   [20:09:22] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
   [20:09:26] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 13 packets (rem. 3 secs).
   [20:09:27] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
   [20:09:27] CCTDE - Srv #2 (Max) : Global uptime reached 30 secs : 10.1.1.1 stood up for 31 secs. 

 We edit the command file :
   remove_alert_rules=1

 {We remove the alert #1}

   ./test_sigusr2.sh 
   remove_alert_rules : 1
     Alert rule #1 removed.
   OK

 We edit the command file :
   ALERT_MAX_CL=3;prx;2;3;50;0;1
   display_alert_rules

 ./test_sigusr2.sh 

 {We add the new alert}

   ALERT_MAX_CL : 3;prx;2;3;50;0;1

 {We display the stored alerts}

   display_alert_rules : (null)
     o 2 alert rule(s)
       # Alert #3 for clients (Max : prx > 2 ?)
         dal: 3, pal: 50 - silent for 0 alerts, weight: 1
       # Alert #2 for servers (Max : uptime > 30 ?)
         dal: 3, pal: 50 - silent for 0 alerts, weight: 1

 {our new alert #3 is raised, but dal/pal are not applied since they are only updated
  when packets are recorded}

   [20:09:27] CCTDE - Cl #3 (Max) : Prx reached 2 : 10.1.1.77 received 19 packets.
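
 The ALERT_MAX_* directives above pack seven ';'-separated fields, and the resume output
 names them (id, metric, threshold, dal, pal, silent, weight). The following Python is an
 added example, not CCTDE's own code: it parses that form and replays one rule against a
 constructed stream of packets received by 10.1.1.77. How dal and pal act is inferred from
 the alert sequence above (the first alert at 8 packets, "(rem. 3 secs)" when 3 or more
 seconds have passed since the previous alert, "(rem. 50%)" when the count has grown 50%
 over the value of the previous first/percentage alert) and is an assumption about the
 engine, not documented behaviour; the same goes for treating silent as a count of
 leading alerts to drop. The packet timings are constructed, not taken from the page.

```python
"""Added example, not CCTDE's own code: parse ALERT_MAX_CL / ALERT_MAX_SRV rules
in the <id>;<metric>;<threshold>;<dal>;<pal>;<silent>;<weight> form used in
cctde.conf and replay one against a stream of observations.

Field names follow the resume output (dal, pal, silent, weight). How they act is
inferred from the alert sequence for 10.1.1.77 and is an ASSUMPTION:
 - the first alert fires when the metric reaches the threshold;
 - "(rem. N secs)": at least `dal` seconds since the previous alert for the host;
 - "(rem. P%)": the metric grew `pal` percent over the value of the previous
   first/percentage alert (time reminders do not move that baseline);
 - `silent` drops that many leading alerts; `weight` is only carried along.
"""
from dataclasses import dataclass


@dataclass
class AlertRule:
    rule_id: int
    scope: str       # "CL" (clients) or "SRV" (servers)
    metric: str      # e.g. "prx" (packets received), "uptime"
    threshold: int
    dal: int         # seconds between time-based reminders
    pal: int         # percent growth for value-based reminders
    silent: int
    weight: int


def parse_alert_rule(line):
    """'ALERT_MAX_CL=1;prx;8;3;50;0;1' -> AlertRule; rejects anything else."""
    key, sep, value = line.strip().partition("=")
    if sep != "=" or not key.startswith("ALERT_MAX_"):
        raise ValueError(f"not an ALERT_MAX_* directive: {line!r}")
    fields = value.split(";")
    if len(fields) != 7:
        raise ValueError(f"expected 7 ';'-separated fields, got {len(fields)}: {value!r}")
    rid, metric, thr, dal, pal, silent, weight = fields
    return AlertRule(int(rid), key[len("ALERT_MAX_"):], metric, int(thr),
                     int(dal), int(pal), int(silent), int(weight))


class MaxAlert:
    """Stateful evaluator for one ALERT_MAX_* rule; feed it one observation at a time."""

    def __init__(self, rule):
        self.rule = rule
        self.state = {}      # host -> [time of last alert, baseline for the % reminder]
        self.emitted = 0

    def update(self, host, value, now):
        """Return (kind, value, message) if an alert or reminder is due, else None."""
        r, st = self.rule, self.state.get(host)
        if st is None:
            if value < r.threshold:
                return None
            kind, self.state[host] = "first", [now, value]
        elif now - st[0] >= r.dal:
            kind, st[0] = "secs", now
        elif value >= st[1] * (100 + r.pal) / 100:
            kind, st[0], st[1] = "pct", now, value
        else:
            return None
        self.emitted += 1
        if self.emitted <= r.silent:
            return None                     # assumption: silent = leading alerts to drop
        suffix = {"first": "", "secs": f" (rem. {r.dal} secs)", "pct": f" (rem. {r.pal}%)"}[kind]
        scope = "Cl" if r.scope == "CL" else "Srv"
        return (kind, value, f"CCTDE - {scope} #{r.rule_id} (Max) : {r.metric.capitalize()} "
                             f"reached {r.threshold} : {host} at {value}{suffix}")


def replay(rule_line, events):
    """Run (host, metric value, time) observations through a rule; return alerts raised."""
    evaluator = MaxAlert(parse_alert_rule(rule_line))
    raised = []
    for host, value, t in events:
        hit = evaluator.update(host, value, t)
        if hit is not None:
            raised.append(hit)
    return raised


# Constructed observations (not from the page): packets received by 10.1.1.77, with
# arrival times shaped so the running count is 8, 9, 10, 12, 13 and 18 at the
# instants where the page shows an alert or reminder.
SAMPLE_EVENTS = [("10.1.1.77", n, t) for n, t in enumerate(
    [0, 2, 4, 6, 8, 10, 12, 14, 17, 21, 21.4, 22, 26, 26.2, 26.4, 26.6, 26.8, 27], start=1)]

if __name__ == "__main__":
    for _, _, message in replay("ALERT_MAX_CL=1;prx;8;3;50;0;1", SAMPLE_EVENTS):
        print(message)
```

 Replaying ALERT_MAX_CL=1;prx;8;3;50;0;1 over SAMPLE_EVENTS yields six alerts at counts
 8, 9, 10, 12, 13 and 18, the same sequence as the page; the percentage reminder keeps
 its baseline at the last first/percentage value (8, then 12), otherwise the reminder at 12
 would not fire after the time reminders at 9 and 10. Whether the real engine works this
 way should be checked against its source before relying on the emulation.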

6. Using TopX clients and servers

We configure Top directives in the cctde.conf file :

  
 A_TOP_X_SRV=uptime;3 
 A_TOP_X_SRV=prx;3
 A_TOP_X_CL=con;3
  
 [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
 [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
 [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
 [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
 [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
 [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
 [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
 [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
 [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
 [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
 [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
 [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
 [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
 [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146
 
 CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
   o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets) (Pcap delay : 58). 
   o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

   o TOP_3_CL_CON has 2 recorded client(s).
     # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
       conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
     # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
       conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1

   o TOP_3_SRV_UPTIME has 3 recorded server(s).
     # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
       conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
     # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
       conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
     # a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
       conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1

   o TOP_3_SRV_PRX has 3 recorded server(s).
     # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
       conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
     # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
       conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
     # a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
       conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
 SigTERM ... Exiting!
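
 The figures in examples 1 and 6 (the 31 to 34 second uptime alerts, conn=5 with
 Uptime global=46 for 10.1.1.77, the TOP_3_SRV_UPTIME order) can be reproduced from the
 SYN/FIN lines alone. The following Python is an added example, not CCTDE's own code: it
 parses those lines, tracks which connections are UP, emulates the A_MAX_UPCON=uptime;30
 check of example 1 and computes the per-host totals and TopX rankings of example 6. It
 assumes that durations are int(last) - int(first) on whole-second timestamps, that a
 connection is UP from its SYN to the first FIN in either direction, that the SYN sender
 is the client, and that "Uptime global" is the sum of a host's connection durations;
 these rules are inferred from the numbers on this page, not documented. The sample input
 is the SYN/FIN lines printed in examples 1 and 6.

```python
"""Added example, not CCTDE's own code: rebuild the connection view behind the
SYN/FIN lines CCTDE prints, then emulate the A_MAX_UPCON check of example 1 and
the per-host totals / TopX rankings of example 6.

Assumptions (the page shows the numbers, not the method): durations are
int(last) - int(first) on whole-second timestamps, a connection is UP from its SYN
to the first FIN in either direction, the SYN sender is the client, and a host's
"Uptime global" is the sum of its connections' durations. Packet/byte counters
(prx, ...) need the packet stream and are not derived here.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the SYN/FIN lines printed in examples 1 and 6 on this page.
EXAMPLE1_LINES = """\
[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
""".splitlines()

EXAMPLE6_LINES = """\
[ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
[ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
[ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
[ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
[ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
[ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
[ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
[ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
[ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
[ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
[ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
[ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146
""".splitlines()

LINE_RE = re.compile(
    r"^\[ (?P<ts>\S+) \] : (?P<flag>SYN|FIN) TCP packet \[(?P<cid>\d+)\] : "
    r"(?P<src>\S+?):(?P<sport>\d+)->(?P<dst>\S+):(?P<dport>\d+)$")
EPOCH = datetime(1970, 1, 1)

def parse_ts(ts):
    """'02/21/04-14:45:24.986973' -> seconds; naive time, so differences are exact."""
    return (datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f") - EPOCH).total_seconds()

def track_connections(lines):
    """Connection id -> {client, cport, server, syn, fin}; fin is None while UP."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # resume lines, {comments}, blanks
        t, cid = parse_ts(m["ts"]), m["cid"]
        if m["flag"] == "SYN":
            conns[cid] = {"client": m["src"], "cport": m["sport"],
                          "server": f"{m['dst']}:{m['dport']}", "syn": t, "fin": None}
        elif cid in conns and conns[cid]["fin"] is None:
            conns[cid]["fin"] = t                     # first FIN, either direction, closes it
    return conns

def duration(conn, now=None):
    """Whole-second uptime at `now` (None = after the capture), int(end) - int(start)."""
    if conn["fin"] is not None and (now is None or conn["fin"] <= now):
        return int(conn["fin"]) - int(conn["syn"])
    return int(now) - int(conn["syn"])

def is_up(conn, now):
    return conn["syn"] <= now and (conn["fin"] is None or conn["fin"] >= now)

def upcon_alerts(conns, now, max_uptime=30):
    """Emulate A_MAX_UPCON=uptime;<max_uptime> evaluated at instant `now`."""
    return [f"CCTDE : Con created more than {max_uptime} seconds ago : "
            f"{c['client']}:{c['cport']}->{c['server']} ({duration(c, now)} seconds)."
            for c in conns.values() if is_up(c, now) and duration(c, now) > max_uptime]

def capture_end(conns):
    return max(c["fin"] if c["fin"] is not None else c["syn"] for c in conns.values())

def host_totals(conns, now=None):
    """Per-client and per-server {con, uptime} totals, as in the TopX / timeline views."""
    now = capture_end(conns) if now is None else now
    clients = defaultdict(lambda: {"con": 0, "uptime": 0})
    servers = defaultdict(lambda: {"con": 0, "uptime": 0})
    for c in conns.values():
        if c["syn"] > now:
            continue
        for table, key in ((clients, c["client"]), (servers, c["server"])):
            table[key]["con"] += 1
            table[key]["uptime"] += duration(c, now)
    return dict(clients), dict(servers)

def top_x(totals, metric, x):
    """A_TOP_X_* style ranking: the x hosts with the highest `metric`, best first."""
    return sorted(totals.items(), key=lambda kv: kv[1][metric], reverse=True)[:x]
```

 host_totals(track_connections(EXAMPLE6_LINES)) gives conn=5 / uptime=46 for 10.1.1.77 and
 26, 20, 1 and 0 for a.b.c.d, a.b.c.e, a.b.c.f and a.b.c.g:80, matching the TopX output
 above; upcon_alerts on the example 1 connections at 31 seconds after the first SYN raises
 the single "(31 seconds)" alert shown there. Because the tracker only sees SYN and FIN, a
 connection torn down with RST, or one whose SYN predates the capture, is never closed or
 never opened here; a real detector needs the full packet stream.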

7. Statistics backup/restore

cctde.conf :

  
 A_DISPLAY_TCP_CONNECTION=1
 A_COMMAND_FILE=conf/cctde.cmd 
 A_BACKUP_FILE=conf/cctde.bk
  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

 [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
 [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
 [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
 [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
 [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
 [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
 [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
 [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
 [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
 [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
 [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
 [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
 [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
 [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

 ./test_stop.sh
 CCTDE [476] started the 21/02/2004 16:04:44 (Pcap start : 27/01/2004 22:22:32)
   o Processed 7 connections and 3356 bytes (96 packets) in 5 seconds.
     (0 desync packets) (0 tmout connections) (Pcap delay : 58).
   o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30 (58 seconds). 
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 2 recorded client(s) in main view (0 timeline(s)).
 SigTERM ... Exiting!

At this point, our statistics are backed up in the conf/cctde.bk_{date} file.

cctde.conf :

  
 A_DISPLAY_TCP_CONNECTION=1
 A_COMMAND_FILE=conf/cctde.cmd 

cctde.cmd :

  
 read_stats_from=conf/cctde.bk_1077379484 
  
 ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

 ./test_sigusr1.sh 

 CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
   o Processed 0 connections and 0 bytes (0 packets) in 3 seconds.
     (0 desync packets) (0 tmout connections) (Pcap delay : 0).
   o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 0 recorded client(s) in main view (0 timeline(s)).
 OK

 ./test_sigusr2.sh 
 read_stats_from : conf/cctde.bk_1077379484
 OK

 ./test_sigusr1.sh 

 CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
   o Processed 0 connections and 0 bytes (0 packets) in 46 seconds.
     (0 desync packets) (0 tmout connections) (Pcap delay : 0).
   o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
   o 0 alert rule(s)
   o 0 connection(s) UP.
   o 0 recorded client(s) in main view (1 timeline(s)).

   o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
     Main infos the 27/01/2004 22:23:30 : Tcp connections : 7, Packets : 96, Bytes: 3356 
     0 Desync packet - 0 Upcon - 0 TmoutCon - 1 timelines.
     # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
       conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
       $ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
         conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
       $ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
         conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
     # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
       conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
       $ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
         conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
       $ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
         conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
 [...]


CCTDE - Graphing Examples

Here are two kinds of CCTDE output graphed with the cctde_graph.pl Perl script. The first is a tcpdump capture of ordinary browsing activity (nothing unusual, no tunnel), while the second is a tcpdump capture of a short WebShell session (including a wshput to the remote webserver).

  • Browsing (Timeperiod=300 seconds)
  • Browsing (Timeperiod=120 seconds)

  • WebShell (Timeperiod=60 seconds)
  • WebShell (Timeperiod=15 seconds)


  • License :

    This file is part of CCTDE - Covert Channels and Tunnels Detection Engine v0.2 (C) Simon Castro .
    CCTDE is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
    CCTDE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along with CCTDE; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

    Simon Castro
    Last updated on the 21st of February 2004