CCTDE - Covert Channels and Tunnels Detection Engine v0.2
Copyright (C) 2003, 2004 Simon Castro - scastro@entreelibre.com

===============================================================================
This file is part of CCTDE - Covert Channels and Tunnels Detection Engine  v0.2
(C) Simon Castro <scastro [at] entreelibre.com>
CCTDE is free software; you can redistribute it  and/or  modify  it  under  the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
CCTDE is distributed in the  hope  that  it  will  be  useful, but WITHOUT  ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General  Public  License  along with
CCTDE; if not, write to the Free Software  Foundation,  Inc., 59 Temple  Place,
Suite 330, Boston, MA  02111-1307  USA
===============================================================================

###########
Summary ###
###########

  Some notes
  1. Monitoring opened connections in real time
  2. Monitoring opened connections in replay mode
  3. Playing with timelines
  4. Using signals and commands
  5. Writing and playing with alerts
  6. Using TopX clients and servers
  7. Statistics backup/restore

##############
Some notes ###
##############

  o Some of the next examples are real captures you can find in the log directory,
    others are anonymized, but none of them are (of course ?) real  world
    evidence.
  o 10.1.1.1:80  is  a  webserver  while  10.1.1.2,  10.1.1.77,  10.1.1.42  are
    workstations.
  o The snort and cctde processes are running on 10.1.1.1.
  o Text between {} is a comment.
  o What follows is only a short overview of what you can trace with CCTDE, so ...
  o I sometimes reduced the output when the displayed infos weren't accurate.

#################################################
1. Monitoring opened connections in real time ###
#################################################

  cctde.conf :
    A_TIMELINE_PERIOD=300
    A_KEEP_TIMELINE=0
    A_DISPLAY_TCP_CONNECTION=1
    A_DISPLAY_RESUME=1
    A_DISPLAY_ALERT_RULES=1
    A_DISPLAY_TIMELINE=1
    A_DISPLAY_CURRENT=1
    A_MAX_UPCON=uptime;30

  We start Snort using RunAndLog.sh and CCTDE using :
  ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

  {15 seconds after start time, we have a first resume}

  CCTDE [19365] started the 21/02/2004 14:45:07
    o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
    o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00 (0 seconds).
    o 0 alert rule(s)
    o 0 connection(s) UP.
    o 0 recorded client(s) in main view (0 timeline(s)).

  {64144 is a standard wget connection while 65340 is a netcat connection I keep up}

  [ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
  [ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
  [ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469

  CCTDE [19365] started the 21/02/2004 14:45:07
    o Processed 2 connections and 1833 bytes (15 packets) in 30 seconds (0 desync packets).
    o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
    o 0 alert rule(s)
    o 1 connection(s) UP.
      # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected)
        packets rx=1 tx=2, bytes rx=0 tx=0, uptime=13
    o 1 recorded client(s) in main view (0 timeline(s)).

  CCTDE [19365] started the 21/02/2004 14:45:07
    o Processed 2 connections and 1833 bytes (15 packets) in 45 seconds (0 desync packets).
    o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
    o 0 alert rule(s)
    o 1 connection(s) UP.
      # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected)
        packets rx=1 tx=2, bytes rx=0 tx=0, uptime=28
    o 1 recorded client(s) in main view (0 timeline(s)).

  {Alerts are coming}

  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (31 seconds).
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (32 seconds).
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (33 seconds).
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

  {I'm closing the netcat connection}

  [ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

  CCTDE [19365] started the 21/02/2004 14:45:07
    o Processed 2 connections and 1833 bytes (18 packets) in 55 seconds (0 desync packets).
    o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
    o 0 alert rule(s)
    o 0 connection(s) UP.
    o 1 recorded client(s) in main view (0 timeline(s)).
  SigTERM ... Exiting!
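
  As an added example that is not part of CCTDE or its documentation, the following Python
  script replays the SYN/FIN lines shown above and applies the A_MAX_UPCON=uptime;30 check
  to them. The message layout is copied from the output above; counting uptime in whole
  seconds and measuring a connection without a FIN against a chosen "now" are assumptions
  drawn from the resumes, not from the CCTDE source.

```python
import re
from datetime import datetime

# Shape of the SYN/FIN lines CCTDE prints when A_DISPLAY_TCP_CONNECTION=1.
EVENT_RE = re.compile(
    r"\[ (?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \] : (?P<flag>SYN|FIN) TCP packet "
    r"\[(?P<cid>\d+)\] : (?P<src>[\w.]+:\d+)->(?P<dst>[\w.]+:\d+)"
)

def parse_ts(text):
    """'02/21/04-14:45:24' -> datetime; fractions are dropped, as the resumes count whole seconds."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S")

def parse_event(line):
    """Return (timestamp, flag, connection id, src, dst) for a SYN/FIN line, else None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return parse_ts(m.group("ts")), m.group("flag"), m.group("cid"), m.group("src"), m.group("dst")

def track_connections(lines, max_upcon=30, now=None):
    """Replay SYN/FIN events; return {cid: info} with uptime, UP state and the A_MAX_UPCON verdict.

    A connection with no FIN yet is measured against `now` ('MM/DD/YY-HH:MM:SS', default: the
    last event seen), like the 'uptime=' shown for connections still UP in the resumes above."""
    conns, last_ts = {}, None
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, flag, cid, src, dst = ev
        last_ts = ts
        if flag == "SYN":
            # The SYN direction tells which side is the client.
            conns[cid] = {"client": src, "server": dst, "start": ts, "end": None}
        elif cid in conns:
            conns[cid]["end"] = ts  # a FIN may come from either side
    now = parse_ts(now) if now else last_ts
    report = {}
    for cid, c in conns.items():
        end = c["end"] if c["end"] is not None else now
        uptime = int((end - c["start"]).total_seconds())
        report[cid] = {"client": c["client"], "server": c["server"], "uptime": uptime,
                       "up": c["end"] is None, "over": uptime > max_upcon}
    return report

def upcon_alerts(report, max_upcon=30):
    """Format the 'Con created more than N seconds ago' lines for flagged connections."""
    return [f"CCTDE : Con created more than {max_upcon} seconds ago : "
            f"{c['client']}->{c['server']} ({c['uptime']} seconds)."
            for c in report.values() if c["over"]]

# Events copied from the first run above: 65340 is the long-lived netcat session,
# 64144 the ordinary wget request that opens and closes within the same second.
EVENTS_EX1 = [
    "[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80",
    "[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80",
    "[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469",
    "[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80",
]

if __name__ == "__main__":
    # Snapshot at the 45-second resume (14:45:52): 65340 is UP with uptime=28, no alert yet.
    print(track_connections(EVENTS_EX1[:3], now="02/21/04-14:45:52")["65340"])
    # Full replay: 65340 lived 34 seconds and is flagged, 64144 lived 0 seconds.
    for line in upcon_alerts(track_connections(EVENTS_EX1)):
        print(line)
```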

###################################################
2. Monitoring opened connections in replay mode ###
###################################################

  We can analyze already recorded tcpdump files.

  We use the following script to get the start time of the tcpdump logfile from example 1 :

    ./display_time_infos.sh ../logs/cctde_alert_ex1.tcpdump.log 
    First is at 1077371124
    Last is  at 1077371158
    Delay is 34 seconds

  We start CCTDE : ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1077371124

  We run Snort using : ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

  [ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
  [ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
  [ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).
  [ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
  CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

  CCTDE [19387] started the 21/02/2004 14:51:46 (Pcap start : 21/02/2004 14:45:24)
    o Processed 2 connections and 1833 bytes (18 packets) in 16 seconds.
      (0 desync packets) (0 tmout connections) (Pcap delay : 34).
    o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
    o 0 alert rule(s)
    o 0 connection(s) UP.
    o 1 recorded client(s) in main view (0 timeline(s)).
  SigTERM ... Exiting!

#############################
3. Playing with timelines ###
#############################

  cctde.conf :
    # Setting the timelines parameters
    A_TIMELINE_PERIOD=10
    A_KEEP_TIMELINE=2
    A_FLUSH_TIMELINE=1
    # Setting resume messages
    A_DISPLAY_RESUME=1
    A_DISPLAY_ALERT_RULES=1
    A_DISPLAY_TIMELINE=1
    A_DISPLAY_TIMELINE_NO_CLIENT=1
    A_DISPLAY_CURRENT=1

  We get information from the tcpdump capture :

    ./display_time_infos.sh ../logs/cctde_alert_ex3.tcpdump.log 
    First is at 1075234136
    Last is  at 1075234167
    Delay is 31 seconds

  We start CCTDE : ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136

  We run Snort using : ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

  {This timeline is the first created and is flushed from memory when the third
   timeline is created}

      o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
        Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
        0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
        # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] 
          conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
          alerts=0
          $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
            conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31

  {Ctrl-C : cctde displays information : we have two recorded timelines without any
   client because the capture contains a single client who opened its connection during
   the first timeline.}

    CCTDE [19407] started the 21/02/2004 15:03:48 (Pcap start : 27/01/2004 21:08:56)
      o Processed 1 connections and 2411 bytes (38 packets) in 5 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 31).
      o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
      o 0 alert rule(s)
      o 0 connection(s) UP.
      o 0 recorded client(s) in main view (2 timeline(s)).
    
      o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
        Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
        0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
    
      o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
        Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
        0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
    SigTERM ... Exiting!

#################################
4. Using signals and commands ###
#################################

  cctde.conf :
    # Setting the timelines parameters
    A_TIMELINE_PERIOD=10
    # Setting resume messages
    A_DISPLAY_RESUME=1
    A_DISPLAY_ALERT_RULES=1
    A_DISPLAY_TIMELINE=1
    A_DISPLAY_TIMELINE_NO_CLIENT=1
    A_DISPLAY_CURRENT=1
    # The command file
    A_COMMAND_FILE=conf/cctde.cmd

  cctde.cmd :
    display_clients_infos
    display_servers_infos

  We start CCTDE : ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

  We run Snort using : ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

  {We tell cctde to display the resume}

    ./test_sigusr1.sh 
    
    CCTDE [19425] started the 21/02/2004 15:19:30 (Pcap start : 27/01/2004 21:08:56)
      o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 31).
      o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
      o 0 alert rule(s)
      o 0 connection(s) UP.
      o 0 recorded client(s) in main view (3 timeline(s)).
    
      o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
        Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
        0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
    
      o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
        Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
        0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
    
      o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
        Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
        0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
        # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] 
          conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
          alerts=0
          $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
            conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
    OK
    
  {We tell cctde to execute the commands from cctde.cmd}

    ./test_sigusr2.sh 
    OK

  {There is no client recorded in the main list}

    display_clients_infos : (null)
      o 0 recorded client(s).

  {But as we are keeping all timelines in memory, the server information is still
   recorded}

    display_servers_infos : (null)
      o 1 recorded server(s).
        # 10.1.1.1:80 [01/27/04-21:09:27.017588 - 01/27/04-21:09:27.361352 ]
          conn=1, packets rx=4 tx=3, bytes rx=1738 tx=0, Uptime global=31
          alerts=0
    
    [...]

######################################
5. Writing and playing with alerts ###
######################################

  cctde.conf :
    # Setting the timelines parameters
    A_TIMELINE_PERIOD=300
    # Setting resume messages
    A_DISPLAY_RESUME=1
    A_DISPLAY_ALERT_RULES=1
    A_DISPLAY_TIMELINE=1
    A_DISPLAY_TIMELINE_NO_CLIENT=1
    A_DISPLAY_CURRENT=1
    # The command file
    A_COMMAND_FILE=conf/cctde.cmd
    # Our alerts
    ALERT_MAX_SRV=2;uptime;30;3;50;0;1
    ALERT_MAX_CL=1;prx;8;3;50;0;1

  We start CCTDE : ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

  {We display the resume to look at the alerts we configured}

  ./test_sigusr1.sh 

    CCTDE [439] started the 21/02/2004 15:40:44 (Pcap start : 27/01/2004 20:08:56)
      o Processed 0 connections and 0 bytes (0 packets) in 9 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
      o 2 alert rule(s)
        # Alert #1 for clients (Max : prx > 8 ?)
          dal: 3, pal: 50 - silent for 0 alerts, weight: 1
        # Alert #2 for servers (Max : uptime > 30 ?)
          dal: 3, pal: 50 - silent for 0 alerts, weight: 1
      o 0 connection(s) UP.
      o 0 recorded client(s) in main view (0 timeline(s)).
    OK
    
  We run Snort using : ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

  {Alerts and reminders are raised to operator}

    [20:09:14] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 8 packets.
    [20:09:17] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 9 packets (rem. 3 secs).
    [20:09:21] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 10 packets (rem. 3 secs).
    [20:09:22] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
    [20:09:26] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 13 packets (rem. 3 secs).
    [20:09:27] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
    [20:09:27] CCTDE - Srv #2 (Max) : Global uptime reached 30 secs : 10.1.1.1 stood up for 31 secs.

  We edit the command file :
    remove_alert_rules=1

  {We remove the alert #1}

    ./test_sigusr2.sh 
    remove_alert_rules : 1
      Alert rule #1 removed.
    OK

  We edit the command file :
    ALERT_MAX_CL=3;prx;2;3;50;0;1
    display_alert_rules

    ./test_sigusr2.sh 

  {We add the new alert}

    ALERT_MAX_CL : 3;prx;2;3;50;0;1

  {We display the stored alerts}

    display_alert_rules : (null)
      o 2 alert rule(s)
        # Alert #3 for clients (Max : prx > 2 ?)
          dal: 3, pal: 50 - silent for 0 alerts, weight: 1
        # Alert #2 for servers (Max : uptime > 30 ?)
          dal: 3, pal: 50 - silent for 0 alerts, weight: 1

  {Our new alert #3 is raised but dal/pal are not applied as they're updated when
   packets are recorded}

    [20:09:27] CCTDE - Cl #3 (Max) : Prx reached 2 : 10.1.1.77 received 19 packets.
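
  The rule format and the reminder cadence, as an added Python model that is not CCTDE's
  own code: it parses an ALERT_MAX_* directive into its seven fields and replays one rule
  over constructed packet counts for 10.1.1.77. The meanings of dal (seconds between
  reminders) and pal (percent growth that triggers a reminder), and the ">=" threshold test,
  are inferred from the "(rem. 3 secs)" and "(rem. 50%)" lines above rather than taken from
  the source; silent and weight are parsed but not modelled.

```python
from dataclasses import dataclass
@dataclass
class AlertRule:
    scope: str      # "CL" (clients) or "SRV" (servers), taken from the directive name
    rule_id: int
    metric: str     # "prx" (packets received), "uptime", ...
    threshold: int  # the Max level: alert once the metric reaches it
    dal: int        # seconds between reminders (inferred from the "(rem. 3 secs)" lines)
    pal: int        # percent growth that triggers a reminder (inferred from "(rem. 50%)")
    silent: int     # parsed only, not modelled here
    weight: int     # parsed only, not modelled here

def parse_alert_rule(directive):
    """Parse a line such as 'ALERT_MAX_CL=1;prx;8;3;50;0;1' into an AlertRule."""
    name, sep, value = directive.strip().partition("=")
    fields = value.split(";")
    if not sep or not name.startswith("ALERT_MAX_") or len(fields) != 7:
        raise ValueError(f"bad ALERT_MAX_* directive (7 ';'-separated fields expected): {directive!r}")
    rid, metric, threshold, dal, pal, silent, weight = fields
    return AlertRule(name[len("ALERT_MAX_"):], int(rid), metric, int(threshold),
                     int(dal), int(pal), int(silent), int(weight))

class MaxAlertTracker:
    """One Max rule replayed over (time, value) observations of a single host.
    Assumed logic, reconstructed from the output above: alert when the metric reaches the
    threshold; then remind when the value has grown by `pal` percent over the value at the
    last alert or percentage reminder, or else when `dal` seconds passed since the last message."""

    def __init__(self, rule, host):
        self.rule, self.host = rule, host
        self.last_t, self.ref_value = None, None  # time of last message / pal reference value

    def observe(self, t, value):
        """Return the CCTDE-style message for this observation, or None if nothing is raised."""
        r = self.rule
        if value < r.threshold:
            return None
        if self.last_t is None:
            suffix = ""
        elif value * 100 >= self.ref_value * (100 + r.pal):
            suffix = f" (rem. {r.pal}%)"
        elif t - self.last_t >= r.dal:
            suffix = f" (rem. {r.dal} secs)"
        else:
            return None
        if "secs" not in suffix:  # first alert or percentage reminder: new reference value
            self.ref_value = value
        self.last_t = t
        side = "Cl" if r.scope == "CL" else "Srv"
        what = f"received {value} packets" if r.metric == "prx" else f"{r.metric} is {value}"
        return (f"CCTDE - {side} #{r.rule_id} (Max) : {r.metric.capitalize()} reached "
                f"{r.threshold} : {self.host} {what}{suffix}.")

def hms(text):
    h, m, s = (int(x) for x in text.split(":"))  # "20:09:14" -> seconds of day
    return h * 3600 + m * 60 + s

def replay(directive, host, observations):
    """Return [(time, message)] raised by one ALERT_MAX_* directive over (time, value) pairs."""
    tracker = MaxAlertTracker(parse_alert_rule(directive), host)
    return [(ts, msg) for ts, value in observations if (msg := tracker.observe(hms(ts), value))]

# Constructed packet counts for 10.1.1.77 mirroring the run above (20:09:10 and 20:09:18 raise nothing).
OBSERVATIONS = [("20:09:10", 5), ("20:09:14", 8), ("20:09:17", 9), ("20:09:18", 9),
                ("20:09:21", 10), ("20:09:22", 12), ("20:09:26", 13), ("20:09:27", 18)]

if __name__ == "__main__":
    for ts, msg in replay("ALERT_MAX_CL=1;prx;8;3;50;0;1", "10.1.1.77", OBSERVATIONS):
        print(f"[{ts}] {msg}")
```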

#####################################
6. Using TopX clients and servers ###
#####################################

  We configure Top directives in the cctde.conf file :
    A_TOP_X_SRV=uptime;3
    A_TOP_X_SRV=prx;3
    A_TOP_X_CL=con;3

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146
    
    CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets)\
        (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

      o TOP_3_CL_CON has 2 recorded client(s).
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1

      o TOP_3_SRV_UPTIME has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
          conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1

      o TOP_3_SRV_PRX has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
          conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
    SigTERM ... Exiting!

################################
7. Statistics backup/restore ###
################################

  cctde.conf :
    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd
    A_BACKUP_FILE=conf/cctde.bk

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

    ./test_stop.sh
    CCTDE [476] started the 21/02/2004 16:04:44 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 5 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30 (58 seconds).
      o 0 alert rule(s)
      o 0 connection(s) UP.
      o 2 recorded client(s) in main view (0 timeline(s)).
    SigTERM ... Exiting!

  At this point, our information is backed up in the conf/cctde.bk_{date} file.

  cctde.conf :
    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd

  cctde.cmd :
    read_stats_from=conf/cctde.bk_1077379484

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    ./test_sigusr1.sh 

    CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 3 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
      o 0 alert rule(s)
      o 0 connection(s) UP.
      o 0 recorded client(s) in main view (0 timeline(s)).
    OK

    ./test_sigusr2.sh 
    read_stats_from : conf/cctde.bk_1077379484
    OK

    ./test_sigusr1.sh 

    CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 46 seconds.
        (0 desync packets) (0 tmout connections) (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
      o 0 alert rule(s)
      o 0 connection(s) UP.
      o 0 recorded client(s) in main view (1 timeline(s)).

      o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
        Main infos the 27/01/2004 22:23:30 : Tcp connections : 7, Packets : 96, Bytes: 3356
        0 Desync packet - 0 Upcon - 0 TmoutCon - 1 timelines.
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
          $ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
            conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
          $ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
            conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
          $ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
            conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
          $ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
            conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
    [...]
