CCTDE - Covert Channels and Tunnels Detection Engine v0.1 - README
Copyright (C) 2003, 2004 Simon Castro - scastro@entreelibre.com

===============================================================================
This file is part of CCTDE - Covert Channels and Tunnels Detection Engine  v0.1
(C) Simon Castro <scastro [at] entreelibre.com>
CCTDE is free software; you can redistribute it  and/or  modify  it  under  the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
CCTDE is distributed in the  hope  that  it  will  be  useful, but WITHOUT  ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General  Public  License  along with
CCTDE; if not, write to the Free Software  Foundation,  Inc., 59 Temple  Place,
Suite 330, Boston, MA  02111-1307  USA
===============================================================================

===============================================================================

GRAY-WORLD.NET / CCTDE
======================

  The CCTDE program is part of the Gray-World.net projects.

  Our Gray-World Team uses the http://gray-world.net website to present the
projects and publications we are working on. Our activity lies in the field of
NACS (Network Access Control System) bypassing research and is related to
computer and network security topics.

===============================================================================

CCTDE
======

CCTDE is a first implementation of the Gray-World.net 'Covert Channel and
Tunneling over the HTTP protocol Detection: GW implementation theoretical
design' paper [1] (the latest working version of this paper is also available
in the doc/cctde_tmp-06122003.txt.gz file).

The main goal of this project is to provide a way to record and disclose
information leading to the detection of unauthorized tunnels and covert
channels embedded in the HTTP protocol, but the concepts could also be applied
to the detection of arbitrary data flows inside other high-level protocols.

Located between a mandatory HTTP proxy server and the HTTP clients (or before
the NACS if no proxy exists), CCTDE tries to detect whether someone on the
internal network is using a CC|T (Covert Channel OR Tunneling) tool to bypass
the NACS.

[doc/html/cctde1.gif]

Located in front of corporate servers in the DMZ, CCTDE tries to detect whether
someone on the Internet is using server-side tools such as WebShell [2] or
Firepass [3] to cross the NACS boundaries.

[doc/html/cctde2.gif]

CCTDE can also be used as a convenient way to fingerprint CC&T (Covert  Channel
AND Tunneling) tools.

NOTES
=====

As a concept tool, there is no click-and-play installation documentation. CCTDE
is designed for research purposes, so I suggest you read the source code and
play with it until it meets your needs (if it ever manages to).

At this time, CCTDE watches OSI layers 3 and 4, but as my first target is to
detect abnormal data streams embedded in the HTTP protocol, recording
information about HTTP requests/responses is at the top of my TODO list.

If you have any question, don't hesitate to send me a mail or to post a message
on the CCTDE board.

  A) DESIGN
  ---------

  CCTDE is currently designed as an analysis back-end for the Snort NIDS [4]
  tool. Its main goal is to detect suspicious or abnormal network flows using
  more or less statistically based methods.

  Snort acts as a network sensor, optionally recording data streams in
  tcpdump-format binary files, and communicates with the CCTDE part through a
  Unix socket.

  CCTDE reads Snort alerts and pcap packets from the Unix socket and stores
  them in memory. It is then possible to correlate the recorded data in order
  to detect specific network activities.

  B) HOW TO USE IT
  ----------------

    1. Build from sources
    ---------------------

    Download the snort sources and untar them in a directory, then:
    cd cctde-0.1
    ./configure --with-snort-include={PATH_TO}/snort-2.1.0
    make

    The binary is src/cctde and configuration files are in conf/.

    2. Snort Configuration
    ----------------------

    The Snort configuration is located in the snort_conf directory. There are
    two standard Snort config files (config + rules) and a few start scripts
    that run Snort in logging mode or process a tcpdump logfile.

    3. CCTDE Configuration
    ----------------------

    The CCTDE configuration is located in conf/cctde.conf. If you send SIGHUP
    (kill -HUP) to the CCTDE process, the configuration file is reloaded and
    the directives starting with A_ are updated.

    4. Signals
    ----------

    SIGHUP  - Reload the configuration file.
    SIGUSR1 - Call the display_cctde_function().
    SIGUSR2 - Use the A_COMMAND_FILE command file set in conf/cctde.conf to
              execute commands.

  C) SUSPECT FLOW DETECTION
  -------------------------

    1. Opened connections
    ---------------------

    CCTDE can raise alerts when monitored values of open connections exceed
    configured thresholds. The monitored values for open connections are:

      o The connection uptime (in seconds);
      o The number of packets received and/or sent;
      o The number of bytes received and/or sent;

    To set your thresholds, edit the A_MAX_UPCON directives in the config file.

    2. Stored connection info
    -------------------------

    The stored connection info can be checked against several thresholds.

    MAX_ - Basic check based on a maximal value:
    --------------------------------------------

    The MAX_ thresholds may be defined for clients (MAX_CL) or for servers
    (MAX_SRV) in order to raise alerts if monitored values exceed:

      o A number of TCP connections;
      o A connection uptime (in seconds);
      o A number of packets received and/or sent;
      o A number of bytes received and/or sent;

    Each of these thresholds may be configured to alert once or repeatedly
    with the MAX_xxx_DAL or MAX_xxx_PAL directives. The _DAL one sets an alert
    reminder period in seconds (one alert, then a reminder alert every x
    seconds) while the _PAL one sets an alert reminder on a percentage
    increase (one alert, then another alert each time the value has grown by
    more than x% since the last alert).

    These MAX_ checks are done on the current period (see ROTATION PERIOD).
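As an added illustration (not CCTDE's own code) of the threshold and reminder logic described in C.1 and this MAX_ section: a Python check that alerts once when a monitored value passes its maximum, then reminds on a _DAL period or a _PAL percentage increase. The class, the directive-like label and the sample byte counts are constructed assumptions.

```python
from typing import List, Optional, Tuple

# Added example: a MAX_-style threshold check with the _DAL (remind every x
# seconds) and _PAL (remind on more than x % increase) reminder semantics.
# Class and label names are assumptions, not CCTDE's own code.

class MaxCheck:
    def __init__(self, name: str, max_value: int, dal: float = 0, pal: float = 0):
        self.name = name            # constructed label, e.g. "MAX_CL_BYTES for 10.0.0.5"
        self.max_value = max_value  # alert when the monitored value exceeds this
        self.dal = dal              # reminder period in seconds, 0 = no time reminder
        self.pal = pal              # reminder when value grew by more than pal %, 0 = off
        self.last_alert_time: Optional[float] = None
        self.last_alert_value = 0

    def check(self, value: int, now: float) -> Optional[str]:
        """Return an alert message for this observation, or None if silent."""
        if value <= self.max_value:
            return None
        if self.last_alert_time is None:          # first crossing: always alert once
            self._remember(value, now)
            return "%s exceeded: %d > %d" % (self.name, value, self.max_value)
        reasons = []
        if self.dal and now - self.last_alert_time >= self.dal:
            reasons.append("%gs since last alert" % (now - self.last_alert_time))
        growth = (value - self.last_alert_value) * 100.0 / self.last_alert_value
        if self.pal and growth > self.pal:
            reasons.append("+%.0f%% since last alert" % growth)
        if not reasons:
            return None                           # still over, but no reminder due
        self._remember(value, now)
        return "%s still over (%s): %d" % (self.name, ", ".join(reasons), value)

    def _remember(self, value: int, now: float) -> None:
        self.last_alert_time = now
        self.last_alert_value = value


def run_demo() -> List[Tuple[float, Optional[str]]]:
    """Feed constructed (time, bytes_sent) samples for one client through a check."""
    chk = MaxCheck("MAX_CL_BYTES for 10.0.0.5", max_value=1_000_000, dal=60, pal=50)
    samples = [(0, 500_000), (10, 1_200_000), (20, 1_300_000),
               (30, 1_900_000), (100, 1_950_000)]
    return [(t, chk.check(v, t)) for t, v in samples]


if __name__ == "__main__":
    for t, msg in run_demo():
        print(t, msg or "-")
```

With the sample above, only three of the five observations produce an alert: the first crossing, the 58% growth at t=30, and the 70 s reminder at t=100.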

    ROTATION PERIOD
    ---------------

    Information about clients and servers may be rotated periodically (see the
    A_TIMELINE_PERIOD directive). Each time the current period is over, the
    main information structure is flushed into a specific period structure.

    You can then monitor specific values on a time line basis.

    TOP_X
    -----

    Using the A_TOP_X directives in the configuration file you can generate and
    update, packet by packet, a TOP X of clients and servers based on:

      o A number of TCP connections;
      o A connection uptime (in seconds);
      o A number of packets received and/or sent;
      o A number of bytes received and/or sent;

    If you start CCTDE without a TOP_X directive, or if you want to change one
    at run time, you can use the build_topX_[clients|servers] commands in the
    A_COMMAND_FILE.
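An added Python sketch (not CCTDE's own code) of the ROTATION PERIOD and TOP_X mechanics above: per-client counters are flushed into a period structure at each period boundary, and a TOP X is ranked on one counter for either the current or a stored period. The Timeline class, its method names and the packet stream are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Added example of the ROTATION PERIOD and TOP_X ideas: counters per client are
# flushed into a period structure every period_secs, and a TOP X is ranked on
# one of the counters. Class and method names are assumptions, not CCTDE's code.

def _empty() -> Dict[str, int]:
    return {"conns": 0, "packets": 0, "bytes": 0}


class Timeline:
    def __init__(self, period_secs: int, start: int):
        self.period_secs = period_secs
        self.period_start = start
        self.current: Dict[str, Dict[str, int]] = defaultdict(_empty)
        self.periods: List[Tuple[int, Dict[str, Dict[str, int]]]] = []

    def rotate_if_needed(self, now: int) -> None:
        # Flush the main structure into a period structure each time a period ends
        # (an idle gap produces empty periods so the time line stays contiguous).
        while now >= self.period_start + self.period_secs:
            self.periods.append((self.period_start, dict(self.current)))
            self.current = defaultdict(_empty)
            self.period_start += self.period_secs

    def observe(self, now: int, client: str, nbytes: int, new_conn: bool) -> None:
        self.rotate_if_needed(now)
        c = self.current[client]
        c["packets"] += 1
        c["bytes"] += nbytes
        c["conns"] += 1 if new_conn else 0

    def top_x(self, key: str, n: int, period: Optional[int] = None) -> List[Tuple[str, int]]:
        """Rank clients by one counter, from the current period or a stored one."""
        table = self.current if period is None else self.periods[period][1]
        ranked = sorted(((cl, v[key]) for cl, v in table.items()),
                        key=lambda kv: (-kv[1], kv[0]))
        return ranked[:n]


def run_demo() -> Timeline:
    """Constructed packet stream: (tv_sec, client, bytes, starts a new connection)."""
    tl = Timeline(period_secs=60, start=0)
    for pkt in [(5, "10.0.0.5", 1500, True), (6, "10.0.0.5", 1500, False),
                (7, "10.0.0.9", 200, True), (8, "10.0.0.9", 200, True),
                (65, "10.0.0.7", 900, True), (70, "10.0.0.9", 100, True)]:
        tl.observe(*pkt)
    return tl
```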

    BACKING UP / RESTORING
    ----------------------

    You can back up your information structure (current and timelines) to a
    file using the A_BACKUP_FILE directive (when the process receives SIGTERM)
    or at any time using backup_stats in the A_COMMAND_FILE.

    You can restore statistics from a backup file into a timeline using
    read_stats_from in the A_COMMAND_FILE.

  Also have a look at the EXAMPLES file.

  D) SYNOPSIS
  -----------

    Synopsis:
    ---------
    
      cctde -S snort_usock [-f config_file] [-p pidfilepath] [-l logfile]  [-s\
        start_time] [-R refresh] [-B not_before] [-A not_after]
      cctde -V
      cctde -h
    
    Parameters:
    -----------
    
      cctde -S snort_usock  Path to the Snort unix socket (ex: logs/snort_alert).
    
      cctde -f config_file  Use the configuration file (if NS, use DEFAULT_CONF_FILE).
      cctde -p pidfilepath  Log pid to pidfilepath/cctde.pid.
      cctde -l logfile      Log to logfile.
      cctde -s start_time   Do as if start_time was the current time (ex: 1074194932).
      cctde -R refresh      Verbose refresh period delay (in secs).
      cctde -B not_before   Don't take packet if tv_sec < not_before (ex: 1074194932).
      cctde -A not_after    Don't take packet if tv_sec > not_after (ex: 1074194932).
    
      cctde -V              Show version.
      cctde -h              Show this help.
    
    Signals:
    --------
    
      Sighup        Reload configuration file.
      Sigusr1       Call display_cctde_infos.
      Sigusr2       Execute functions from A_COMMAND_FILE.
    
  E) WARNING
  ----------

  This is a concept tool, so don't run it as root and so on...

  F) PLATFORMS
  ------------

  Well, actually it runs on my Woody box.

  G) LICENCE
  ----------

  GNU General Public License as published by the Free Software Foundation;
  either version 2 of the License, or (at your option) any later version.
  See the COPYING file for more information.

  H) THANKS
  ---------

  My first thanks are going to Alex for all of the things  we  are  discovering
  together each day and to the whole GW team. Next are flowing to Arun for  his
  support since the publication of the cctde paper on his fantastic E-zine.

  I also thank Fryxar for his TcpStatFlow [5] release because he reminded me
  that 'code and see' was a good way ... And that thinking, thinking and
  thinking is sometimes not enough...

  Have a look at the ChangeLog file for further information concerning the
  contributions.

  I) WEBOGRAPHY
  -------------

  [1] - Covert Channel and Tunneling over the HTTP protocol Detection: GW
        implementation theoretical design - Simon Castro, July 2003.
        http://gray-world.net/projects/papers/cctde.txt

  [2] - Web Shell Project - http://gray-world.net

  [3] - Firepass Project - http://gray-world.net

  [4] - Snort Project - http://www.snort.org

  [5] - Tcpstatflow Project - http://www.geocities.com/fryxar/

===============================================================================

CCTDE RESOURCES
================

  A) Where is the latest CCTDE release
  ------------------------------------

  You can get the latest CCTDE release from http://gray-world.net or from a GW
  mirror:

    [France] : http://www.entreelibre.com/gray-world.net/
    [Spain]  : http://www.securitylabs.info/gray-world.net/

  B) Discussion forum
  -------------------

  You can post feature requests and bug reports, and discuss CCTDE, on the
  online forum located at:

    http://gray-world.net/board/

  C) Patches
  ----------

  Current version patches (if any) are announced on the  discussion  forum  and
  available on:

    http://gray-world.net/projects/cctde/patches/

Simon Castro - scastro@entreelibre.com
