CCTDE - Covert Channels and Tunnels Detection Engine v0.1
Copyright (C) 2003, 2004 Simon Castro - scastro@entreelibre.com

===============================================================================
This file is part of CCTDE - Covert Channels and Tunnels Detection  Engine v0.1
(C) Simon Castro.
CCTDE is free software; you can redistribute it  and/or  modify  it  under  the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
CCTDE is distributed in the  hope  that  it  will  be  useful, but WITHOUT  ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General  Public  License  along with
CCTDE; if not, write to the Free Software  Foundation,  Inc., 59 Temple  Place,
Suite 330, Boston, MA  02111-1307  USA
===============================================================================

Some notes on the examples below :

  o Some of the examples are real captures you can find in the log directory and
    some others are anonymized, but none of them is (of course) real-world
    evidence.
  o 10.1.1.1:80 is a webserver and 10.1.1.77 and 10.1.1.42 are workstations.
  o The snort and cctde processes are running on 10.1.1.1.
  o Text between {} is a comment.
  o What follows is only a short overview of what you can trace with CCTDE.

#################################################
1. Monitoring opened connections in real time ###
#################################################

  cctde.conf :
    A_TIMELINE_PERIOD=300
    A_DISPLAY_TCP_CONNECTION=1
    A_DISPLAY_CURRENT=1
    A_MAX_UPCON=uptime;30
  
  We start Snort using RunAndLog.sh and Cctde using :
  ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

  {15 seconds after start time, we get a first summary}

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
      o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00
      o 0 connection(s) UP.

  {24533 is a standard browser connection while 24534 is a netcat connection I keep up}

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (21 packets) in 30 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:09
      o 2 connection(s) UP.
        # 10.1.1.77:1046->10.1.1.1:80 (24533 / state : 2)
          packets rx=9 tx=9, bytes rx=2991 tx=1503, uptime=11
        # 10.1.1.77:1047->10.1.1.1:80 (24534 / state : 2)
          packets rx=1 tx=2, bytes rx=0 tx=0, uptime=8

  {No further user action in the browser, so it closes the connection}

    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (24 packets) in 45 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:26
      o 1 connection(s) UP.
        # 10.1.1.77:1047->10.1.1.1:80 (24534 / state : 2)
          packets rx=1 tx=2, bytes rx=0 tx=0, uptime=23

  {Alerts are coming}
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (31 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (32 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (33 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (34 seconds).

  {I'm closing the netcat connection}
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (25 packets) in 60 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (25 packets) in 61 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.
    SigTERM ... Exiting!
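  The A_MAX_UPCON=uptime;30 rule above fires on the one thing that separates the
  netcat session from the browser session: a connection that stays UP with no
  payload (bytes rx=0 tx=0) while its uptime keeps growing. The following Python
  script is an added example, not part of CCTDE itself: it parses the SYN/FIN
  lines shown above (copied here as constructed sample data), rebuilds the
  connection table and emulates the periodic check. The tick schedule (one check
  per second from the first SYN until the last packet) is an assumption, not
  taken from cctde's source, but it reproduces the 31..34 second alerts above.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the four SYN/FIN lines from example 1, copied as sample data.
SAMPLE_LINES = [
    "[ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80",
    "[ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80",
    "[ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80",
    "[ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80",
]

LINE_RE = re.compile(
    r"\[ (?P<ts>\S+) \] : (?P<flag>SYN|FIN) TCP packet \[(?P<cid>\d+)\] : (?P<flow>\S+->\S+)$"
)
TS_FMT = "%m/%d/%y-%H:%M:%S.%f"


def parse_line(line):
    """Parse one packet line into (timestamp, flag, connection id, 'client->server'), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.strptime(m.group("ts"), TS_FMT), m.group("flag"),
            int(m.group("cid")), m.group("flow"))


def build_connections(lines):
    """Return {cid: (flow, syn_time, fin_time)}; fin_time is None while the connection is UP."""
    conns = {}
    for ts, flag, cid, flow in sorted(e for e in map(parse_line, lines) if e is not None):
        if flag == "SYN":
            conns[cid] = (flow, ts, None)
        elif cid in conns:
            conns[cid] = (conns[cid][0], conns[cid][1], ts)
    return conns


def up_connections(conns, at):
    """Connections UP at `at`, as (cid, flow, uptime in whole seconds) like the periodic summary."""
    out = []
    for cid, (flow, start, end) in sorted(conns.items()):
        if start <= at and (end is None or at < end):
            out.append((cid, flow, int((at - start).total_seconds())))
    return out


def uptime_alerts(conns, max_up=30, tick_secs=1):
    """Emulate A_MAX_UPCON=uptime;<max_up>: at every tick, flag UP connections older than max_up.

    Assumption (not from cctde's source): ticks start at the first SYN and run until the
    last packet. With the sample above this yields alerts at 31, 32, 33 and 34 seconds.
    """
    starts = [c[1] for c in conns.values()]
    ends = [c[2] for c in conns.values() if c[2] is not None]
    now, last = min(starts), max(starts + ends)
    alerts = []
    while now <= last:
        for _cid, flow, uptime in up_connections(conns, now):
            if uptime > max_up:
                alerts.append((flow, uptime))
        now += timedelta(seconds=tick_secs)
    return alerts


if __name__ == "__main__":
    conns = build_connections(SAMPLE_LINES)
    for flow, uptime in uptime_alerts(conns):
        print(f"CCTDE : Con created more than 30 seconds ago : {flow} ({uptime} seconds).")
```

  The browser connection (24533) never trips the rule because it is closed after
  20 seconds; the netcat connection (24534) is reported once per tick from the
  moment its uptime exceeds the threshold until its FIN is seen.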

###################################################
2. Monitoring opened connections in replay mode ###
###################################################

  We can analyze already recorded tcpdump files.

  We use the following script to get the start time of the tcpdump logfile from example 1 :

    ./display_fst_record.sh ../logs/cctde_alert_ex1.tcpdump.log 
    1075232166.329335 10.1.1.77.1046 > 10.1.1.1.80: S 146707260:146707260(0) [...]

  We start CCTDE : ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166

  We run Snort using : ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (35 seconds).
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [18219] started the 27/01/2004 21:05:18 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 5 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.
    SigTERM ... Exiting!

####################################################
3. Monitoring Max threshold values and reminders ###
####################################################

  cctde.conf :
    A_TIMELINE_PERIOD=300
    A_DISPLAY_TCP_CONNECTION=1
    A_DISPLAY_CLIENTS_INFOS=1
    A_MAX_CL=prx;8
    A_MAX_CL_DAL=prx;3
    A_MAX_CL_PAL=prx;50

  Here we go :

    ./display_fst_record.sh ../logs/cctde_alert_ex3.tcpdump.log
    1075234136.644412 10.1.1.77.1048 > 10.1.1.1.80: S 597101825:597101825(0) [...]
    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136
    ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

    [ 01/27/04-21:08:56.644412 ] : SYN TCP packet [24535] : 10.1.1.77:1048->10.1.1.1:80

    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 8 packets.
  {The packet rx count reached the A_MAX_CL prx threshold}

  {The next two alerts are reminders for the percentage increase set with A_MAX_CL_PAL=prx}
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
    [ 01/27/04-21:09:27.361352 ] : FIN TCP packet [24535] : 10.1.1.1:80->10.1.1.77:1048

  {The next two alerts are delay reminders for A_MAX_CL_DAL}
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 19 packets (rem. 3 secs).
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 19 packets (rem. 3 secs).

    CCTDE [18576] started the 27/01/2004 21:42:58 (Pcap start : 27/01/2004 21:08:56)
      o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds (0 desync packets).
      o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27
      o 1 recorded client(s).
        # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
          conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
    SigTERM ... Exiting!
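  The three A_MAX_CL settings above produce one threshold alert (8 packets), a
  reminder each time the count grows by another 50% (12, then 18) and a timed
  reminder every 3 seconds while the client stays over the threshold. The Python
  model below is an added example, not cctde code: the exact scheduling inside
  cctde is not documented on this page, so the rule it implements (percentage
  reminders relative to the count at the previous alert, delay reminders on any
  timer tick at least 3 seconds after the previous alert) is an assumption chosen
  to reproduce the alert sequence shown above. The packet and tick times are
  constructed sample data.

```python
import math

# Constructed event stream standing in for example 3: 19 packets received by 10.1.1.77
# (one every 0.25 s, matching the 19 "packets rx" in the summary above) plus the monitor's
# own timer ticks, once per second, for 12 seconds.
SAMPLE_EVENTS = (
    [("rx", "10.1.1.77", 0.25 * k) for k in range(19)]
    + [("tick", None, float(s)) for s in range(1, 13)]
)


class ClientThresholdMonitor:
    """Emulation of A_MAX_CL=prx;T, A_MAX_CL_PAL=prx;P and A_MAX_CL_DAL=prx;D for the
    per-client packets-rx counter (assumed model, see lead-in)."""

    def __init__(self, threshold=8, pal_pct=50, dal_secs=3):
        self.threshold = threshold
        self.pal_pct = pal_pct
        self.dal_secs = dal_secs
        self.count = {}       # client -> packets received so far
        self.next_pct = {}    # client -> count at which the next percentage reminder fires
        self.last_alert = {}  # client -> time of the last alert/reminder for that client

    def _msg(self, client, suffix=""):
        return (f"CCTDE - MAX_CL stats : Packet rx reached {self.threshold} : "
                f"{client} received {self.count[client]} packets{suffix}.")

    def packet_rx(self, client, now):
        """Count one packet received by `client` at time `now`; return an alert line or None."""
        n = self.count[client] = self.count.get(client, 0) + 1
        if n < self.threshold:
            return None
        if n == self.threshold:
            suffix = ""                                  # first crossing of the threshold
        elif n >= self.next_pct[client]:
            suffix = f" (rem. {self.pal_pct}%)"          # grew by P% since the last alert
        else:
            return None
        self.next_pct[client] = math.ceil(n * (1 + self.pal_pct / 100.0))
        self.last_alert[client] = now
        return self._msg(client, suffix)

    def tick(self, now):
        """Timer tick: repeat the alert for every client still over the threshold whose
        previous alert is at least dal_secs old."""
        out = []
        for client, n in self.count.items():
            if n >= self.threshold and now - self.last_alert[client] >= self.dal_secs:
                self.last_alert[client] = now
                out.append(self._msg(client, f" (rem. {self.dal_secs} secs)"))
        return out


def replay(events, monitor):
    """Feed ("rx", client, t) and ("tick", None, t) events in time order; return the alerts."""
    alerts = []
    for kind, client, t in sorted(events, key=lambda e: (e[2], 0 if e[0] == "rx" else 1)):
        if kind == "rx":
            line = monitor.packet_rx(client, t)
            if line:
                alerts.append(line)
        else:
            alerts.extend(monitor.tick(t))
    return alerts


if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS, ClientThresholdMonitor()):
        print(line)
```

  With the sample stream the output is the same five-line pattern as above: the
  threshold alert at 8 packets, two "(rem. 50%)" reminders at 12 and 18 packets,
  and two "(rem. 3 secs)" reminders at 19 packets once no more packets arrive.
  Raising A_MAX_CL_PAL or A_MAX_CL_DAL is how you trade alert volume for latency
  on a noisy client without losing the first alert.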

#################################################
4. Playing with timelines and refresh periods ###
#################################################

  cctde.conf :
    A_TIMELINE_PERIOD=2
    A_DISPLAY_TCP_CONNECTION=1

  Here we go :

    ./display_fst_record.sh ../logs/cctde_alert_ex1.tcpdump.log
    1075232166.329335 10.1.1.77.1046 > 10.1.1.1.80: S 146707260:146707260(0) [...]
    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166
    ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

  {^C is pressed here}
    CCTDE [2227] started the 27/01/2004 22:16:23 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 3 seconds (0 desync packets)\
        (Pcap delay : 38).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44

  {Second time list, for the netcat client}
  {Note that even though the period is 2 seconds long, all packets related to this
   connection belong to this timeline}
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
          conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
            conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35

  {First time list for the browser}
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
    SigTERM ... Exiting!

  We do it again using a 5 second refresh period. As we are in replay mode, the
  refresh period is computed packet by packet, starting from pcap_start :

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166 -R 5
    ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

  {A packet arrives whose recorded time is greater than pcap_start + refresh_period}
    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (22 packets) in 2 seconds (0 desync packets)\
        (Pcap delay : 17).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:23
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
          conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
            conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:23.000006 ]
          conn=1, packets rx=10 tx=9, bytes rx=2991 tx=1503, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:23.000006 ]
            conn=1, packets rx=10 tx=9, bytes rx=2991 tx=1503, Uptime global=0

    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    
    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (24 packets) in 2 seconds (0 desync packets)\
        (Pcap delay : 20).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:26
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
          conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
            conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20

    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
        
    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 2 seconds (0 desync packets)\
        (Pcap delay : 38).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
          conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
            conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
    [...]

#####################################
5. Using TopX clients and servers ###
#####################################

  cctde.conf :
    A_DISPLAY_TCP_CONNECTION=1
    A_TOP_X_SRV=uptime;3
    A_TOP_X_SRV=prx;3
    A_TOP_X_CL=con;3

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146
    
    CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets)\
        (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

      o TOP_3_CL_CON has 2 recorded client(s).
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1

      o TOP_3_SRV_UPTIME has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
          conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1

      o TOP_3_SRV_PRX has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
          conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
    SigTERM ... Exiting!

#######################################################
6. Executing commands and statistics backup/restore ###
#######################################################

  cctde.conf :
    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd
    A_BACKUP_FILE=conf/cctde.bk

  cctde.cmd :
    display_client_x=192.168.19.14

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

    ./test_sigusr1.sh 
    CCTDE [2275] started the 27/01/2004 23:06:31 (Pcap start : 27/01/2004 12:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 32 seconds (0 desync packets)\
        (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

    ./test_sigusr2.sh
    display_client_x : 10.1.1.77
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46

    ./test_stop.sh
    Stopping CCTDE (2275)
    CCTDE [2275] started the 27/01/2004 23:06:31 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 274 seconds (0 desync packets)\
        (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30
    SigTERM ... Exiting!

  Then, to restore the saved statistics :

  cctde.conf :
    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd

  cctde.cmd :
    read_stats_from=conf/cctde.bk

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    ./test_sigusr1.sh 
    CCTDE [2300] started the 27/01/2004 23:14:53 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 35 seconds (0 desync packets)\
        (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00

    ./test_sigusr2.sh 
    read_stats_from : conf/cctde.bk

    ./test_sigusr1.sh 

    CCTDE [2300] started the 27/01/2004 23:14:53 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 43 seconds (0 desync packets)\
        (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00
      o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
        Tcp connections : 7, Packets : 96, Bytes: 3356
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
          $ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
            conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
          $ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
            conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
          $ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
            conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
          $ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
            conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
    [...]
