CCTDE - Covert Channels and Tunnels Detection Engine v0.2
Copyright (C) 2003, 2004 Simon Castro - scastro@entreelibre.com
===============================================================================
This file is part of CCTDE - Covert Channels and Tunnels Detection Engine v0.2
(C) Simon Castro

CCTDE is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

CCTDE is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
CCTDE; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
Suite 330, Boston, MA 02111-1307 USA
===============================================================================

###########
Summary ###
###########

Some notes
1. Monitoring opened connections in real time
2. Monitoring opened connections in replay mode
3. Playing with timelines
4. Using signals and commands
5. Writing and playing with alerts
6. Using TopX clients and servers
7. Statistics backup/restore

##############
Some notes ###
##############

o Some of the next examples are real captures you can find in the log
  directory, others are anonymized, but none of them is (of course ?) real
  world evidence.
o 10.1.1.1:80 is a webserver while 10.1.1.2, 10.1.1.77 and 10.1.1.42 are
  workstations.
o The snort and cctde processes are running on 10.1.1.1.
o Between {} are some comments.
o Next is only a short overview of what you can trace with CCTDE, so ...
o I sometimes reduced the output when the displayed infos weren't accurate.

#################################################
1. Monitoring opened connections in real time ###
#################################################

cctde.conf :

A_TIMELINE_PERIOD=300
A_KEEP_TIMELINE=0
A_DISPLAY_TCP_CONNECTION=1
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_CURRENT=1
A_MAX_UPCON=uptime;30

We start Snort using RunAndLog.sh and Cctde using :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

{15 seconds after start time, we have a first resume}

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).

{64144 is a standard wget connection while 65340 is a netcat connection I keep up}

[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (15 packets) in 30 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
o 0 alert rule(s)
o 1 connection(s) UP.
  # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected) packets rx=1 tx=2, bytes rx=0 tx=0, uptime=13
o 1 recorded client(s) in main view (0 timeline(s)).

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (15 packets) in 45 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:26 (2 seconds).
o 0 alert rule(s)
o 1 connection(s) UP.
  # 10.1.1.2:2761->10.1.1.1:80 (65340 / state : Connected) packets rx=1 tx=2, bytes rx=0 tx=0, uptime=28
o 1 recorded client(s) in main view (0 timeline(s)).
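As an added illustration of what the A_MAX_UPCON=uptime;30 check above computes (example code written for this page, not CCTDE's own source), the function below reads SYN/FIN lines in the format cctde displays, measures each connection from its SYN to its FIN (or to a given current time for connections still up) in whole seconds, and reports the ones kept up longer than the limit. The sample log lines are constructed from the output shown in this section.

```python
import re
from datetime import datetime

# Constructed sample in the format cctde displays above: a short wget
# connection (64144) and a netcat connection kept open (65340).
SAMPLE_LOG = """\
[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
"""

LINE_RE = re.compile(
    r"\[ (?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \] : "
    r"(?P<flag>SYN|FIN) TCP packet \[(?P<cid>\d+)\] : "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)$")

def parse_ts(text):
    """mm/dd/yy-HH:MM:SS, microseconds dropped: whole-second arithmetic is
    what gives the '(34 seconds)' figures shown in the examples."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S")

def parse_max_upcon(rule):
    """A_MAX_UPCON=uptime;30  ->  ('uptime', 30)"""
    metric, limit = rule.split(";")
    return metric, int(limit)

def long_connections(lines, rule="uptime;30", now=None):
    """Return (cid, client, server, uptime) for each connection kept up longer
    than the limit. Closed connections are measured SYN -> FIN; those still
    open are measured against `now` (same timestamp format as the log)."""
    metric, limit = parse_max_upcon(rule)
    if metric != "uptime":
        raise ValueError("only the uptime metric is modelled here")
    conns = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cid, ts = m["cid"], parse_ts(m["ts"])
        if m["flag"] == "SYN":          # SYN direction tells client from server
            conns[cid] = {"start": ts, "end": None,
                          "client": m["src"], "server": m["dst"]}
        elif cid in conns:              # a FIN from either side closes it
            conns[cid]["end"] = ts
    hits = []
    for cid, c in conns.items():
        end = c["end"] or (parse_ts(now) if now else None)
        if end is None:                 # still up and no reference time given
            continue
        uptime = int((end - c["start"]).total_seconds())
        if uptime > limit:
            hits.append((cid, c["client"], c["server"], uptime))
    return hits

if __name__ == "__main__":
    for cid, client, server, up in long_connections(SAMPLE_LOG.splitlines()):
        print(f"CCTDE : Con created more than 30 seconds ago : "
              f"{client}->{server} ({up} seconds).")
```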
{Alerts are coming}

CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (31 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (32 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (33 seconds).
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

{I'm closing the netcat connection}

[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

CCTDE [19365] started the 21/02/2004 14:45:07
o Processed 2 connections and 1833 bytes (18 packets) in 55 seconds (0 desync packets).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 1 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!

###################################################
2. Monitoring opened connections in replay mode ###
###################################################

We can analyze already recorded tcpdump files. We use the next script to get
the start time of the tcpdump logfile from example 1 :

./display_time_infos.sh ../logs/cctde_alert_ex1.tcpdump.log
First is at 1077371124
Last is at 1077371158
Delay is 34 seconds

We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1077371124

We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

[ 02/21/04-14:45:24.986973 ] : SYN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
[ 02/21/04-14:45:26.733097 ] : SYN TCP packet [64144] : 10.1.1.2:1469->10.1.1.1:80
[ 02/21/04-14:45:26.793593 ] : FIN TCP packet [64144] : 10.1.1.1:80->10.1.1.2:1469
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).
[ 02/21/04-14:45:58.006771 ] : FIN TCP packet [65340] : 10.1.1.2:2761->10.1.1.1:80
CCTDE : Con created more than 30 seconds ago : 10.1.1.2:2761->10.1.1.1:80 (34 seconds).

CCTDE [19387] started the 21/02/2004 14:51:46 (Pcap start : 21/02/2004 14:45:24)
o Processed 2 connections and 1833 bytes (18 packets) in 16 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 34).
o First packet : 21/02/2004 14:45:24 / Last packet : 21/02/2004 14:45:58 (34 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 1 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!

#############################
3. Playing with timelines ###
#############################

cctde.conf :

# Setting the timelines parameters
A_TIMELINE_PERIOD=10
A_KEEP_TIMELINE=2
A_FLUSH_TIMELINE=1
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1

We get information from the tcpdump capture :
./display_time_infos.sh ../logs/cctde_alert_ex3.tcpdump.log
First is at 1075234136
Last is at 1075234167
Delay is 31 seconds

We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136

We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{This timeline is the first created and is flushed from memory when the third
timeline is created}

o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
  Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
  # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31 alerts=0
    $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31

{Ctrl-C : cctde displays information : we have two recorded timelines without
any client because the capture owns a single client who opened its connection
during the first timeline.}
CCTDE [19407] started the 21/02/2004 15:03:48 (Pcap start : 27/01/2004 21:08:56)
o Processed 1 connections and 2411 bytes (38 packets) in 5 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 31).
o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (2 timeline(s)).
o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 2 timelines.
SigTERM ... Exiting!

#################################
4. Using signals and commands ###
#################################

cctde.conf :

# Setting the timelines parameters
A_TIMELINE_PERIOD=10
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1
# The command file
A_COMMAND_FILE=conf/cctde.cmd

cctde.cmd :

display_clients_infos
display_servers_infos

We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{We tell cctde to display the resume}
./test_sigusr1.sh

CCTDE [19425] started the 21/02/2004 15:19:30 (Pcap start : 27/01/2004 21:08:56)
o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 31).
o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27 (31 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (3 timeline(s)).
o Time list created the 27/01/2004 21:09:16 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:26 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
o Time list created the 27/01/2004 21:09:06 and is 10 secs long with 0 clients.
  Main infos the 27/01/2004 21:09:16 : Tcp connections : 0, Packets : 0, Bytes: 0
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
o Time list created the 27/01/2004 21:08:56 and is 10 secs long with 1 clients.
  Main infos the 27/01/2004 21:09:06 : Tcp connections : 1, Packets : 20, Bytes: 454
  0 Desync packet - 0 Upcon - 0 TmoutCon - 3 timelines.
  # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31 alerts=0
    $ 10.1.1.1:80 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
OK

{We tell cctde to execute the commands from cctde.cmd}
./test_sigusr2.sh
OK

{There is no client recorded in the main list}
display_clients_infos : (null)
o 0 recorded client(s).

{But as we are keeping all timelines in memory, the server information is
still recorded}
display_servers_infos : (null)
o 1 recorded server(s).
  # 10.1.1.1:80 [01/27/04-21:09:27.017588 - 01/27/04-21:09:27.361352 ] conn=1, packets rx=4 tx=3, bytes rx=1738 tx=0, Uptime global=31 alerts=0
[...]

######################################
5. Writing and playing with alerts ###
######################################

cctde.conf :

# Setting the timelines parameters
A_TIMELINE_PERIOD=300
# Setting resume messages
A_DISPLAY_RESUME=1
A_DISPLAY_ALERT_RULES=1
A_DISPLAY_TIMELINE=1
A_DISPLAY_TIMELINE_NO_CLIENT=1
A_DISPLAY_CURRENT=1
# The command file
A_COMMAND_FILE=conf/cctde.cmd
# Our alerts
ALERT_MAX_SRV=2;uptime;30;3;50;0;1
ALERT_MAX_CL=1;prx;8;3;50;0;1

We start CCTDE :
./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s 1075234136 &

{We display the resume to look at the alerts we configured}
./test_sigusr1.sh

CCTDE [439] started the 21/02/2004 15:40:44 (Pcap start : 27/01/2004 20:08:56)
o Processed 0 connections and 0 bytes (0 packets) in 9 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 2 alert rule(s)
  # Alert #1 for clients (Max : prx > 8 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
  # Alert #2 for servers (Max : uptime > 30 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).
OK

We run Snort using :
./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

{Alerts and reminders are raised to the operator}
[20:09:14] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 8 packets.
[20:09:17] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 9 packets (rem. 3 secs).
[20:09:21] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 10 packets (rem. 3 secs).
[20:09:22] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
[20:09:26] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 13 packets (rem. 3 secs).
[20:09:27] CCTDE - Cl #1 (Max) : Prx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
[20:09:27] CCTDE - Srv #2 (Max) : Global uptime reached 30 secs : 10.1.1.1 stood up for 31 secs.
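As an added example (not CCTDE's own code) of how an ALERT_MAX_* rule and its dal/pal reminders behave, the code below parses the id;metric;threshold;dal;pal;silent;weight syntax and replays a constructed packet-count stream for 10.1.1.77 through it. The reminder logic (a reminder once dal seconds have passed since the last message, or earlier once the count has grown by pal percent since the last percentage reminder) is my reading of the output shown above; the silent field is parsed but not modelled, and only the client prx metric is handled.

```python
from dataclasses import dataclass

@dataclass
class AlertRule:
    """One ALERT_MAX_CL / ALERT_MAX_SRV rule: id;metric;threshold;dal;pal;silent;weight"""
    scope: str        # "clients" for ALERT_MAX_CL, "servers" for ALERT_MAX_SRV
    rule_id: int
    metric: str       # prx = packets received, uptime = seconds connected
    threshold: int
    dal: int          # seconds between reminders
    pal: int          # percent growth that earns an earlier reminder
    silent: int       # parsed only; its effect is not modelled here (assumption)
    weight: int

    def describe(self):
        return (f"Alert #{self.rule_id} for {self.scope} (Max : {self.metric} > "
                f"{self.threshold} ?) dal: {self.dal}, pal: {self.pal} - "
                f"silent for {self.silent} alerts, weight: {self.weight}")

def parse_alert_rule(line):
    key, value = line.split("=", 1)
    scope = {"ALERT_MAX_CL": "clients", "ALERT_MAX_SRV": "servers"}[key.strip()]
    rid, metric, thr, dal, pal, silent, weight = value.strip().split(";")
    return AlertRule(scope, int(rid), metric, int(thr), int(dal), int(pal),
                     int(silent), int(weight))

def hms(text):
    return sum(int(x) * m for x, m in zip(text.split(":"), (3600, 60, 1)))

def run_prx_rule(rule, client, updates):
    """Feed ("HH:MM:SS", packets received so far) updates through a client prx
    rule and return the operator messages, worded like the output above."""
    messages, last_time, pal_base = [], None, None
    for when, count in updates:
        now = hms(when)
        head = (f"[{when}] CCTDE - Cl #{rule.rule_id} (Max) : Prx reached "
                f"{rule.threshold} : {client} received {count} packets")
        if count < rule.threshold:
            continue
        if last_time is None:                              # first breach
            messages.append(head + ".")
            last_time, pal_base = now, count
        elif count * 100 >= pal_base * (100 + rule.pal):   # grew by pal %
            messages.append(head + f" (rem. {rule.pal}%).")
            last_time, pal_base = now, count
        elif now - last_time >= rule.dal:                  # dal seconds passed
            messages.append(head + f" (rem. {rule.dal} secs).")
            last_time = now
    return messages

# Constructed count stream for 10.1.1.77, chosen to reproduce the six alert
# lines shown above (packet arrivals between them produce no message).
SAMPLE_UPDATES = [("20:09:10", 7), ("20:09:14", 8), ("20:09:17", 9),
                  ("20:09:21", 10), ("20:09:22", 11), ("20:09:22", 12),
                  ("20:09:26", 13), ("20:09:27", 14), ("20:09:27", 15),
                  ("20:09:27", 16), ("20:09:27", 17), ("20:09:27", 18)]

if __name__ == "__main__":
    rule = parse_alert_rule("ALERT_MAX_CL=1;prx;8;3;50;0;1")
    print("\n".join(run_prx_rule(rule, "10.1.1.77", SAMPLE_UPDATES)))
```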
We edit the command file :

remove_alert_rules=1

{We remove the alert #1}
./test_sigusr2.sh
remove_alert_rules : 1
Alert rule #1 removed.
OK

We edit the command file :

ALERT_MAX_CL=3;prx;2;3;50;0;1
display_alert_rules

./test_sigusr2.sh
{We add the new alert}
ALERT_MAX_CL : 3;prx;2;3;50;0;1
{We display the stored alerts}
display_alert_rules : (null)
o 2 alert rule(s)
  # Alert #3 for clients (Max : prx > 2 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1
  # Alert #2 for servers (Max : uptime > 30 ?) dal: 3, pal: 50 - silent for 0 alerts, weight: 1

{Our new alert #3 is raised but dal/pal are not applied as they're updated when
packets are recorded}
[20:09:27] CCTDE - Cl #3 (Max) : Prx reached 2 : 10.1.1.77 received 19 packets.

#####################################
6. Using TopX clients and servers ###
#####################################

We configure Top directives in the cctde.conf file :

A_TOP_X_SRV=uptime;3
A_TOP_X_SRV=prx;3
A_TOP_X_CL=con;3

[ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
[ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
[ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
[ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
[ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
[ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
[ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
[ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
[ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
[ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
[ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
[ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets)
  (Pcap delay : 58).
o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30
o TOP_3_CL_CON has 2 recorded client(s).
  # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ] conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
  # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ] conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
o TOP_3_SRV_UPTIME has 3 recorded server(s).
  # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
  # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
  # a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ] conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
o TOP_3_SRV_PRX has 3 recorded server(s).
  # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
  # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
  # a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ] conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
SigTERM ... Exiting!

################################
7. Statistics backup/restore ###
################################

cctde.conf :

A_DISPLAY_TCP_CONNECTION=1
A_COMMAND_FILE=conf/cctde.cmd
A_BACKUP_FILE=conf/cctde.bk

./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

[ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
[ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
[ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
[ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
[ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
[ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
[ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
[ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
[ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
[ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
[ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
[ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
[ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

./test_stop.sh

CCTDE [476] started the 21/02/2004 16:04:44 (Pcap start : 27/01/2004 22:22:32)
o Processed 7 connections and 3356 bytes (96 packets) in 5 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 58).
o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30 (58 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 2 recorded client(s) in main view (0 timeline(s)).
SigTERM ... Exiting!

At this time, we have our information backed up in the conf/cctde.bk_{date} file.

cctde.conf :

A_DISPLAY_TCP_CONNECTION=1
A_COMMAND_FILE=conf/cctde.cmd

cctde.cmd :

read_stats_from=conf/cctde.bk_1077379484

./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &
./test_sigusr1.sh

CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
o Processed 0 connections and 0 bytes (0 packets) in 3 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (0 timeline(s)).
OK

./test_sigusr2.sh
read_stats_from : conf/cctde.bk_1077379484
OK

./test_sigusr1.sh

CCTDE [484] started the 21/02/2004 16:08:04 (Pcap start : 27/01/2004 22:22:32)
o Processed 0 connections and 0 bytes (0 packets) in 46 seconds.
  (0 desync packets) (0 tmout connections) (Pcap delay : 0).
o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00 (0 seconds).
o 0 alert rule(s)
o 0 connection(s) UP.
o 0 recorded client(s) in main view (1 timeline(s)).
o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
  Main infos the 27/01/2004 22:23:30 : Tcp connections : 7, Packets : 96, Bytes: 3356
  0 Desync packet - 0 Upcon - 0 TmoutCon - 1 timelines.
  # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ] conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
    $ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ] conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
    $ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ] conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
  # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ] conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
    $ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ] conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
    $ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ] conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
[...]