CCTDE - Covert Channels and Tunnels Detection Engine
Examples

Version 0.1

Some notes for the following examples:

  • Some of the following examples are real captures you can find in the logs directory, others are anonymized, but none of them are (of course) real-world evidence.
  • 10.1.1.1:80 is a webserver and (10.1.1.77,10.1.1.42) are workstations.
  • The snort and cctde processes are running on 10.1.1.1.
  • Between {} are some comments.
  • What follows is only a short overview of what you can trace with CCTDE.


    1. Monitoring open connections in real time

    cctde.conf :

    A_TIMELINE_PERIOD=300
    A_DISPLAY_TCP_CONNECTION=1
    A_DISPLAY_CURRENT=1
    A_MAX_UPCON=uptime;30

    We start Snort using RunAndLog.sh and Cctde using :

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -R 15

    {15 seconds after start time, we get a first summary}

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 0 connections and 0 bytes (0 packets) in 15 seconds (0 desync packets).
      o First packet : 01/01/1970 01:00:00 / Last packet : 01/01/1970 01:00:00
      o 0 connection(s) UP.

    {24533 is a standard browser connection while 24534 is a netcat connection I keep open}

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (21 packets) in 30 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:09
      o 2 connection(s) UP.
        # 10.1.1.77:1046->10.1.1.1:80 (24533 / state : 2)
          packets rx=9 tx=9, bytes rx=2991 tx=1503, uptime=11
        # 10.1.1.77:1047->10.1.1.1:80 (24534 / state : 2)
          packets rx=1 tx=2, bytes rx=0 tx=0, uptime=8

    {No further user activity in the browser, so it closes the connection}

    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (24 packets) in 45 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:26
      o 1 connection(s) UP.
        # 10.1.1.77:1047->10.1.1.1:80 (24534 / state : 2)
          packets rx=1 tx=2, bytes rx=0 tx=0, uptime=23

    {Alerts are coming}
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (31 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (32 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (33 seconds).
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (34 seconds).

    {I'm closing the netcat connection}
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (25 packets) in 60 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.

    CCTDE [17798] started the 27/01/2004 20:35:47
      o Processed 2 connections and 4494 bytes (25 packets) in 61 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.
    SigTERM ... Exiting!
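    To make the mechanism behind A_MAX_UPCON concrete, here is an added example (written for this page, not code from CCTDE) that replays the SYN/FIN lines printed above, keeps the table of UP connections keyed by CCTDE's connection id, and raises the same style of alert once a connection has stayed open longer than the threshold. The line regex, the function names and the "now" timestamps are assumptions of this example, derived from the output above rather than from the CCTDE sources.

```python
import re
from datetime import datetime

# Constructed sample: the SYN/FIN lines CCTDE printed in example 1 above.
SAMPLE_LOG = """\
[ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
[ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
[ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
[ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
"""

# Shape of one CCTDE event line, assumed from the lines above (not from the sources).
LINE_RE = re.compile(
    r"\[ (?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \] : "
    r"(?P<flag>SYN|FIN) TCP packet \[(?P<cid>\d+)\] : "
    r"(?P<src>[\w.]+:\d+)->(?P<dst>[\w.]+:\d+)$"
)


def parse_ts(text):
    """CCTDE timestamp 'MM/DD/YY-HH:MM:SS.usec' -> datetime."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


def parse_line(line):
    """Return (ts, flag, conn_id, src, dst), or None for a line that is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return parse_ts(m["ts"]), m["flag"], int(m["cid"]), m["src"], m["dst"]


def long_connections(lines, now, max_uptime=30):
    """Replay SYN/FIN events up to `now` and return the connections still UP for
    more than `max_uptime` seconds as (conn_id, 'src->dst', uptime_seconds),
    i.e. what A_MAX_UPCON=uptime;30 alerts on."""
    up = {}  # conn_id -> (SYN time, 'src->dst')
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, flag, cid, src, dst = rec
        if ts > now:
            break  # events are in time order; the rest lie in the future
        if flag == "SYN":
            up[cid] = (ts, f"{src}->{dst}")
        else:
            up.pop(cid, None)  # a FIN from either side takes the connection down
    alerts = []
    for cid, (start, key) in up.items():
        uptime = int((now - start).total_seconds())
        if uptime > max_uptime:
            alerts.append((cid, key, uptime))
    return alerts


def format_alert(key, uptime, max_uptime=30):
    """Same wording as the A_MAX_UPCON alert in the output above."""
    return (f"CCTDE : Con created more than {max_uptime} seconds ago : "
            f"{key} ({uptime} seconds).")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cid, key, uptime in long_connections(lines, parse_ts("01/27/04-20:36:43.000000")):
        print(format_alert(key, uptime))
```

    An interactive session tunnelled over port 80 (netcat, a web shell, an HTTP tunnel) holds one TCP connection open far longer than a browser's request/response exchange, and that is all this check keys on. It cannot tell a tunnel from a legitimate long-lived connection such as a large download or a persistent keep-alive, so treat the alert as a reason to look at the connection's counters (the netcat connection above shows bytes rx=0 tx=0 after 23 seconds of uptime) rather than as a verdict on its own.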

    2. Monitoring open connections in replay mode

    We can also analyze previously recorded tcpdump files.

    We use the following script to get the start time of the tcpdump logfile from example 1:

    ./display_fst_record.sh ../logs/cctde_alert_ex1.tcpdump.log
    1075232166.329335 10.1.1.77.1046 > 10.1.1.1.80: S 146707260:146707260(0) [...]

    We start CCTDE :

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166

    We run Snort using :

    ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    CCTDE : Con created more than 30 seconds ago : 10.1.1.77:1047->10.1.1.1:80 (35 seconds).
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [18219] started the 27/01/2004 21:05:18 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 5 seconds (0 desync packets).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o 0 connection(s) UP.
    SigTERM ... Exiting!

    3. Monitoring Max threshold values and reminders

    cctde.conf :

    A_TIMELINE_PERIOD=300
    A_DISPLAY_TCP_CONNECTION=1
    A_DISPLAY_CLIENTS_INFOS=1
    A_MAX_CL=prx;8
    A_MAX_CL_DAL=prx;3
    A_MAX_CL_PAL=prx;50

    Here we go :

    ./display_fst_record.sh ../logs/cctde_alert_ex3.tcpdump.log
    1075234136.644412 10.1.1.77.1048 > 10.1.1.1.80: S 597101825:597101825(0) [...]
    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075234136
    ./ReadLog.sh ../logs/cctde_alert_ex3.tcpdump.log

    [ 01/27/04-21:08:56.644412 ] : SYN TCP packet [24535] : 10.1.1.77:1048->10.1.1.1:80

    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 8 packets.
    {The received-packet count reached the A_MAX_CL prx threshold}

    {The next two alerts are reminders, one per further 50% increase, set with A_MAX_CL_PAL=prx;50}
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 12 packets (rem. 50%).
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 18 packets (rem. 50%).
    [ 01/27/04-21:09:27.361352 ] : FIN TCP packet [24535] : 10.1.1.1:80->10.1.1.77:1048

    {The next two alerts are the delay reminders set with A_MAX_CL_DAL=prx;3}
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 19 packets (rem. 3 secs).
    [...] CCTDE - MAX_CL stats : Packet rx reached 8 : 10.1.1.77 received 19 packets (rem. 3 secs).

    CCTDE [18576] started the 27/01/2004 21:42:58 (Pcap start : 27/01/2004 21:08:56)
      o Processed 1 connections and 2411 bytes (38 packets) in 8 seconds (0 desync packets).
      o First packet : 27/01/2004 21:08:56 / Last packet : 27/01/2004 21:09:27
      o 1 recorded client(s).
        # 10.1.1.77 [01/27/04-21:08:56.644412 - 01/27/04-21:09:27.361352 ]
          conn=1, packets rx=19 tx=19, bytes rx=2299 tx=112, Uptime global=31
    SigTERM ... Exiting!
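    The threshold and reminder behaviour of this example, as an added example that is not CCTDE's own code. It keeps a per-client "packets received" counter, alerts when the counter reaches the A_MAX_CL value, repeats the alert at each further 50% increase over the last alerted count (8, 12, 18 as in the output above), and repeats it again every 3 seconds from a timer while the client stays above the threshold. How CCTDE schedules its delay reminders internally is not shown on this page, so that part, together with the class and function names and the constructed packet timings, is an assumption of the example.

```python
import math


class MaxClientPrx:
    """Per-client 'packets received' threshold with percentage and delay reminders,
    modelled on A_MAX_CL=prx;N, A_MAX_CL_PAL=prx;P and A_MAX_CL_DAL=prx;D.
    The scheduling of the delay reminder is an assumption of this example."""

    def __init__(self, max_prx=8, pct_reminder=50, delay_reminder=3):
        self.max_prx = max_prx
        self.pct = pct_reminder
        self.delay = delay_reminder
        # client -> {"prx": packets received, "level": last alerted count or None,
        #            "last": time of the last alert for this client}
        self.clients = {}

    def _msg(self, client, prx, suffix=""):
        return (f"CCTDE - MAX_CL stats : Packet rx reached {self.max_prx} : "
                f"{client} received {prx} packets{suffix}.")

    def packet_received(self, ts, client):
        """Count one packet received by `client` at time `ts` (seconds).
        Returns the alerts this packet triggers (zero or one)."""
        st = self.clients.setdefault(client, {"prx": 0, "level": None, "last": None})
        st["prx"] += 1
        if st["level"] is None:
            # first crossing of the A_MAX_CL threshold
            if st["prx"] >= self.max_prx:
                st["level"], st["last"] = st["prx"], ts
                return [self._msg(client, st["prx"])]
            return []
        # already above threshold: remind at each further P% increase (8 -> 12 -> 18 ...)
        next_level = math.ceil(st["level"] * (1 + self.pct / 100.0))
        if st["prx"] >= next_level:
            st["level"], st["last"] = next_level, ts
            return [self._msg(client, st["prx"], f" (rem. {self.pct}%)")]
        return []

    def tick(self, now):
        """Timer-driven part: for every client already above threshold, repeat the
        alert once D seconds have passed since its last alert."""
        out = []
        for client, st in self.clients.items():
            if st["level"] is not None and now - st["last"] >= self.delay:
                st["last"] = now
                out.append(self._msg(client, st["prx"], f" (rem. {self.delay} secs)"))
        return out


def run_demo():
    """Constructed input: 10.1.1.77 receives 19 packets 0.1 s apart, then the
    timer fires at t=5, 6 and 8 s. Returns every alert raised, in order."""
    det = MaxClientPrx(max_prx=8, pct_reminder=50, delay_reminder=3)
    alerts = []
    for i in range(19):
        alerts += det.packet_received(i * 0.1, "10.1.1.77")
    for now in (5.0, 6.0, 8.0):
        alerts += det.tick(now)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

    Two things are worth noticing. The percentage reminder makes the alert self rate-limiting: a client that keeps pulling data is reported at 8, 12, 18, 27, ... packets instead of on every packet. And the counters are per client, not per connection, which is what lets a tunnel endpoint that spreads its traffic over many short connections accumulate past the threshold. They are raw counts rather than rates, so in live mode any busy legitimate client will eventually cross a fixed value; tune the threshold against the timeline period, or use it in replay mode on a capture you already suspect.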

    4. Playing with timelines and refresh periods

    cctde.conf :

    A_TIMELINE_PERIOD=2
    A_DISPLAY_TCP_CONNECTION=1

    Here we go :

    ./display_fst_record.sh ../logs/cctde_alert_ex1.tcpdump.log
    1075232166.329335 10.1.1.77.1046 > 10.1.1.1.80: S 146707260:146707260(0) [...]
    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166
    ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80
    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    {Here is ^C}
    CCTDE [2227] started the 27/01/2004 22:16:23 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 3 seconds (0 desync packets) (Pcap delay : 38).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44

    {Second time list, for the netcat client}
    {Note that even though the period is 2 seconds long, every packet of this connection belongs to this time list}
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
          conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
            conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35

    {First time list for the browser}
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
    SigTERM ... Exiting!

    We do it again with a 5 second refresh period. Since we are in replay mode, the refresh period is measured against the packet timestamps, starting from pcap_start:

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -s 1075232166 -R 5
    ./ReadLog.sh ../logs/cctde_alert_ex1.tcpdump.log

    [ 01/27/04-20:36:06.329335 ] : SYN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80
    [ 01/27/04-20:36:09.237962 ] : SYN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    {A packet arrives whose recorded time is greater than pcap_start + refresh_period}
    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (22 packets) in 2 seconds (0 desync packets) (Pcap delay : 17).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:23
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
          conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
            conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:23.000006 ]
          conn=1, packets rx=10 tx=9, bytes rx=2991 tx=1503, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:23.000006 ]
            conn=1, packets rx=10 tx=9, bytes rx=2991 tx=1503, Uptime global=0

    [ 01/27/04-20:36:26.360547 ] : FIN TCP packet [24533] : 10.1.1.77:1046->10.1.1.1:80

    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (24 packets) in 2 seconds (0 desync packets) (Pcap delay : 20).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:26
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
          conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:09.241206 ]
            conn=1, packets rx=1 tx=2, bytes rx=0 tx=0, Uptime global=0
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20

    [ 01/27/04-20:36:44.170555 ] : FIN TCP packet [24534] : 10.1.1.77:1047->10.1.1.1:80

    CCTDE [2230] started the 27/01/2004 22:21:45 (Pcap start : 27/01/2004 20:36:06)
      o Processed 2 connections and 4494 bytes (25 packets) in 2 seconds (0 desync packets) (Pcap delay : 38).
      o First packet : 27/01/2004 20:36:06 / Last packet : 27/01/2004 20:36:44
      o Time list created the 27/01/2004 20:36:08 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 20, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
          conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
          $ 10.1.1.1:80 [01/27/04-20:36:09.237962 - 01/27/04-20:36:44.170555 ]
            conn=1, packets rx=1 tx=3, bytes rx=0 tx=0, Uptime global=35
      o Time list created the 27/01/2004 20:36:06 and is 2 secs long with 1 clients.
        Tcp connections : 2, Packets : 19, Bytes: 4494
        # 10.1.1.77 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
          conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
          $ 10.1.1.1:80 [01/27/04-20:36:06.329335 - 01/27/04-20:36:26.360547 ]
            conn=1, packets rx=10 tx=11, bytes rx=2991 tx=1503, Uptime global=20
    [...]

    5. Using TopX clients and servers

    cctde.conf :

    A_DISPLAY_TCP_CONNECTION=1
    A_TOP_X_SRV=uptime;3
    A_TOP_X_SRV=prx;3
    A_TOP_X_CL=con;3

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

    CCTDE [2254] started the 27/01/2004 22:39:25 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 4 seconds (0 desync packets) (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

      o TOP_3_CL_CON has 2 recorded client(s).
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1

      o TOP_3_SRV_UPTIME has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
          conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1

      o TOP_3_SRV_PRX has 3 recorded server(s).
        # a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
          conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
        # a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
          conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
        # a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
          conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
    SigTERM ... Exiting!
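    Grouping connections into time lists (example 4) and the TopX rankings (example 5), as one added example that is not CCTDE's own code. The input is the seven connections of example 5 above, reduced to constructed (id, client, server, SYN time, FIN time) records taken from the SYN/FIN lines. Uptime here is counted from SYN to FIN only, so the totals come out a little lower than the page's figures, which are computed from every packet of the capture. The 30 second period, the function names and the output layout are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(text):
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


# Constructed from the SYN/FIN lines of example 5: (conn id, client, server, SYN, FIN).
CONNS = [
    (28388, "10.1.1.77", "a.b.c.d:80", _t("01/27/04-22:22:32.751836"), _t("01/27/04-22:22:40.893699")),
    (28389, "10.1.1.77", "a.b.c.d:80", _t("01/27/04-22:22:44.299457"), _t("01/27/04-22:22:51.529459")),
    (28390, "10.1.1.77", "a.b.c.d:80", _t("01/27/04-22:22:52.648686"), _t("01/27/04-22:23:03.844294")),
    (80107, "10.1.1.42", "a.b.c.f:80", _t("01/27/04-22:22:56.838305"), _t("01/27/04-22:22:57.541056")),
    (95566, "10.1.1.42", "a.b.c.g:80", _t("01/27/04-22:22:58.016760"), _t("01/27/04-22:22:58.749543")),
    (12387, "10.1.1.77", "a.b.c.e:80", _t("01/27/04-22:23:10.587484"), _t("01/27/04-22:23:15.068484")),
    (12388, "10.1.1.77", "a.b.c.e:80", _t("01/27/04-22:23:15.875747"), _t("01/27/04-22:23:30.436164")),
]
PCAP_START = CONNS[0][3]  # first packet of the capture, as -s gives it to cctde


def uptime_secs(conn):
    """Whole seconds between a connection's SYN and its FIN."""
    return int((conn[4] - conn[3]).total_seconds())


def time_lists(conns, pcap_start=PCAP_START, period=30):
    """Group connections into time lists `period` seconds long, counted from pcap_start.
    A connection goes into the list in which its SYN falls and stays there even when it
    outlives the list (the behaviour noted in example 4). Returns
    {list start time: {"conns": [ids], "clients": {addresses}, "uptime": seconds}}."""
    lists = {}
    for conn in conns:
        k = int((conn[3] - pcap_start).total_seconds() // period)
        start = pcap_start + timedelta(seconds=k * period)
        tl = lists.setdefault(start, {"conns": [], "clients": set(), "uptime": 0})
        tl["conns"].append(conn[0])
        tl["clients"].add(conn[1])
        tl["uptime"] += uptime_secs(conn)
    return lists


def top_x(conns, what, metric, x=3):
    """TopX ranking of clients (what='cl') or servers (what='srv') on `metric`:
    'con' = connection count, 'uptime' = summed SYN-to-FIN uptime. Ties are broken
    by name so the result is stable."""
    field = 1 if what == "cl" else 2
    totals = defaultdict(int)
    for conn in conns:
        totals[conn[field]] += 1 if metric == "con" else uptime_secs(conn)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:x]


if __name__ == "__main__":
    for start, tl in sorted(time_lists(CONNS).items()):
        print(f"Time list created the {start:%d/%m/%Y %H:%M:%S} with {len(tl['clients'])} clients: "
              f"conns={tl['conns']}, uptime={tl['uptime']}")
    print("TOP_3_CL_CON    :", top_x(CONNS, "cl", "con"))
    print("TOP_3_SRV_UPTIME:", top_x(CONNS, "srv", "uptime"))
```

    Connection 28390 ends at 22:23:03, after the first 30 second list has closed, yet it is counted in that list because its SYN fell there; that is the rule example 4 points out, and it is why a list's uptime can exceed the list's own length. Ranking servers on uptime and on packets separately is what makes the TopX output useful: a tunnel endpoint that carries little data but stays connected climbs the uptime ranking without ever showing up in the traffic ranking, so a server that appears in one list and not the other is the one to look at first.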

    6. Executing commands and statistics backup/restore

    cctde.conf :

    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd
    A_BACKUP_FILE=conf/cctde.bk

    cctde.cmd :

    display_client_x=10.1.1.77

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    [ 01/27/04-22:22:32.751836 ] : SYN TCP packet [28388] : 10.1.1.77:1142->a.b.c.d:80
    [ 01/27/04-22:22:40.893699 ] : FIN TCP packet [28388] : a.b.c.d:80->10.1.1.77:1142
    [ 01/27/04-22:22:44.299457 ] : SYN TCP packet [28389] : 10.1.1.77:1143->a.b.c.d:80
    [ 01/27/04-22:22:51.529459 ] : FIN TCP packet [28389] : a.b.c.d:80->10.1.1.77:1143
    [ 01/27/04-22:22:52.648686 ] : SYN TCP packet [28390] : 10.1.1.77:1144->a.b.c.d:80
    [ 01/27/04-22:22:56.838305 ] : SYN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:57.541056 ] : FIN TCP packet [80107] : 10.1.1.42:1899->a.b.c.f:80
    [ 01/27/04-22:22:58.016760 ] : SYN TCP packet [95566] : 10.1.1.42:1900->a.b.c.g:80
    [ 01/27/04-22:22:58.749543 ] : FIN TCP packet [95566] : a.b.c.g:80->10.1.1.42:1900
    [ 01/27/04-22:23:03.844294 ] : FIN TCP packet [28390] : a.b.c.d:80->10.1.1.77:1144
    [ 01/27/04-22:23:10.587484 ] : SYN TCP packet [12387] : 10.1.1.77:1145->a.b.c.e:80
    [ 01/27/04-22:23:15.068484 ] : FIN TCP packet [12387] : a.b.c.e:80->10.1.1.77:1145
    [ 01/27/04-22:23:15.875747 ] : SYN TCP packet [12388] : 10.1.1.77:1146->a.b.c.e:80
    [ 01/27/04-22:23:30.436164 ] : FIN TCP packet [12388] : a.b.c.e:80->10.1.1.77:1146

    ./test_sigusr1.sh
    CCTDE [2275] started the 27/01/2004 23:06:31 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 32 seconds (0 desync packets) (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30

    ./test_sigusr2.sh
    display_client_x : 10.1.1.77
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46

    ./test_stop.sh
    Stopping CCTDE (2275)
    CCTDE [2275] started the 27/01/2004 23:06:31 (Pcap start : 27/01/2004 22:22:32)
      o Processed 7 connections and 3356 bytes (96 packets) in 274 seconds (0 desync packets) (Pcap delay : 58).
      o First packet : 27/01/2004 22:22:32 / Last packet : 27/01/2004 22:23:30
    SigTERM ... Exiting!

    Then, to restore the saved statistics into a fresh process:

    cctde.conf :

    A_DISPLAY_TCP_CONNECTION=1
    A_COMMAND_FILE=conf/cctde.cmd

    cctde.cmd :

    read_stats_from=conf/cctde.bk

    ./src/cctde -S logs/snort_alert -f conf/cctde.conf -p conf/ -s ... &

    ./test_sigusr1.sh
    CCTDE [2300] started the 27/01/2004 23:14:53 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 35 seconds (0 desync packets) (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00

    ./test_sigusr2.sh
    read_stats_from : conf/cctde.bk

    ./test_sigusr1.sh

    CCTDE [2300] started the 27/01/2004 23:14:53 (Pcap start : 27/01/2004 22:22:32)
      o Processed 0 connections and 0 bytes (0 packets) in 43 seconds (0 desync packets) (Pcap delay : 0).
      o First packet : 01/01/1970 00:00:00 / Last packet : 01/01/1970 00:00:00
      o Time list created the 27/01/2004 22:22:32 and is 58 secs long with 2 clients.
        Tcp connections : 7, Packets : 96, Bytes: 3356
        # 10.1.1.42 [01/27/04-22:22:56.838305 - 01/27/04-22:22:58.749543 ]
          conn=2, packets rx=7 tx=10, bytes rx=485 tx=437, Uptime global=1
          $ a.b.c.g:80 [01/27/04-22:22:58.016760 - 01/27/04-22:22:58.749543 ]
            conn=1, packets rx=4 tx=5, bytes rx=196 tx=247, Uptime global=0
          $ a.b.c.f:80 [01/27/04-22:22:56.838305 - 01/27/04-22:22:57.541056 ]
            conn=1, packets rx=3 tx=5, bytes rx=289 tx=190, Uptime global=1
        # 10.1.1.77 [01/27/04-22:22:32.751836 - 01/27/04-22:23:30.436164 ]
          conn=5, packets rx=36 tx=43, bytes rx=2233 tx=201, Uptime global=46
          $ a.b.c.e:80 [01/27/04-22:23:10.587484 - 01/27/04-22:23:30.436164 ]
            conn=2, packets rx=16 tx=17, bytes rx=1166 tx=76, Uptime global=20
          $ a.b.c.d:80 [01/27/04-22:22:32.751836 - 01/27/04-22:23:03.844294 ]
            conn=3, packets rx=20 tx=26, bytes rx=1067 tx=125, Uptime global=26
    [...]


    CCTDE - Graphing Examples

    You'll find here two kinds of CCTDE output data graphed using the cctde_graph.pl perl script. The first one is a tcpdump capture of browsing activity (nothing more than usual traffic, no tunnel or anything of the sort) while the second one is a tcpdump capture of a small WebShell session (including a wshput to the remote webserver).

  • Browsing (Timeperiod=300 seconds)
  • Browsing (Timeperiod=120 seconds)

  • WebShell (Timeperiod=60 seconds)
  • WebShell (Timeperiod=15 seconds)


  • License :

    This file is part of CCTDE - Covert Channels and Tunnels Detection Engine v0.1 (C) Simon Castro.
    CCTDE is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
    CCTDE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along with CCTDE; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

    Simon Castro
    Last updated on the 30th of January 2004