This is an extensive listfile, including every network session that was part of the attack, listed individually, one per line. In additon, if there was no network traffic (but perhaps other evidence of an attack) a pseudo-listfile-entry is included here. These pseudo entries are generally indicated by information in the entry being excluded, or entered as a wildcard (*).

For example, if an attack was carried out on the console, there will be and entry here to designate the victim of the attack (Destination field) and the Time/Duration of the console portion of the attack. Or in the case of a sweep or probe that hits all (or most of) a subnet within a small period of time, we might have condensed that attack, manually, into one or more entries using a wildcard of * for the final octet of the destination of victim ip.

In general the Destination field is also the Victim of the attack, however there are circumstances where the Victim is the Source of a tcpconnection, and thus the ip shows up in the Source column. In that situation, the scoring software matches the detected victim with the host in the Source column.

ATTACK: /data/id/1999/4week/monday/sniffer/traitor/155048.yaga-11-u2r--clear-hume/155048.yaga-11-u2r--clear-hume.exs.list

ID#NameDateStartDurationServiceSourceSrcPortDest.DestPort insider?manual?console?success?aDump?oDumpiDumpBSM?SysLogsFSListingStealthyNew?CategoryOS
41.155048 yaga 03/29/1999 15:50:15 00:23:26 telnet172.016.118.0701108 inautoremsuccaDmpnotiDmpnotSysLgnotClrNewllU2RllNT
41.155048 yaga 03/29/1999 16:13:08 00:00:05 http172.016.118.0701109 inautoremsuccaDmpnotiDmpnotSysLgnotClrNewllU2RllNT
41.155048 yaga 03/29/1999 19:50:16 00:13:05 telnet172.016.118.0701113 inautoremsuccaDmpnotiDmpnotSysLgnotClrNewllU2RllNT