This is an extensive listfile, including every network session that was part of the attack, listed individually, one per line. In additon, if there was no network traffic (but perhaps other evidence of an attack) a pseudo-listfile-entry is included here. These pseudo entries are generally indicated by information in the entry being excluded, or entered as a wildcard (*).

For example, if an attack was carried out on the console, there will be and entry here to designate the victim of the attack (Destination field) and the Time/Duration of the console portion of the attack. Or in the case of a sweep or probe that hits all (or most of) a subnet within a small period of time, we might have condensed that attack, manually, into one or more entries using a wildcard of * for the final octet of the destination of victim ip.

In general the Destination field is also the Victim of the attack, however there are circumstances where the Victim is the Source of a tcpconnection, and thus the ip shows up in the Source column. In that situation, the scoring software matches the detected victim with the host in the Source column.

ATTACK: /data/id/1999/5week/thursday/sniffer/attacker/183002.ntinfoscan-139-probe--clear-hume/183002.ntinfoscan-139-probe--clear-hume.exs.list

ID# Name Date Start Duration Service Source SrcPort Dest. DestPort insider? manual? console? success? aDump? oDump iDump BSM? SysLogs FSListing Stealthy New? Category OS
54.183002 ntinfoscan 04/08/1999 18:31:00 00:01:00 ftp 206.048.044.018 1674 172.016.112.100 21 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:31:00 00:00:01 ftp-data 172.016.112.100 20 206.048.044.018 20 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:07 telnet 206.048.044.018 1676 172.016.112.100 23 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1677 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1678 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1679 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1680 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1681 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:00:01 http 206.048.044.018 1682 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:32:00 00:15:05 http 206.048.044.018 1683 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:05 00:00:01 http 206.048.044.018 1699 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:05 00:00:01 http 206.048.044.018 1700 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:05 00:00:01 http 206.048.044.018 1701 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:05 00:00:02 nbssn 206.048.044.018 1702 172.016.112.100 139 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:07 00:00:02 nbssn 206.048.044.018 1703 172.016.112.100 139 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT
54.183002 ntinfoscan 04/08/1999 18:47:10 00:00:01 http 206.048.044.018 1677 172.016.112.100 80 out auto rem succ aDmp oDmp iDmp not SysLg FSLst Clr Old llPROBE llNT

ID#	Name	Date	Start	Duration	Service	Source	SrcPort	Dest.	DestPort	insider?	manual?	console?	success?	aDump?	oDump	iDump	BSM?	SysLogs	FSListing	Stealthy	New?	Category	OS
54.183002	ntinfoscan	04/08/1999	18:31:00	00:01:00	ftp	206.048.044.018	1674	172.016.112.100	21	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:31:00	00:00:01	ftp-data	172.016.112.100	20	206.048.044.018	20	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:07	telnet	206.048.044.018	1676	172.016.112.100	23	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1677	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1678	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1679	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1680	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1681	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:00:01	http	206.048.044.018	1682	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:32:00	00:15:05	http	206.048.044.018	1683	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:05	00:00:01	http	206.048.044.018	1699	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:05	00:00:01	http	206.048.044.018	1700	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:05	00:00:01	http	206.048.044.018	1701	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:05	00:00:02	nbssn	206.048.044.018	1702	172.016.112.100	139	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:07	00:00:02	nbssn	206.048.044.018	1703	172.016.112.100	139	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT
54.183002	ntinfoscan	04/08/1999	18:47:10	00:00:01	http	206.048.044.018	1677	172.016.112.100	80	out	auto	rem	succ	aDmp	oDmp	iDmp	not	SysLg	FSLst	Clr	Old	llPROBE	llNT