In most medium-sized company networks there is a firewall connecting the corporate LAN/WAN to the Internet, with a set of rules that only allows specific traffic such as HTTP, HTTPS, FTP or POP3/SMTP. A malicious internal user could take advantage of these open ports and use them to reach other services, by sending other protocols through them.
For example, he could set up an SSH server on the Internet listening on port 443 and configure the intranet SSH client to connect to that port. Such an arrangement makes it virtually impossible for an administrator to detect the real nature of the traffic. The same applies if a proxy provides Internet access to the LAN: with tools like proxy tunnel, a connection to a server on the Internet can be established without being detected.
tcpstatflow is a tool designed to counter these techniques by detecting traffic that is not HTTP / HTTPS / FTP / SMTP / POP3, with a reasonable margin of error. It is based on the fact that these protocols show a strong asymmetry between the amount of data transmitted in one direction and in the other (within a single TCP connection).
As an example, consider HTTP requests: the browser sends a small packet with a GET command (plus some extra overhead) and receives a web page, an image or a download in response. The same asymmetry occurs in reverse with SMTP: your mail client sends your message and the server sends back a small acknowledgement. Asymmetry. Keep that in mind.
tcpstatflow listens to network traffic in promiscuous mode and analyzes the incoming and outgoing packets of each TCP connection, generating alarms when certain (configurable) thresholds are exceeded. These thresholds refer to parameters such as the number of incoming and outgoing packets per connection, the number of incoming and outgoing bytes per connection, and the connection's elapsed time.
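A small model of that heuristic, added here as an illustration and not tcpstatflow's own code: it scores constructed per-connection counters against hypothetical thresholds (the threshold values and the `FlowStats` record are assumptions, not the tool's configuration) and flags long-lived, data-heavy connections whose byte counts are roughly balanced in both directions.

```python
from dataclasses import dataclass

# Per-connection counters as a packet sniffer would accumulate them.
# "out" is client -> server, "in" is server -> client.
@dataclass
class FlowStats:
    client: str
    server: str
    port: int
    pkts_out: int
    pkts_in: int
    bytes_out: int
    bytes_in: int
    elapsed_s: float

# Hypothetical thresholds (assumed values, not tcpstatflow defaults).
MIN_PKTS = 100        # ignore connections with too few packets to judge
MIN_BYTES = 20_000    # ignore connections that moved too little data
MIN_ELAPSED = 60.0    # ignore short-lived connections (e.g. a bare TLS handshake)
MAX_RATIO = 4.0       # flows more balanced than 4:1 look unlike HTTP/SMTP/...

def asymmetry_ratio(f: FlowStats) -> float:
    """Bytes in the heavier direction divided by bytes in the lighter one."""
    big, small = max(f.bytes_in, f.bytes_out), min(f.bytes_in, f.bytes_out)
    return float("inf") if small == 0 else big / small

def is_suspicious(f: FlowStats) -> bool:
    """True when a connection is big and long enough to judge, yet symmetric."""
    if f.pkts_in + f.pkts_out < MIN_PKTS:
        return False
    if f.bytes_in + f.bytes_out < MIN_BYTES:
        return False
    if f.elapsed_s < MIN_ELAPSED:
        return False
    return asymmetry_ratio(f) < MAX_RATIO

def scan(flows: list[FlowStats]) -> list[FlowStats]:
    """Return the connections that would raise an alarm."""
    return [f for f in flows if is_suspicious(f)]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    FlowStats("10.0.0.5", "203.0.113.10", 80, 200, 900, 12_000, 1_300_000, 120.0),   # HTTP download
    FlowStats("10.0.0.5", "203.0.113.20", 25, 700, 300, 800_000, 2_000, 45.0),       # SMTP send
    FlowStats("10.0.0.7", "203.0.113.30", 443, 40, 40, 3_000, 4_000, 5.0),           # short HTTPS hit
    FlowStats("10.0.0.9", "203.0.113.40", 443, 1500, 1500, 90_000, 110_000, 900.0),  # interactive session on 443
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"ALERT {f.client} -> {f.server}:{f.port} ratio={asymmetry_ratio(f):.2f}")
```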