The recent MyDoom variant represents a case where session data can be used to determine if hosts have been infected. The default session data recording in Sguil uses Snort’s stream4 preprocessor keepstats function. Session data is a record of transactions between parties, typically storing source and destination IP addresses and ports, session start and end times, and counts of packets and bytes of data sent by sources and destinations. If any inbound connections to port 1034 TCP on 1.2.3.4 appear, we know someone is making use of this backdoor.
Source: https://taosecurity.blogspot.com/2004/07/using-session-data-to-scope-events.html
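The check described above, written as an added example that is not from the original post or from Sguil: it scans session records for inbound TCP connections to port 1034 on monitored hosts. The CSV layout, field names, function name and sample rows are constructed for illustration, and the split between answered sessions and bare attempts goes one step beyond the check in the text.

```python
import csv
import io
from collections import defaultdict

# Constructed sample session records (not Sguil's actual schema or real traffic).
# Fields follow the description above: endpoints, start/end times, and
# per-direction packet and byte counts.
SAMPLE_SESSIONS = """\
start,end,proto,src_ip,src_port,dst_ip,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes
2004-07-27 10:01:02,2004-07-27 10:01:09,tcp,198.51.100.7,4312,1.2.3.4,1034,12,840,10,5200
2004-07-27 10:05:40,2004-07-27 10:05:40,tcp,203.0.113.9,2201,1.2.3.4,1034,1,0,1,0
2004-07-27 10:07:11,2004-07-27 10:07:30,tcp,1.2.3.4,1034,192.0.2.25,25,9,600,8,410
2004-07-27 10:09:00,2004-07-27 10:09:03,tcp,198.51.100.7,4400,1.2.3.5,80,6,300,5,2100
"""

BACKDOOR_PORT = 1034  # TCP port named in the text


def find_backdoor_sessions(records_csv, monitored_hosts, port=BACKDOOR_PORT):
    """Return {dst_ip: [session, ...]} for inbound TCP sessions to `port`."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(records_csv)):
        if row["proto"].lower() != "tcp":
            continue
        # Match on destination only: a monitored host using 1034 as an
        # ephemeral *source* port (third sample row) is not an inbound hit.
        if row["dst_ip"] in monitored_hosts and int(row["dst_port"]) == port:
            # Bytes sent back by the destination mean something answered on
            # the port; zero means only a connection attempt was recorded.
            row["answered"] = int(row["dst_bytes"]) > 0
            hits[row["dst_ip"]].append(row)
    return dict(hits)


if __name__ == "__main__":
    found = find_backdoor_sessions(SAMPLE_SESSIONS, {"1.2.3.4", "1.2.3.5"})
    for host, sessions in found.items():
        for s in sessions:
            state = "data exchanged" if s["answered"] else "attempt only"
            print(f"{host}:{BACKDOOR_PORT} <- {s['src_ip']}:{s['src_port']} "
                  f"{s['start']} ({state})")
```

Sessions where the destination returned data are the ones to scope first, since they show the port was actually serving a peer rather than just being probed.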