Why are you attempting to alarm on TCP sessions that have been open for a while? The reason I ask this is that all the rules we've created so far have been matched to a problem/risk. If you are worried about someone tunnelling data out, then rather than looking at the TCP connections maybe you'd be better off looking at the NetFlow data for bytes transferred, or the actual databases for abnormal user access. Something else we've found very useful for picking up abnormal user behaviour out to the Internet is someone accessing an IP address through a proxy; this has helped us identify many compromised workstations.
Some reasons I think an alarm/correlation rule for this will flood you with false positives:
- Someone with Gmail open in a browser is going to hold a TCP session open for a long time.
- Proxy servers are going to hold TCP sessions open for a long time.
- Outlook is going to hold TCP sessions open for a long time.
- Windows is going to spew information back to Microsoft with TCP sessions which have been held open for a long time.
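As an added illustration of the two alternatives suggested in the post above (this is example code written for this page, not something the poster supplied), the block below runs detection logic over constructed sample data: it parses Squid native-format proxy log lines and flags requests whose destination is a bare public IP literal rather than a hostname, and it sums outbound bytes per internal source from NetFlow-style flow records and reports hosts over a threshold. The log lines, flow records, internal address ranges, allowlist and threshold are all assumptions made up for the example.

```python
"""Example detection logic for proxy direct-to-IP requests and NetFlow
outbound-volume outliers.  All sample data and ranges below are constructed
for illustration; substitute your own proxy log format and internal ranges."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Ranges treated as internal (assumption); intranet-by-IP access is normal
# and is deliberately not alerted on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

# Constructed Squid native access.log lines:
# ts elapsed client code/status bytes method url ident hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1700000000.123    245 10.1.2.3 TCP_MISS/200 5123 GET http://mail.google.com/mail/ - HIER_DIRECT/142.250.1.1 text/html
1700000001.456    120 10.1.2.3 TCP_TUNNEL/200 38211 CONNECT mail.google.com:443 - HIER_DIRECT/142.250.1.1 -
1700000002.000     40 10.1.2.44 TCP_MISS/200 2048 GET http://10.1.5.5/intranet/ - HIER_DIRECT/10.1.5.5 text/html
1700000002.789     98 10.1.2.44 TCP_MISS/200 1450 POST http://203.0.113.9/gate.php - HIER_DIRECT/203.0.113.9 text/plain
1700000003.012     75 10.1.2.44 TCP_TUNNEL/200 91230 CONNECT 198.51.100.77:443 - HIER_DIRECT/198.51.100.77 -
1700000004.345     60 10.1.2.51 TCP_MISS/200 820 GET http://crl.microsoft.com/pki/crl/x.crl - HIER_DIRECT/13.107.4.50 application/pkix-crl
1700000005.678     30 10.1.2.51 TCP_MISS/200 640 GET http://[2001:db8::10]:8080/c2 - HIER_DIRECT/2001:db8::10 text/plain
"""

# Constructed NetFlow-style records: (src, dst, bytes from src to dst).
SAMPLE_FLOWS = [
    ("10.1.2.3",  "142.250.1.1",   48_000),       # long-lived Gmail session, small
    ("10.1.2.3",  "142.250.1.1",   12_000),
    ("10.1.2.44", "198.51.100.77", 310_000_000),  # one workstation pushing 310 MB out
    ("10.1.2.44", "10.1.5.5",      500_000_000),  # internal copy, not counted as egress
    ("10.1.2.51", "13.107.4.50",   2_000_000),
]


def bare_public_ip(host):
    """Return the parsed address if host is a literal, non-internal IP; else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname, not an IP literal
    if any(addr in net for net in INTERNAL_NETS):
        return None  # internal destination, not interesting here
    return addr


def host_from_request(method, url):
    """Squid logs CONNECT targets as host:port and everything else as a full URL."""
    if method == "CONNECT":
        return urlsplit("//" + url).hostname
    return urlsplit(url).hostname


def parse_squid_native(line):
    """Parse one Squid native access.log line into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3],
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def find_direct_ip_requests(log_text, allowlist=frozenset()):
    """Return (client, destination_ip, method, bytes) for each proxy request
    whose destination was a bare public IP literal not in the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_native(line)
        if rec is None:
            continue
        host = host_from_request(rec["method"], rec["url"])
        addr = bare_public_ip(host) if host else None
        if addr is not None and str(addr) not in allowlist:
            hits.append((rec["client"], str(addr), rec["method"], rec["bytes"]))
    return hits


def outbound_bytes_by_src(flows, threshold):
    """Sum bytes per source for flows to non-internal destinations and return
    the sources at or above threshold, largest first."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if bare_public_ip(dst) is None:
            continue  # flow stays inside the internal ranges
        totals[src] += nbytes
    return sorted(((s, b) for s, b in totals.items() if b >= threshold),
                  key=lambda sb: -sb[1])


if __name__ == "__main__":
    for hit in find_direct_ip_requests(SAMPLE_PROXY_LOG):
        print("proxy direct-to-IP:", hit)
    for src, total in outbound_bytes_by_src(SAMPLE_FLOWS, 100_000_000):
        print("high egress:", src, total)
```

Tuning note: the allowlist exists because some legitimate services are reached by IP literal (a vendor's update server, for instance); populate it from what the first week of output shows rather than guessing. The egress threshold is per reporting window, so pick it against a baseline of your own NetFlow export interval.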