Ranking TOP10 HoneyNet
The ranking shows the TOP 10 changes in activity based on honeypot data. An increase in unique sources probing a certain destination port may be the result of a botnet or worm scanning the network. The system collects samples of activity that is considered similar payload-wise (plotted on the graphs as “events”) and that forms the basis of the NCLUS alarm algorithm. The samples collected are only as good as the data that is actually sent to the honeypots. Thus, if an attack requires high-level emulation of a service before it actually sends an exploit, and the honeypot does not emulate that service, poor samples or no samples at all may be collected.
Clicking on a 24-hour port activity graph leads to weekly and monthly activity graphs for the port. Further clicking on the 24-hour port graph leads to a geographical distribution of sources of activity on that port, displayed in map and tabular form.
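
A ranking of this kind can be sketched by counting distinct source addresses per destination port in two consecutive windows and sorting ports by the size of the change. This is an added example, not the system's own ranking code or the NCLUS algorithm; the event format, the window labels and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (window, source IP, destination port).
# "prev" and "curr" stand for two consecutive observation windows (assumed).
SAMPLE_EVENTS = (
    [("prev", "192.0.2.10", 22)] * 2            # repeated hits from one source
    + [("prev", "192.0.2.11", 22)]
    + [("prev", "198.51.100.1", 445)]
    + [("prev", f"203.0.113.{i}", 23) for i in (1, 2, 3)]
    + [("curr", "192.0.2.10", 22), ("curr", "192.0.2.12", 22)]
    + [("curr", f"198.51.100.{i}", 445) for i in range(1, 6)]
    + [("curr", "203.0.113.1", 23)]
    + [("curr", "192.0.2.50", 8080), ("curr", "192.0.2.51", 8080)]
)


def unique_sources(events):
    """Return window -> port -> set of distinct source IPs."""
    seen = defaultdict(lambda: defaultdict(set))
    for window, src, port in events:
        seen[window][port].add(src)
    return seen


def rank_changes(events, top=10):
    """Rank ports by change in unique sources between 'prev' and 'curr'.

    Each row is (port, sources_before, sources_after, delta). Ports seen in
    only one window are included, so newly probed ports show up as increases.
    """
    seen = unique_sources(events)
    prev, curr = seen["prev"], seen["curr"]
    rows = []
    for port in set(prev) | set(curr):
        before = len(prev.get(port, ()))
        after = len(curr.get(port, ()))
        rows.append((port, before, after, after - before))
    # Largest absolute change first; ties broken by port number.
    rows.sort(key=lambda r: (-abs(r[3]), r[0]))
    return rows[:top]


if __name__ == "__main__":
    for port, before, after, delta in rank_changes(SAMPLE_EVENTS):
        print(f"port {port:>5}: {before} -> {after} unique sources ({delta:+d})")
```

Counting distinct sources rather than raw hits keeps one noisy host from dominating the ranking, which matches the page's focus on many sources converging on one port.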