Clusters Table Level Cluster name Flows % of flows Port Protocol % of unique src   [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    8471   3.92   445   tcp   75.23    SMB Initiation (port 139/445/TCP)    4345   2.01   445   tcp   12.86    RPC DCOM probe (port 135/TCP)    3337   1.54   135   tcp   11.22    RPC DCOM probe (port 135/TCP)    2515   1.16   135   tcp   10.21    [WORM] SQL Slammer (1434/UDP, "sock", "send", "|81 F1 03 01 04 9B 81 F1 01|"    2404   1.11   1434   udp   0.75    [WORM] NETBIOS SMB Initiation using Pysmb library (139/TCP, "nt|00|pysmb")    1931   0.89   445   tcp   26.76    [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    1872   0.87   445   tcp   25.97    [P2P] BitTorrent traffic    1146   0.53   26526   tcp   0.97    [WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)    937   0.43   135   tcp   5.53    [TRASH] almost_all_zeros ("|00 00 00...|")    848   0.39   135   tcp   6.29    [WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)    308   0.14   135   tcp   2.74    NETBIOS SMB Initiation (445/TCP)    294   0.14   445   tcp   2.24    [TRASH] small part of MS RPC DCOM Blaster (135/TCP)    289   0.13   135   tcp   3.05    [WORM] part of MS RPC DCOM Blaster (135/TCP, CVE-2003-0352, MS03-026)    288   0.13   135   tcp   2.65    NETBIOS SMB Initiation (445/TCP)    205   0.09   445   tcp   2.40    NETBIOS SMB Initiation (445/TCP)    183   0.08   445   tcp   2.19    SMB / NTLMSSP negotiation (445/TCP)    174   0.08   445   tcp   1.40    [WORM] part of MS RPC DCOM Blaster (135/TCP, CVE-2003-0352, MS03-026)    115   0.05   135   tcp   0.86    MSSQL Probe port 1433/TCP (Spida Worm?)    101   0.05   1433   tcp   0.20    [WORM] part of MS RPC DCOM Blaster (135/TCP, CVE-2003-0352, MS03-026)    98   0.05   135   tcp   1.04    [WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)    78   0.04   135   tcp   0.63    [EXPLOIT] part of LSA Exploit / NETBIOS SMB-DS Exploit (445/TCP)    74   0.03   445   tcp   0.41    [SHELLCODE] x86 NOOP    46   0.02   445   tcp   0.42    [EXPLOIT] LSASS / DCERPC exploit + Shellcode NOOP (445/TCP)    36   0.02   445   tcp   0.42    NETBIOS SMB Initiation ? (445/TCP)    32   0.01   445   tcp   0.42  The cluster table is a ranking of activity of clusters sorted by the amount of flows that make up a cluster. The data is based on traffic to honeypots in the last 24 hours. A high position of an unlabelled cluster is the result of a new pattern of activity in the network not known to the system previously and may be an indicator of a new attack. It is possible to click on a cluster to acquire more detailed information about the observed payload.

© Copyright by 2007    (Last update: 2010-09-07 18:05:00 CEST)