Clusters Table Level Cluster name Flows % of flows Port Protocol % of unique src   [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    5781   2.34   445   tcp   93.58    [WORM] NETBIOS SMB Initiation using Pysmb library (139/TCP, "nt|00|pysmb")    1065   0.43   445   tcp   28.82    [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    1054   0.43   445   tcp   28.51    SMB Initiation (port 139/445/TCP)    544   0.22   445   tcp   5.14    NETBIOS SMB Initiation (445/TCP)    80   0.03   445   tcp   2.10    SMB / NTLMSSP negotiation (445/TCP)    32   0.01   445   tcp   0.88    RPC DCOM probe (port 135/TCP)    21   0.01   135   tcp   0.19    [SCAN] Web proxy check / CONNECT method to mail (gmail)    12   0.00   80   tcp   0.17    [EXPLOIT] LSASS / DCE RPC exploit: Mainz/Bielefeld Shellcode (445/TCP)    9   0.00   445   tcp   0.19    [WORM] part of MS RPC DCOM Blaster (135/TCP, CVE-2003-0352, MS03-026)    6   0.00   135   tcp   0.11    [P2P] BitTorrent traffic    6   0.00   11639   tcp   0.08    [BinaryFile] Shellcode - part of EXE Windows file download (all zeros)    3   0.00   445   tcp   0.08    part of SMB / NTLMSSP negotiation (445/TCP)    3   0.00   445   tcp   0.08    [EXPLOIT] DCERPC / LSASS exploit (445/TCP)    2   0.00   445   tcp   0.06  The cluster table is a ranking of activity of clusters sorted by the amount of flows that make up a cluster. The data is based on traffic to honeypots in the last 24 hours. A high position of an unlabelled cluster is the result of a new pattern of activity in the network not known to the system previously and may be an indicator of a new attack. It is possible to click on a cluster to acquire more detailed information about the observed payload.

© Copyright by 2007    (Last update: 2012-02-05 07:05:00 CET)