Clusters Table Level Cluster name Flows % of flows Port Protocol % of unique src   [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    6807   2.66   445   tcp   92.91    [WORM] NETBIOS SMB Initiation using Pysmb library (139/TCP, "nt|00|pysmb")    1432   0.56   445   tcp   31.78    [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase    1326   0.52   445   tcp   29.49    SMB Initiation (port 139/445/TCP)    939   0.37   445   tcp   5.63    NETBIOS SMB Initiation (445/TCP)    142   0.06   445   tcp   2.41    SMB / NTLMSSP negotiation (445/TCP)    76   0.03   445   tcp   1.16    [BinaryFile] Shellcode - part of EXE Windows file download (all zeros)    62   0.02   445   tcp   1.29    [SCAN] Web proxy check / CONNECT method to mail (gmail)    24   0.01   808   tcp   0.27    NETBIOS Query (137/UDP)    23   0.01   137   udp   0.14    BitTorrent traffic    16   0.01   11639   tcp   0.14    [EXPLOIT] LSASS / DCE RPC exploit: Mainz/Bielefeld Shellcode (445/TCP)    6   0.00   445   tcp   0.14    [P2P] BitTorrent traffic    6   0.00   11639   tcp   0.07    part of SMB / NTLMSSP negotiation (445/TCP)    3   0.00   445   tcp   0.07    RPC DCOM probe (port 135/TCP)    2   0.00   135   tcp   0.05  The cluster table is a ranking of activity of clusters sorted by the amount of flows that make up a cluster. The data is based on traffic to honeypots in the last 24 hours. A high position of an unlabelled cluster is the result of a new pattern of activity in the network not known to the system previously and may be an indicator of a new attack. It is possible to click on a cluster to acquire more detailed information about the observed payload.

© Copyright by 2007    (Last update: 2012-02-07 00:05:00 CET)