Question5
Question N5
What other common internet noise types do you see?


Things To Look At
It is a bit difficult to define "noise", as its definition varies from person to person.
In many cases I would consider the worms of Question2 and the scans of Question3 and Question4 also noise.

In most cases noise is that huge amount of activity that is not harmful to us if we are not vulnerable to that "something" being exploited (or attempted).
(Check also Question8 in this regard.)



Noise Observed
NetBIOS - Especially FROM one of the honeypots themselves. 11.11.11.67 IS definitely a Windows box, as it produces LOADS of NetBIOS noise.
Mainly port DstPort138 (name resolution FROM the honeypot in the honeynet and from outside, boxes with no firewall or one that doesn't do egress filtering, etc.)
But also SrcDstPort137 and DstPort139. UDP and TCP.
DstPort445 (SmbDevice)
DstPort25 - SMTP ? Spammers trying to relay ?
DstPort135 RPC - Blaster / Nachi / RPC DCOM exploit / Messenger SPAM and other stuff - SrcPort666 - l33t H4x0rz ? or just some MESSENGER SPAMMERS ?
DstPort1434 - SQL Server (still Slammer..naaaa...just scans maybe)
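
An added example (not part of the original analysis): one way to tag flow records with the noise categories listed above, keeping traffic sent BY the honeynet separate from traffic aimed at it. The flow line format, the labels, the 11.11.11.x honeynet range and the sample flows are assumptions constructed for illustration.

```python
import re
from collections import Counter

HONEYNET_PREFIX = "11.11.11."  # assumed range; the page only names 11.11.11.67
# Destination ports listed under "Noise Observed" (labels are hypothetical)
NOISE_DST_PORTS = {138: "netbios-138", 139: "netbios-139", 445: "smb-445",
                   25: "smtp-25", 135: "rpc-135", 1434: "mssql-1434"}
# Assumed line format: "<proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def classify(line):
    """Return (direction, label); label is None if the flow is not listed noise."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable flow line: {line!r}")
    sport, dport = int(m["sport"]), int(m["dport"])
    direction = "outbound" if m["src"].startswith(HONEYNET_PREFIX) else "inbound"
    if sport == 137 and dport == 137:      # SrcDstPort137: both ends on 137
        label = "netbios-137"
    elif dport == 135 and sport == 666:    # the SrcPort666 variant noted above
        label = "rpc-135-src666"
    else:
        label = NOISE_DST_PORTS.get(dport)
    return direction, label

def summarize(lines):
    """Count listed noise per (direction, label); return the rest for review."""
    counts, review = Counter(), []
    for line in lines:
        direction, label = classify(line)
        if label is None:
            review.append(line)
        else:
            counts[(direction, label)] += 1
    return counts, review

# Constructed sample flows (not taken from the challenge capture)
SAMPLE = [
    "udp 11.11.11.67:138 -> 11.11.11.255:138",
    "udp 11.11.11.67:137 -> 11.11.11.255:137",
    "udp 11.11.11.67:138 -> 11.11.11.255:138",
    "udp 192.0.2.10:666 -> 11.11.11.67:135",
    "udp 198.51.100.7:4021 -> 11.11.11.67:1434",
    "tcp 203.0.113.5:3312 -> 11.11.11.67:445",
    "tcp 203.0.113.5:3313 -> 11.11.11.67:8080",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Flows that match none of the listed categories come back in the review list, so the noise counts never hide traffic that still needs a look.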


Related Pages
Anomalous traffic - Question6
Scans observed - Question4
Worms - Question2
Timeline