Question8

If you obtained such firewall logs from a production system, which source IPs or groups of IPs would you focus on as the highest threat?


Things To Look At


The common item to look for when reviewing log files is anything that appears out of the ordinary.
- CERT Coordination Center, Intrusion Detection Checklist



Dani@NL: what a question! It really depends.... it depends on WHAT runs on them. Importance of Vulnerability you have. Assessment to know WHAT is vulnerable to what .... so then I know what to watch... but that is not an option in our case, as we don't know in advance the LayoutHoney. We had to figure it partially out.


So we might concentrate on outbound connections first: they are usually a sign of compromise (see OutgSYN and NotInbound).

Strange patterns are also interesting to us.

The slow and 'strange' activities like those described in Question3, Question4 and Question6 are often scary, but unfortunately it is impossible to trace them to anything concrete.

So we have to decide where to concentrate in order to maximize efficiency.

Here are some of the nodes that attracted our attention first.
They are not necessarily the right things to look at; they are just what WE looked at first. We did not want to lie in this SotM, so we did not always correct our mistakes. Eventually we explain our mistakes, but making them was important to reach some conclusions.
"Sbagliando s'impara" ("one learns by making mistakes") is an Italian saying.


Some Attackers:
62.126.79.x - The Mark of the Illuminati - a particular group of those messenger spammers - we loved NUMBERS in this challenge !
217.219.118.194 (5 packets to port 5 from Iran)
69.133.57.67 - Four packets to DstPort2 ... and that's it! :)
DailyFeb8 - We see some outbound connections
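As an added example (not part of the original SotM writeup), a small Python triage script that applies the ordering described above to constructed firewall log lines: outbound SYNs from the honeynet first, then external sources grouped by /24 and ranked by how many distinct hosts and packets they used. The log format, the 10.0.0.0/24 honeynet range, the destination hosts and the sample lines are assumptions; only the external addresses and ports come from this page.

```python
"""Triage constructed firewall log lines: outbound SYNs from the honeynet first."""
from collections import defaultdict
import ipaddress

# Constructed sample log (not from the SotM data). Whitespace-separated fields:
# month day action proto src sport dst dport tcp-flags. DstPort2 is taken as TCP/2.
SAMPLE_LOG = """\
Feb 8 DROP TCP 217.219.118.194 4512 10.0.0.5 5 S
Feb 8 DROP TCP 217.219.118.194 4513 10.0.0.5 5 S
Feb 8 DROP TCP 69.133.57.67 3001 10.0.0.7 2 S
Feb 8 ACCEPT TCP 10.0.0.5 1025 198.51.100.20 6667 S
Feb 8 ACCEPT TCP 10.0.0.5 1026 198.51.100.21 80 S
Feb 8 ACCEPT TCP 62.126.79.10 1100 10.0.0.5 1026 S
Feb 8 ACCEPT TCP 62.126.79.11 1100 10.0.0.5 1026 S
"""

HONEYNET = ipaddress.ip_network("10.0.0.0/24")  # assumed honeynet range


def parse(line):
    mon, day, action, proto, src, sport, dst, dport, flags = line.split()
    return {"date": f"{mon} {day}", "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "flags": flags}


def outbound_syns(records):
    """Connections initiated from inside the honeynet (OutgSYN): likely compromise."""
    return [r for r in records
            if r["src"] in HONEYNET and r["dst"] not in HONEYNET
            and r["proto"] == "TCP" and "S" in r["flags"]]


def inbound_sources(records, prefix_len=24):
    """Group external sources by /24, counting packets, distinct hosts and dst ports."""
    groups = defaultdict(lambda: {"packets": 0, "hosts": set(), "dports": set()})
    for r in records:
        if r["src"] in HONEYNET:
            continue
        net = ipaddress.ip_network(f"{r['src']}/{prefix_len}", strict=False)
        g = groups[str(net)]
        g["packets"] += 1
        g["hosts"].add(str(r["src"]))
        g["dports"].add(r["dport"])
    return groups


def triage(log_text):
    """Return (outbound SYN records, external /24s ranked by hosts then packets)."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    groups = inbound_sources(records)
    # A block with several cooperating hosts (a spammer "group") outranks a lone scanner.
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]["hosts"]), -kv[1]["packets"]))
    return outbound_syns(records), ranked
```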



Related Pages
Timeline
Investigations
NotInbound
OutgSYN