Question1
Question N1
What are the high-level trends in connectivity to/from the honeynet? What was growing/decreasing? How does that match global statistics from DShield and other sources?
Some Of The Things We Looked At
• Most attacked ports - Top7Ports
• Number of events per day - Timeline - and total traffic per 10-minute interval - DetailGraph
• Most common X (10?) ports --> for each port, how many events per day
• Which ports/hosts the communication went to
• NotInbound - All data OTHER THAN Inbound
• OutgSYN - Outgoing Connections (I know, it is silly, but we made it in two different ways!)
Trends Reported
• Inbound traffic:
• Outbound traffic: (check OutgSYN)
• Timeline
• Top7Ports - Most frequently seen ports
• DailyFeb22 - Increase in LDAP scanning activity - also reported by DShield
• BonusQuestion - High-level metrics
• Worms activity - Question2
• Scans - Question4
• Internet Noise - Question5
External References Consulted
• http://isc.incidents.org/alldiaries.html?month=2&year=2004
• http://www.sans.org/webcasts/show.php?webcastid=90486