A short post. Just before using Suricata IDS and a honeypot in my virtual lab, I wanted to check that port mirroring was working fine. I was also curious about what kind of traffic I would receive from the Internet, so I ran tcpdump and this is the result (3 hours of listening):
- 88% of the traffic was SSH login attempts from a host in China: users root, oracle, nagios and postgres.
- 3% of the traffic was BitTorrent (lost packets?).
- 3% of the traffic was against TCP ports 10021 and 34900.
- 3% of the traffic was SSDP (trying to configure and detect wireless devices?)
- The rest of the traffic was a mixture of MySQL, Telnet, MS-SQL and HTTP connection attempts.
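The breakdown above was done by hand from the tcpdump output. The script below is an added example (not from the original post) that does the same bucketing automatically over lines as printed by `tcpdump -nn` (numeric hosts and ports): it groups packets by destination port and protocol into the categories named above and reports percentages and the noisiest source for a category. The port-to-service map and the BitTorrent port range are assumptions chosen for the example, and the sample capture lines at the bottom are constructed (RFC 5737 documentation addresses), not a real capture.

```python
"""Bucket a tcpdump text capture by destination port/protocol.

Added example, not code from the original post. Parses `tcpdump -nn` IPv4
lines and reports what fraction of packets fall into each category. The
port map below is an assumption (well-known defaults), not something the
post states; SAMPLE is a constructed capture, not real traffic.
"""
import re
from collections import Counter

# "HH:MM:SS.ffffff IP src.port > dst.port: rest"  (tcpdump -nn, IPv4 only)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Assumed port-to-label mapping; tune for your own lab.
TCP_PORTS = {
    22: "ssh", 23: "telnet", 80: "http", 1433: "ms-sql", 3306: "mysql",
    10021: "tcp/10021", 34900: "tcp/34900",
}
UDP_PORTS = {1900: "ssdp"}
BT_RANGE = range(6881, 6890)  # classic BitTorrent listening ports (assumption)


def parse_line(line):
    """Return {src, sport, dst, dport, proto} or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # tcpdump prints "UDP, length N" for UDP and "Flags [..]" for TCP.
    proto = "udp" if m.group("rest").startswith("UDP") else "tcp"
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": proto,
    }


def classify(pkt):
    """Map one parsed packet to a category label."""
    port = pkt["dport"]
    if pkt["proto"] == "tcp" and port in TCP_PORTS:
        return TCP_PORTS[port]
    if pkt["proto"] == "udp" and port in UDP_PORTS:
        return UDP_PORTS[port]
    if port in BT_RANGE or pkt["sport"] in BT_RANGE:
        return "bittorrent"
    return "other"


def summarize(lines):
    """Return {label: (count, percent)} over all parseable lines."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            counts[classify(pkt)] += 1
    total = sum(counts.values())
    if not total:
        return {}
    return {k: (n, round(100.0 * n / total, 1)) for k, n in counts.items()}


def top_sources(lines, label, n=3):
    """Most common source IPs for one category (e.g. who is hammering SSH)."""
    srcs = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and classify(pkt) == label:
            srcs[pkt["src"]] += 1
    return srcs.most_common(n)


# Constructed sample capture (not real data); one IPv6 line is included to
# show that non-IPv4 lines are skipped rather than miscounted.
SAMPLE = """\
00:00:01.000001 IP 203.0.113.7.41234 > 10.0.0.5.22: Flags [S], seq 1, win 29200, length 0
00:00:01.100001 IP 203.0.113.7.41235 > 10.0.0.5.22: Flags [S], seq 2, win 29200, length 0
00:00:01.200001 IP 203.0.113.7.41236 > 10.0.0.5.22: Flags [S], seq 3, win 29200, length 0
00:00:02.000001 IP 198.51.100.9.50000 > 10.0.0.5.22: Flags [S], seq 4, win 29200, length 0
00:00:03.000001 IP 198.51.100.20.6881 > 10.0.0.5.6881: UDP, length 100
00:00:04.000001 IP 10.0.0.1.1900 > 239.255.255.250.1900: UDP, length 133
00:00:05.000001 IP 198.51.100.30.44444 > 10.0.0.5.10021: Flags [S], seq 5, win 512, length 0
00:00:06.000001 IP 198.51.100.31.44445 > 10.0.0.5.3306: Flags [S], seq 6, win 512, length 0
00:00:07.000001 IP6 fe80::1.546 > ff02::1:2.547: UDP, length 60
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for label, (count, pct) in sorted(summarize(lines).items(), key=lambda kv: -kv[1][0]):
        print(f"{pct:5.1f}%  {count:4d}  {label}")
    print("top ssh sources:", top_sources(lines, "ssh"))
```

To use it on a real capture, feed it the saved text output (`tcpdump -nn -i <mirror-if> > capture.txt`, then `summarize(open("capture.txt"))`). Counting packets, as here and in the post, over-weights chatty flows such as SSH brute force; counting distinct (src, dport) pairs instead gives a better picture of how many different scanners visited.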
What will I find when I start the honeypot? What will Suricata detect?