Tcpdump fun! What kind of traffic is coming from the Internet?

A short post. Just before using Suricata IDS and a honeypot in my virtual lab, I wanted to check that port mirroring was working fine. I was also curious about what kind of traffic I would receive from the Internet, so I ran tcpdump, and this is the result (3 hours listening):

  • 88% of the traffic was SSH login attempts from a host in China: users root, oracle, nagios and postgres.
  • 3% of the traffic was BitTorrent (lost packets?).
  • 3% of the traffic was against TCP ports 10021 and 34900.
  • 3% of the traffic was SSDP protocol (something trying to discover and configure wireless devices?).
  • The rest of the traffic was a mixture of MySQL, telnet, MS-SQL and HTTP connection attempts.

What will I find when I start the honeypot? What will Suricata detect?
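As an added example (not code from the original post), here is the kind of per-destination-port tally that produces a breakdown like the one above, run over a constructed set of `tcpdump -nn` summary lines. The bucket labels, the sample addresses and the port-to-service mapping are assumptions, not something the post states.

```python
import re
from collections import Counter

# Destination-port to label map used to bucket flows (assumed mapping).
PORT_LABELS = {22: "ssh", 10021: "tcp/10021", 34900: "tcp/34900", 1900: "ssdp",
               3306: "mysql", 23: "telnet", 1433: "ms-sql", 80: "http"}

# Matches one `tcpdump -nn` IPv4 summary line: "<ts> IP src.sport > dst.dport: rest"
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

# Constructed sample capture output (documentation addresses, not a real capture).
SAMPLE_LINES = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
12:00:01.100001 IP 203.0.113.10.51235 > 198.51.100.5.22: Flags [S], seq 2, win 65535, length 0
12:00:02.000001 IP 203.0.113.10.51236 > 198.51.100.5.22: Flags [S], seq 3, win 65535, length 0
12:00:03.000001 IP 203.0.113.10.51237 > 198.51.100.5.22: Flags [S], seq 4, win 65535, length 0
12:00:04.000001 IP 192.0.2.77.6881 > 198.51.100.5.6881: UDP, length 120
12:00:05.000001 IP 192.0.2.33.40000 > 198.51.100.5.10021: Flags [S], seq 5, win 1024, length 0
12:00:06.000001 IP 192.0.2.44.40001 > 198.51.100.5.34900: Flags [S], seq 6, win 1024, length 0
12:00:07.000001 IP 192.0.2.55.1900 > 239.255.255.250.1900: UDP, length 133
12:00:08.000001 IP 192.0.2.66.40002 > 198.51.100.5.3306: Flags [S], seq 7, win 1024, length 0
12:00:09.000001 IP 192.0.2.88.40003 > 198.51.100.5.23: Flags [S], seq 8, win 1024, length 0
"""

def classify(line: str):
    """Return a traffic label for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m.group(4))
    if 6881 <= dport <= 6889:          # common BitTorrent listening range
        return "bittorrent"
    return PORT_LABELS.get(dport, "other")

def summarize(lines):
    """Percentage of parsable lines per label, rounded to one decimal place."""
    counts = Counter(label for label in map(classify, lines) if label)
    total = sum(counts.values())
    if not total:
        return {}
    return {label: round(100.0 * n / total, 1) for label, n in counts.items()}

if __name__ == "__main__":
    for label, pct in sorted(summarize(SAMPLE_LINES.splitlines()).items(),
                             key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {label}")
```

On a real capture, feed it `tcpdump -nn -r capture.pcap` output instead of the sample; the percentages are per packet, which is why a single SSH brute-forcer dominates the way the post describes.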

Posted in: IDS
