Continuing the Halloween tradition.
Three investigation moments from 2003:
February: Slammer scans saturating my upstream. Investigation: legitimate Slammer infrastructure noise. Lesson: bandwidth is the new constraint.
August: Blaster traffic from inside my network. Investigation: a friend's laptop, briefly connected. Lesson: even trusted hosts need to be monitored.
September: Sebek captures showing an unusually careful attacker. Investigation: legitimate; just a careful attacker. Lesson: the careful-attacker population continues to be small but real.
Have a safe night.