some of these are worse than others

in the last few months since i most recently cleared out the database,
my test network (a defunct /16) has received 3.8M http transactions
containing 460K distinct worm bodies sent from 137K source addresses.

the top 8, by quantity, are:

     srcaddr | count | first | last

Which signature database do you use to match these, or do you just log the 404s?


If you don't mind partitioning yourself, 80.49% (the top 3) of these come
from a subset of APNIC space ...

Understand, Paul, I'm not advocating you partitioning yourself, given what
you do. It's just an interesting data point.