in the last few months since i most recently cleared out the database,
my test network (a defunct /16) has received 3.8M http transactions
containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:
srcaddr | count | first | last
Which signature database you use to match these or just log the 404's ?
Pete
If you don't mind partitioning yourself, 80.49% (the top 3) of these come
from a subset of APNIC space ...
Understand Paul, I'm not advocating you partitioning yourself, given what
you do. Its just an interesting data point.