Effective network security administration depends to a great extent on
having accurate, concise, high-quality information about malicious activity
in one's network.  Honeynets can potentially provide such detailed information,
but the volume and diversity of this data can prove overwhelming.  In this
paper we explore ways to integrate honeypot data into daily network security
monitoring with a goal of sufficiently classifying and summarizing the
data to provide ongoing ``situational awareness.'' We present such a system,
built using the Bro NIDS, and discuss experiences drawn from six months
operation.

One key aspect of this environment is its ability to provide insight into
large-scale events.  We look at the problem of accurately classifying
botnet sweeps and worm outbreaks, which turns out to be difficult to grapple
with due to the high dimensionality of such incidents.  Using datasets
collected during a number of these events, we explore the utility of several
analysis methods, finding that when used together they show promise
for contributing towards effective situational awareness.