Honeypots mailing list archives

Need advice on which info do I have to expect to classify worm


From: dcneting <ansiry () tm net my>
Date: Sat, 08 May 2004 00:28:14 +0800

I'm using honeyd, snort and iptables in my simple honeynet in order to catch
and classify worms (known and unknown). And I set the logs to be
centralized in only one database. I'm planning to do the classification
process autonomously. Is the information collected by those 3 tools
enough for me to classify worms into their categories? Is just looking at the info
in the TCP header enough? Suggest to me if there is anything I missed... :)

Thanks.
