
RE: Honeypot Server

Subject: RE: Honeypot Server
Date: Thu, 17 Jan 2008 18:02:38 -0600
The bait n switch preproc with Snort allows you to redirect traffic that 
triggered an alert to a honeypot/net, which combines research and some security 
features into a honeypot deployment. So they definitely can provide some 
security. Keep in mind that any traffic hitting your honeynet is malicious, 
which can act as a warning system.

You can even deploy in a round-robin fashion, so if the alert is for a Windows 
vuln, send to the win32 HP, and if it is a Linux alert, send to the *nix HP, and 
so forth.

I wrote a paper with Jason Larsen discussing these ideas; it's called "Fun 
Things to do with your honeypot".

Hope that helps.
-Albert G.

-----Original Message-----
From: krymson@gmail.com
Sent: Thursday, January 17, 2008 3:38 PM
To: security-basics@securityfocus.com
Subject: Re: Honeypot Server

"Easy to admin, monitor, alert..." I apologize, but I would first question what 
your intended purpose for the honeypot would be. I get the feeling you want 
something more like a network tripwire that you don't have to look at. I would 
steer you towards an IDS solution like Snort or some other sort of deep 
inspection firewall or even just your firewall logs.

A honeypot, while fun and interesting, is still largely a measure for 
malware/hacker research as opposed to any real security measure. I know you 
didn't call it a security measure, but it sounds like you want a security 
measure...? A honeypot has very little value to most shops that are not 
providing actual research.


<- snip ->
Can you advise what is the best honeypot server available
Open-source or commercial - it doesn't matter as long as it will be easy to
administrate and easy to monitor and alerted ...
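
The per-OS routing idea from the reply above, sketched as an added example (not code from the thread, from Snort, or from the bait-and-switch preprocessor). It only computes a routing decision from Snort "fast" alert lines; the honeypot addresses, keyword hints and sample alerts are constructed assumptions.

```python
import re

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Hypothetical honeypot pool, using RFC 5737 documentation addresses.
HONEYPOTS = {"win32": "192.0.2.10", "nix": "192.0.2.20", "generic": "192.0.2.30"}

# Constructed keyword hints; a real deployment would map reviewed rule SIDs.
OS_HINTS = {
    "win32": ("netbios", "smb", "ms-sql", "iis", "windows"),
    "nix": ("linux", "unix", "ssh", "rpc portmap", "sendmail"),
}

def classify(msg):
    """Guess the OS family an alert concerns from its rule message."""
    text = msg.lower()
    for family, words in OS_HINTS.items():
        if any(w in text for w in words):
            return family
    return "generic"

def route(line):
    """Return the routing decision for one alert line, or None if unparseable."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    family = classify(m["msg"])
    return {"src": m["src"], "sid": int(m["sid"]),
            "family": family, "honeypot": HONEYPOTS[family]}

# Constructed sample alerts (documentation address ranges, made-up SIDs).
SAMPLE = [
    "01/17-18:02:38.120000  [**] [1:1000001:1] NETBIOS SMB share access attempt [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.7:4312 -> 203.0.113.5:445",
    "01/17-18:02:41.500000  [**] [1:1000002:1] SSH brute force login attempt [**] "
    "[Priority: 2] {TCP} 198.51.100.9:50122 -> 203.0.113.6:22",
    "01/17-18:02:45.900000  [**] [1:1000003:1] ICMP PING sweep [**] "
    "[Priority: 3] {ICMP} 198.51.100.9 -> 203.0.113.6",
    "not an alert line",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(route(entry))
```

Every source address that gets a routing decision is also worth logging as an early-warning indicator, since nothing legitimate should be reaching the honeynet.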


