Monkey.org Developments
Honeyd Mailing List: how efficiently I can use honeyd/Honeypots


From: Ravi <ravivsn_at_roc.co.in>
Date: Fri, 19 Dec 2003 10:23:40 +0530

Greetings all,
This is my first posting to this mailing list.
I am very much fascinated by this technology. Please help me understand how
efficiently I can use honeyd/Honeypots.

I have seen articles describing the results after evaluating honeypots
and honeyd for production and research as well. As these honeypots
have become almost stable, can we start using honeypots to benchmark other
IPS/IDS products?
I would like to know how well I can use honeypots to evaluate IPS/IDS
products.

I think of following scenario:

Nessus-------- IPS---------Honeypot
                              |
                              |
                              ----- snot

Nessus will generate attacks to exploit the IPS; the Honeypot or Honeyd will
receive the attacks when the IPS fails to block them. Snot will be
used for packet logging and to group the attacks received by the
Honeypot/Honeyd.
I assume this way I can evaluate IPS products.

Coming to the drawbacks of such a set-up:
    - We have made the assumption that the Honeypot/Honeyd is almost stable
    - The evaluation also depends on snot's capability of logging
packets. Snot's performance under high loads may affect the
evaluation

I request that anyone who has evaluated any IPS products share their
experiences and help me to do so. Any ideas for Nessus scripts to
evaluate an IPS are also welcome.

Best Regards,
Thanks in advance,
-Ravi
Received on Fri Dec 19 2003 - 09:47:59 PST
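
An added example, not part of the original post: one way to score the setup described in the message while accounting for the logging drawback it lists. It assumes (hypothetically) that each probe can be matched between the scanner side and the honeypot-side log by a `probe_id`, and that benign control probes are mixed in so that capture loss is visible; all sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    probe_id: str    # hypothetical label, e.g. derived from a unique source port
    malicious: bool  # False = benign control traffic the IPS should let through


def score_run(sent, seen_ids, max_control_loss=0.05):
    """Compare what the scanner sent with what the logger saw at the honeypot.

    An attack that was logged got past the IPS. An attack that was NOT logged
    was either blocked by the IPS or lost by the logger, so the block rate is
    only trusted when nearly all benign control probes were logged.
    """
    attacks = [p for p in sent if p.malicious]
    controls = [p for p in sent if not p.malicious]
    if not attacks or not controls:
        raise ValueError("need at least one attack probe and one control probe")

    missed = sorted(p.probe_id for p in attacks if p.probe_id in seen_ids)
    lost = sorted(p.probe_id for p in controls if p.probe_id not in seen_ids)
    control_loss = len(lost) / len(controls)

    return {
        "missed_attacks": missed,  # reached the honeypot
        "apparent_block_rate": 1 - len(missed) / len(attacks),
        "lost_controls": lost,  # IPS false positive or logger drop
        "control_loss": control_loss,
        "reliable": control_loss <= max_control_loss,  # threshold is an assumption
    }


# Constructed sample run: 6 attack probes and 4 benign control probes were sent.
SENT = [Probe(f"atk-{i}", True) for i in range(1, 7)] + \
       [Probe(f"ctl-{i}", False) for i in range(1, 5)]
# Constructed honeypot-side log: probe ids the packet logger recorded.
SEEN = {"atk-2", "atk-5", "ctl-1", "ctl-2", "ctl-4"}

if __name__ == "__main__":
    for key, value in score_run(SENT, SEEN).items():
        print(f"{key}: {value}")
```

In this constructed run one of four control probes never reached the log, so the apparent block rate is reported as unreliable rather than credited to the IPS.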


NB: This is a filtered version of the Honeypots mailing list. Only posts that concern Honeyd are shown here. For more recent discussions visit the forums.