While low-interaction honeypots don't do a whole lot to convince an intruder that they're the real thing, they don't have to. Their only job is to alert the computer security or incident response team when something touches them.
Honeypot software features All honeypots have a few core functions in common. First, they must publish one or more ports and services that will attract intruders. Next, they must capture at least the intruder's origination address (usually IP address), date, time, and data sent in the connection attempt. All connection attempts should be logged (unless instructed to be ignored) and generate alerts so that an incident response team can get involved. Lastly, a great honeypot helps in data analysis, whether it's through detailed packet analysis, password attempt analysis, or aggregating related probes into a single incident. How well each honeypot does this and with what finesse is where the evaluation takes place.
Platforms and installation. Honeypot software should be easy to install and configure. KFSensor leads the pack in this regard with the best GUIs across the board, although it runs only on Windows (XP and later). HoneyPoint and Honeyd run on Windows, Linux, and Mac OS X, and Honeyd supports BSD and Solaris as well. HoneyPoint is fairly simple to install, but requires minor text file manipulation for licensing. Honeyd is the most versatile honeypot of the three; unfortunately, it's also the most difficult to install and configure. Longtime Linux command-line users will find familiarity, but Windows users will usually be daunted by the downloading, compiling, and configuration work, all at the command line. All three honeypots could run as a user-mode program or as a system service or daemon. Running as a system service makes it easier for them to resume operations after a reboot.
Emulation levels and services. Most honeypot programs are low interaction to medium interaction -- or it's more accurate to say that some services are emulated at a low level and others at medium. All three honeypots reviewed fall into the low to medium range of emulation. KFSensor and Honeyd allow routing of probes to external real systems if high interaction is desired for particular services. The forwarded attacker still thinks he is connected to the same target system and IP address, and the honeypot continues to capture data so that the administrator can get a complete picture of what the attacker is doing.