Alerting and logging. A honeypot is useless without strong alerting and logging. All honeypots display connection attempts as alerts, either on the sensor or on a centralized console. Alerts should allow criticality levels to be set per sensor, origination IP address, port, and even intrusion signature. All probes to a honeypot should be investigated, though some probes are more suspicious than others: a probe originating from a more secure network might indicate a more serious compromise, for example. For this reason, a defense industry client with a honeypot on a nongovernment network wanted the highest priority set on traffic originating from a distant, classified government network. The client wanted their incident response team to be alerted immediately if a probe originated from the more sensitive network. KFSensor provided the most versatility in setting criticality levels, followed by Honeyd and then HoneyPoint.
Most honeypots allow alerts to be sent via syslog, email, and the Windows event log (if hosted on a Windows computer). All alerts should be logged to a local database, and bonus points were given if logs could also be saved to an external database, especially if the supported database was SQL-based. All three products reviewed allow you to throttle alert messages so that one probing event -- say, a port scan -- doesn't trigger thousands of emails to the on-call support person.
Most honeypot products allow current alerts to be used to fine-tune future alerts, typically to filter out legitimate traffic. Fine-tuning a honeypot can take a few days, but a good honeypot simplifies the process. KFSensor easily provided the most flexibility in refining alerts: right-clicking any alert opens a "visitor rule" that can be customized in great detail. Both HoneyPoint and Honeyd also had filtering features, but they were not as flexible or easy to implement.
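The three behaviours discussed above (criticality levels set per sensor, source address, port and signature; throttling so one port scan produces one alert rather than thousands; and turning an alert into a "visitor rule" that filters that traffic in future) can be shown together in a small alert engine. The code below is an added illustration written for this review, not code from KFSensor, Honeyd or HoneyPoint; the level names, the sensor names, the signature names and the CIDR blocks in the demo are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Criticality levels from lowest to highest (names chosen for this example).
LEVELS = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class Probe:
    ts: float        # epoch seconds at which the sensor saw the connection
    sensor: str      # honeypot sensor name (constructed)
    src_ip: str
    dst_port: int
    signature: str   # detection signature name (constructed)


@dataclass
class Alert:
    probe: Probe                              # first probe of the burst
    level: str
    folded: int = 0                           # later probes throttled into this alert
    ports: Set[int] = field(default_factory=set)


class AlertEngine:
    """Scores, throttles and filters probes as described in the review."""

    def __init__(self, window: float = 60.0):
        self.window = window                          # throttle window per source+sensor
        self.src_levels: List[Tuple] = []             # (ip_network, level)
        self.port_levels: Dict[int, str] = {}
        self.sig_levels: Dict[str, str] = {}
        self.sensor_levels: Dict[str, str] = {}
        self.visitor_rules: List[Tuple] = []          # (ip_network, ports or None) to ignore
        self.alerts: List[Alert] = []
        self._open: Dict[Tuple[str, str], Alert] = {}  # (src_ip, sensor) -> open alert

    # --- criticality: most severe matching setting wins -------------------
    def set_source_level(self, cidr: str, level: str) -> None:
        self.src_levels.append((ip_network(cidr), level))

    def criticality(self, p: Probe) -> str:
        ip = ip_address(p.src_ip)
        candidates = ["low",
                      self.sensor_levels.get(p.sensor, "low"),
                      self.port_levels.get(p.dst_port, "low"),
                      self.sig_levels.get(p.signature, "low")]
        candidates += [lvl for net, lvl in self.src_levels if ip in net]
        return max(candidates, key=LEVELS.index)

    # --- visitor rules: filter known-legitimate traffic -------------------
    def add_visitor_rule(self, cidr: str, ports: Optional[Set[int]] = None) -> None:
        self.visitor_rules.append((ip_network(cidr), ports))

    def rule_from_alert(self, alert: Alert) -> None:
        """The 'right-click an alert' workflow: ignore that host on those ports."""
        self.add_visitor_rule(alert.probe.src_ip + "/32", set(alert.ports))

    def _ignored(self, p: Probe) -> bool:
        ip = ip_address(p.src_ip)
        return any(ip in net and (ports is None or p.dst_port in ports)
                   for net, ports in self.visitor_rules)

    # --- ingest with throttling -------------------------------------------
    def ingest(self, p: Probe) -> Optional[Alert]:
        """Return a new Alert, or None if the probe was filtered or folded."""
        if self._ignored(p):
            return None
        level = self.criticality(p)
        key = (p.src_ip, p.sensor)
        open_alert = self._open.get(key)
        if open_alert and p.ts - open_alert.probe.ts <= self.window:
            open_alert.folded += 1
            open_alert.ports.add(p.dst_port)
            if LEVELS.index(level) > LEVELS.index(open_alert.level):
                open_alert.level = level          # throttling must not hide an escalation
            return None
        alert = Alert(probe=p, level=level, ports={p.dst_port})
        self._open[key] = alert
        self.alerts.append(alert)
        return alert


def run_demo() -> List[Alert]:
    """Constructed traffic: a port scan, a whitelisted backup host, a sensitive-network probe."""
    eng = AlertEngine(window=60.0)
    eng.set_source_level("198.51.100.0/24", "critical")   # the sensitive network (constructed)
    eng.port_levels[445] = "high"
    eng.sig_levels["SSH_BRUTE_FORCE"] = "medium"
    eng.add_visitor_rule("192.0.2.10/32", {445})          # backup host, legitimately on 445

    probes = [Probe(1000.0 + i * 0.5, "dmz-1", "203.0.113.7", 20 + i, "PORT_PROBE")
              for i in range(20)]                          # 20-port scan within 10 seconds
    probes.append(Probe(1012.0, "dmz-1", "192.0.2.10", 445, "SMB_CONNECT"))       # filtered
    probes.append(Probe(1020.0, "dmz-1", "198.51.100.42", 22, "SSH_BRUTE_FORCE"))  # critical
    probes.append(Probe(1100.0, "dmz-2", "203.0.113.7", 445, "SMB_CONNECT"))       # new sensor, high
    for p in probes:
        eng.ingest(p)
    return eng.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a.level, a.probe.sensor, a.probe.src_ip, sorted(a.ports), "folded:", a.folded)
```

The throttle key is source address plus sensor, so the same scanner hitting a second sensor still raises a separate alert, and a folded burst is upgraded in place if a later probe in it scores higher, which is the property to check for in any product's throttling: suppression should reduce volume without hiding an escalation.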
Reporting. Management likes to see reports and pretty pictures, and everyone likes to see favorable trends over time. Unfortunately, I have yet to see a honeypot program with decent built-in reporting or anything near what we've come to expect in most computer security defense programs. HoneyPoint's 10 simple reports are easily enough to win the reporting category in this competition. I would like to see honeypot reporting mature to meet today's expectations.