Snort 3.0 Beta 3 Released
An interesting post by Martin Roesch on the new architecture in the beta release of Snort.
As incident handlers, we always need to look out for sources that report possible malicious activity coming from (or going to) our networks. We run a couple of honeypots and have a netflow monitor that alerts us when something is out of the ordinary. Extra sources, however, are always a bonus.
Recently I came across ATLAS from Arbor Networks.
They have an excellent service where you can easily sign up and, if they approve your account, you get access to alerts from their honeypots. According to their website, they cover a large part of the Internet. There’s of course some commercial mumbo jumbo, but at first their service seems to be very useful. An RSS feed allows you to get instant updates with a short description, the type of incident (scan, phish, …), a timeframe and a link to their site with additional information.
Project Honeypot allows everyone who hosts a website to create a mini honeypot to trap spammers. I’ve configured mine to run on this site at “coast.php”.
It is a “poor man’s” honeypot but can still offer useful results. Watch for my future write-ups on how to create honeypots with Bind, Apache and Postfix.