Sunday, November 09, 2003

Honeypot - Frequently Asked Questions:
"The purpose of this page is to answer the most commonly asked questions concerning honeypot technologies, including what is a honeypot, what's its value, how do they work, and what are the different types. Most of this information was obtained from the honeypot mailing list"

What is a honeypot?
A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Unlike firewalls or IDS sensors, honeypots are something you want the bad guys to interact with. To learn more about honeypots, you may want to start with the paper Honeypots: Definitions and Values.

How do honeypots work?
Conceptually, honeypots are very simple. They are a resource that has no production value and no authorized activity. Because nobody has a legitimate reason to talk to it, any interaction with a honeypot is most likely malicious activity.

What is the value of a honeypot, what can it do for me?
Honeypots are unusual in that they do not solve one specific problem. Instead, they are a highly flexible tool with many different applications to security. It all depends on what you want to achieve. Some honeypots can be used to help prevent attacks, others can be used to detect attacks, while other honeypots can be used for information gathering and research.

What are the advantages of a honeypot?
Honeypots have several powerful advantages. They include:

Small data sets: Honeypots collect small amounts of data, but almost all of this data is real attacks or unauthorized activity. Instead of dealing with 5,000 alerts and 10GB of logs every day, you may only get 30 alerts with your honeypots and 1MB of logs every day. Since honeypots collect only malicious activity, it is much easier to analyze and react to the information they collect.

Reduced false positives: With most detection technologies (such as IDS sensors) a large percentage of your alerts are false warnings, making it very difficult to figure out what is a real attack. With honeypots, almost everything you detect or capture is an attack or unauthorized activity, vastly reducing false positives.

Reduced false negatives: Unlike signature-based technologies, honeypots do not need to know what an attack looks like in advance, so it is very easy for them to detect and record attacks or behavior never seen before in the wild.

Cost effective: Because honeypots only interact with malicious activity, they do not need high-performance hardware. Most honeypots can easily run on an old Pentium computer with 128 MB of RAM.

Simplicity: Honeypots are very simple; there are no advanced algorithms to develop, nor any rulebases to maintain.
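The "no authorized activity" principle from the "How do honeypots work?" answer and the "small data sets / reduced false positives" advantages above can be shown in a few lines of code. The following is an added example written for this post; it is not code from the FAQ or from tracking-hackers.com. It assumes an iptables-style firewall log (constructed sample lines below), a honeypot at 192.0.2.10, and one admin host (192.0.2.2) that is allowed to SSH into the honeypot for maintenance; all of those addresses and the log format are assumptions, not something the FAQ specifies. The detection rule needs no signatures at all: any packet to the honeypot that is not the management channel is an alert.

```python
"""Minimal honeypot alert filter (added example, not from the FAQ).

A honeypot has no production value, so the detection rule is simply
"anything that reaches it is suspicious", with a single carve-out for
the traffic we generate ourselves to administer the box.
"""
import re
from collections import Counter

HONEYPOT_IP = "192.0.2.10"   # assumed honeypot address (TEST-NET-1 range)
ADMIN_HOST = "192.0.2.2"     # assumed admin box allowed to manage the honeypot
ADMIN_PORTS = {22}           # assumed management channel: SSH only

# Constructed sample firewall log in a simplified iptables-like format.
# 192.0.2.20 is a production web server; 192.0.2.10 is the honeypot.
SAMPLE_LOG = """\
Nov  9 03:12:01 fw kernel: SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=80
Nov  9 03:12:05 fw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Nov  9 03:12:06 fw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
Nov  9 03:13:10 fw kernel: SRC=192.0.2.2 DST=192.0.2.10 PROTO=TCP DPT=22
Nov  9 03:14:44 fw kernel: SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=1434
Nov  9 03:15:00 fw kernel: SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with src/dst/proto/dpt, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dpt"] = int(event["dpt"])
    return event


def is_authorized(event):
    """The only authorized traffic to a honeypot is its own management channel."""
    return event["src"] == ADMIN_HOST and event["dpt"] in ADMIN_PORTS


def honeypot_alerts(log_text):
    """Every packet to the honeypot that is not management traffic is an alert.

    No signatures, no thresholds: the honeypot's lack of production value is
    the whole rule, which is why previously unseen attacks are caught too.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dst"] != HONEYPOT_IP:
            continue  # production traffic: not our problem here
        if is_authorized(event):
            continue  # our own admin session
        alerts.append(event)
    return alerts


def attackers(alerts):
    """Count alerts per source address, the usual first triage step."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = honeypot_alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dpt']}/{a['proto']}")
    print(attackers(found))
```

Of the six constructed log lines, three are alerts: a probe of TCP/80 and TCP/445 from 198.51.100.7 and a UDP/1434 packet from 203.0.113.9. The same sources also touched the production web server, where port 80 and 443 hits are indistinguishable from normal traffic; only the honeypot turns them into unambiguous signals, which is the "small data sets, few false positives" point in practice. The one caveat a practitioner needs is the carve-out for management traffic: if your own monitoring or backup host talks to the honeypot, exclude it explicitly or you will be chasing your own alerts.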

http://www.tracking-hackers.com/misc/faq.html
