Honeycomb is good at spotting worms. For example, on a typical end-user DSL connection Honeycomb creates detailed signatures for Slammer and Code Red (far more detailed than the typical web server request line). But the system has many other potential uses -- it can be applied to any kind of traffic to actively search for signatures when none are currently available. Examples are all those "Does anyone have a signature for program X?" questions on IDS mailing lists -- just run this traffic through Honeycomb and see what you get. Spam detection is another potential application that comes to mind.
The system is an extension of the open-source honeypot honeyd and inspects traffic inside the honeypot; currently it examines protocol headers as well as payload data. Integrating Honeycomb with honeyd has several advantages over a bump-in-the-wire approach: