Did you know that the upcoming TMG firewall has a "honeypot detector" feature? Well, it does, but in order to take advantage of it you need to join the TMG firewall to a Stirling security server. Once you do that, you'll be offered the opportunity to designate a "honeypot" IP address. The honeypot IP address is a phantom address that isn't actually used on the network. When the TMG firewall detects that repeated connection attempts are being made to a non-existent IP address, it can assume that there may be a worm scanning the network.
The Stirling and TMG firewall teams put together a nice article on their experiences with the TMG/Stirling honeypot detector.
The figure below from their article shows the alert they saw. Indeed! Honeypot detection works for them.
But you'll want to see the "rest of the story". Check it out at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer