Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won’t necessarily stop or prevent an attack, but can act as a watchguard for something evul going on, or to figure out what an attacker may have done on your network. The real usefulness of this tool won’t be realized until it is used though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.
Of note, no, I’m not all that great with Snort. It’s on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.