I'm in the process of building myself a "sandbox" it's going to consist of:

DEC 1000 as a honeypot
Gateway E-3200 running OpenBSD 3.4 with PF as the firewall
Linksys dual-ethernet router
compaq laptop as a host running slackware 9.1
PII 266 w/ 192MB RAM running XP Pro and VMWare (its slow as a dog, but it runs )

Compaq Presario 4784 running OpenBSD 3.4 with SNORT
xl0: inside sensor
xl1: outside sensor
xl2: private network to Sun Ultra 1 running ACID, MySQL and APACHE/PHP/SSL

my question is this: what do you think would be better? Patch all the system then play, or leave them unpatched..play, then go back and patch and play some more.

I've gotten mixed answers from searching and talking to others. I'm curious what the AO communities view is on this.

If anyone wants pictures of my sandbox when its complete...let me know...i'll be more than happy to post them


laters.