I'm writing a VoIP honeypot. Right now, it's listening on a specific port (SIP) for incoming connections. What would you suggest are the most important features it should have in terms of scanning/attack detection and analyzing? I don't think there are many sophisticated attacks out there (yet), so implementing anything beyond DoS/flooding detection might be a waste of time because creating VoIP sessions (with SIP) and recording and analyzing multimedia streams is more complicated than just to listen for scans on a specific port. But one day those automated attacks might come, similar to what is happening right now to Window RPC/SMB for instance.
Any thoughts on this from people who follow that whole VoIP security topic?