Over the past few weeks I set up a honeypot using T-Pot with Suricata as the IDS/IPS engine. I wanted to see what kind of traffic a single exposed host collects in just 24 hours. The results were eye-opening: over 165,000 events from a wide range of ASNs and IPs, most of them automated scans and brute-force attempts.
The Setup
Honeypot: T-Pot (includes Suricata, Dionaea, Cowrie, etc.)
Environment: Vultr VPS
Data Export: Suricata logs pulled from Elasticsearch → CSV → Python analysis
I focused my analysis on Suricata flow and alert events. Using a Python script, I extracted summary tables and visualizations for:
Hourly attack trends
Top attacker IPs and ASNs
Alert categories and severity levels
Flow durations to separate quick scans from longer brute-force attempts
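The four summaries listed above, reproduced as an added example that is not the project's own script. It uses only the Python standard library rather than Pandas so it runs anywhere, and it works directly on Suricata EVE JSON records (the format behind the Elasticsearch export); the six records embedded below are constructed for illustration, with addresses from documentation ranges, and are not taken from the honeypot dataset.

```python
"""Summarise Suricata EVE (eve.json) flow and alert events with the standard library."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample EVE records (not from the honeypot dataset): three flow
# events and three alert events. The severity-1 signature name is made up.
SAMPLE_EVE = r"""
{"timestamp":"2025-08-29T20:00:01.000000-0500","event_type":"flow","src_ip":"203.0.113.10","dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","flow":{"pkts_toserver":40,"pkts_toclient":35,"bytes_toserver":5200,"bytes_toclient":4100,"start":"2025-08-29T20:00:01.000000-0500","end":"2025-08-29T20:00:13.500000-0500"}}
{"timestamp":"2025-08-29T20:00:02.000000-0500","event_type":"flow","src_ip":"203.0.113.20","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,"start":"2025-08-29T20:00:02.000000-0500","end":"2025-08-29T20:00:02.000100-0500"}}
{"timestamp":"2025-08-29T20:00:03.000000-0500","event_type":"flow","src_ip":"203.0.113.20","dest_ip":"198.51.100.5","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,"start":"2025-08-29T20:00:03.000000-0500","end":"2025-08-29T20:00:03.000200-0500"}}
{"timestamp":"2025-08-29T20:05:00.000000-0500","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","alert":{"signature":"SURICATA SSH invalid banner","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2025-08-29T21:10:00.000000-0500","event_type":"alert","src_ip":"203.0.113.20","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"signature":"SURICATA TLS invalid record type","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2025-08-29T21:15:00.000000-0500","event_type":"alert","src_ip":"203.0.113.30","dest_ip":"198.51.100.5","dest_port":445,"proto":"TCP","alert":{"signature":"CONSTRUCTED severity-1 test signature","category":"Attempted Administrator Privilege Gain","severity":1}}
"""

# EVE timestamps look like 2025-08-29T20:00:01.000000-0500; %z accepts the -0500 offset.
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole analysis
    return events


def hourly_counts(events):
    """Events per hour, keyed 'YYYY-MM-DD HH:00', in time order."""
    counts = Counter()
    for ev in events:
        counts[parse_ts(ev["timestamp"]).strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(counts.items()))


def top_sources(events, n=10):
    """The n most frequent source IPs across all event types."""
    return Counter(ev["src_ip"] for ev in events).most_common(n)


def alert_summary(events):
    """Counts by alert category and by severity (alert events only)."""
    by_category, by_severity = Counter(), Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        by_category[ev["alert"]["category"]] += 1
        by_severity[ev["alert"]["severity"]] += 1
    return by_category, by_severity


def classify_flows(events, scan_max_seconds=1.0):
    """Split flow events into quick one-way probes (shorter than scan_max_seconds
    with nothing sent back) and longer or bidirectional flows that may be
    interactive sessions such as brute-force attempts."""
    scans, sessions = [], []
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        f = ev["flow"]
        duration = (parse_ts(f["end"]) - parse_ts(f["start"])).total_seconds()
        bidirectional = f.get("bytes_toclient", 0) > 0
        record = (ev["src_ip"], ev["dest_port"], round(duration, 3), bidirectional)
        if duration < scan_max_seconds and not bidirectional:
            scans.append(record)
        else:
            sessions.append(record)
    return scans, sessions


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("Hourly:", hourly_counts(evs))
    print("Top sources:", top_sources(evs, 3))
    cats, sevs = alert_summary(evs)
    print("Categories:", dict(cats))
    print("Severities:", dict(sevs))
    scans, sessions = classify_flows(evs)
    print(f"{len(scans)} scan-like flows, {len(sessions)} longer/bidirectional flows")
```

The scan/session split uses both duration and whether any bytes came back, which is what separates the "0 bytes exchanged" scanners from the bidirectional brute-force traffic in the findings; on a real export, feed `parse_eve` the contents of eve.json (or the exported CSV converted back to records) instead of the constructed sample.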
Key Findings
Total Events: 165,197
Unique Source IPs: 200
Peak Activity: Aug 29, 20:00 CT (~14,600 events in a single hour)
Attacker Infrastructure
NYBULA (40k events), AS-VULTR (23k), and Global Connectivity Solutions LLP (12k) dominated the event count
Other traffic came from Flagman Telecom, Network-Advisors, China Mobile, Viettel Group, and Google Cloud
Top Source IPs
144.202.75.221: 22.8k events with bidirectional traffic (likely brute-force attempts)
196.251.66.157 & 196.251.66.164: ~20k each, but 0 bytes exchanged (pure scanning)
208.67.108.93: TLS probes with 7.2k events
Alerts
90% of alerts fell into the Generic Protocol Command Decode category (low-value noise)
Only 2 severity-1 alerts in the dataset
Most flows lasted <1 second (scans), but some longer ones point to brute-force attempts
Visuals
Recommendations
Detection Rules: flag IPs with >100 SSH attempts in 10 minutes
Defensive Actions: rate-limit or block /24 networks from NYBULA and Vultr
Research Extensions: expand analysis to 72h/1 week, build Kibana dashboards, train a simple ML classifier with the clean dataset
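The detection rule from the first recommendation, written out as an added example (not code from the project repo). It keeps a sliding 10-minute window of port-22 connection timestamps per source IP and flags a source the moment its count exceeds 100. The input is a list of (timestamp, src_ip, dest_port) tuples, which is what you would pull from the flow events' timestamp, src_ip and dest_port fields; the sample traffic is constructed for the demo, and the addresses are documentation-range placeholders.

```python
"""Flag source IPs with more than 100 SSH connection attempts inside any 10-minute window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSH_PORT = 22
THRESHOLD = 100                  # strictly more than this many attempts ...
WINDOW = timedelta(minutes=10)   # ... within any window of this length


def ssh_burst_detector(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (first_trigger_time, attempts_in_window)} for every source
    whose connections to port 22 exceed `threshold` within any `window`.

    events: iterable of (timestamp: datetime, src_ip: str, dest_port: int).
    Events are sorted by time so the sliding window is correct regardless of
    the order they arrive in from the export."""
    attempts = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, src_ip, dest_port in sorted(events):
        if dest_port != SSH_PORT:
            continue
        q = attempts[src_ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict attempts older than the window
            q.popleft()
        if len(q) > threshold and src_ip not in flagged:
            flagged[src_ip] = (ts, len(q))  # record the first time the rule fired
    return flagged


def constructed_sample():
    """Constructed traffic (not real honeypot data) covering three cases."""
    start = datetime(2025, 8, 29, 20, 0, 0)
    events = []
    # 120 SSH attempts, one every 4 seconds (about 8 minutes) -> should fire
    for i in range(120):
        events.append((start + timedelta(seconds=4 * i), "203.0.113.10", SSH_PORT))
    # 120 SSH attempts at one per minute over two hours -> never >100 in 10 minutes
    for i in range(120):
        events.append((start + timedelta(minutes=i), "203.0.113.20", SSH_PORT))
    # 500 hits on port 80 -> not SSH, ignored by this rule
    for i in range(500):
        events.append((start + timedelta(seconds=i), "203.0.113.30", 80))
    return events


def run_demo():
    """Apply the detector to the constructed sample and return the flagged sources."""
    return ssh_burst_detector(constructed_sample())


if __name__ == "__main__":
    for ip, (when, count) in run_demo().items():
        print(f"{ip}: {count} SSH attempts in 10 min, first exceeded at {when.isoformat()}")
```

The slow-and-low source stays under the threshold by design, which is the usual blind spot of a fixed count-per-window rule; pairing it with the per-source flow summaries over a longer period (the 72h/1-week extension above) is how you would catch that pattern.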
Project Repo
I’ve published the full analysis, datasets, and code here:
👉 GitHub Repo: Suricata Honeypot Analysis
Closing Thoughts
Even a single honeypot attracts a massive amount of automated traffic in just 24 hours. Most of it is noise, but by digging deeper you can start to identify persistent infrastructure (ASNs, IP ranges) and patterns worth tracking. This project also demonstrates how you can turn raw honeypot data into actionable insights and portfolio-ready analysis using Python, Pandas, and visualization.