DEV Community

MaxHagl


Analyzing 165k Honeypot Events in 24 Hours with Suricata

Over the past weeks I set up a honeypot using T-Pot with Suricata as the IDS/IPS engine. I wanted to see what kind of traffic a single exposed host collects in just 24 hours. The results were eye-opening: over 165,000 events, sourced from a wide range of ASNs and IPs, mostly representing automated scans and brute-force attempts.

The Setup

Honeypot: T-Pot (includes Suricata, Dionaea, Cowrie, etc.)

Environment: Vultr VPS

Data Export: Suricata logs pulled from Elasticsearch → CSV → Python analysis

I focused my analysis on Suricata flow and alert events. Using a Python script, I extracted summary tables and visualizations for:

Hourly attack trends

Top attacker IPs and ASNs

Alert categories and severity levels

Flow durations to separate quick scans from longer brute-force attempts
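The summary tables listed above (hourly counts, top sources, alert categories and severities, flow-duration buckets) can be derived directly from Suricata's eve.json records. The following is an added example, not code from the post or its repository: it uses only the Python standard library instead of Pandas, and the EVE records it parses are constructed to mimic Suricata's flow and alert event shapes (the IPs, signature IDs and signature names are placeholders, not observations from the honeypot). It also splits sources into "bidirectional" and "one-way" using `flow.bytes_toclient`, which is the distinction the findings below draw between brute-force traffic and pure scanning.

```python
"""Summarise Suricata EVE JSON (flow + alert events) with only the standard library.

The records in SAMPLE_EVE are constructed to mimic eve.json output; they are
not taken from the honeypot dataset described in the post."""
import json
from collections import Counter
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata's default timestamp format

# Constructed sample: one JSON object per line, as Suricata writes eve.json.
SAMPLE_EVE = """
{"timestamp":"2025-08-29T20:00:01.000000+0000","event_type":"flow","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","flow":{"bytes_toserver":4200,"bytes_toclient":3100,"start":"2025-08-29T19:59:50.000000+0000","end":"2025-08-29T20:00:01.000000+0000","state":"closed"}}
{"timestamp":"2025-08-29T20:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED stream anomaly","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2025-08-29T20:00:14.000000+0000","event_type":"flow","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","flow":{"bytes_toserver":3900,"bytes_toclient":2800,"start":"2025-08-29T20:00:05.000000+0000","end":"2025-08-29T20:00:14.000000+0000","state":"closed"}}
{"timestamp":"2025-08-29T20:00:20.000000+0000","event_type":"flow","src_ip":"192.0.2.77","dest_ip":"203.0.113.5","dest_port":445,"proto":"TCP","flow":{"bytes_toserver":60,"bytes_toclient":0,"start":"2025-08-29T20:00:20.000000+0000","end":"2025-08-29T20:00:20.400000+0000","state":"new"}}
{"timestamp":"2025-08-29T20:00:21.000000+0000","event_type":"flow","src_ip":"192.0.2.77","dest_ip":"203.0.113.5","dest_port":3389,"proto":"TCP","flow":{"bytes_toserver":60,"bytes_toclient":0,"start":"2025-08-29T20:00:21.000000+0000","end":"2025-08-29T20:00:21.300000+0000","state":"new"}}
{"timestamp":"2025-08-29T21:00:30.000000+0000","event_type":"alert","src_ip":"192.0.2.77","dest_ip":"203.0.113.5","dest_port":445,"proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED exploit attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
"""


def parse_eve(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def events_per_hour(events):
    """Event counts bucketed by hour, in the timezone Suricata logged (UTC here)."""
    return Counter(parse_ts(e["timestamp"]).strftime("%Y-%m-%d %H:00") for e in events)


def top_sources(events, n=5):
    """(src_ip, event_count, total_bytes) for the busiest sources.

    Bytes are summed from flow records only; alert records carry no byte counts."""
    counts, total_bytes = Counter(), Counter()
    for e in events:
        counts[e["src_ip"]] += 1
        flow = e.get("flow", {})
        total_bytes[e["src_ip"]] += flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
    return [(ip, c, total_bytes[ip]) for ip, c in counts.most_common(n)]


def classify_sources(events):
    """'bidirectional' if the target ever sent bytes back (bytes_toclient > 0),
    otherwise 'one-way', which is what a connect/SYN scan looks like in flow data."""
    answered, seen = Counter(), set()
    for e in events:
        if e.get("event_type") != "flow":
            continue
        seen.add(e["src_ip"])
        answered[e["src_ip"]] += e["flow"].get("bytes_toclient", 0)
    return {ip: ("bidirectional" if answered[ip] > 0 else "one-way") for ip in seen}


def alert_breakdown(events):
    """Returns (category_counter, severity_counter) over alert events only."""
    categories, severities = Counter(), Counter()
    for e in events:
        if e.get("event_type") == "alert":
            categories[e["alert"]["category"]] += 1
            severities[e["alert"]["severity"]] += 1
    return categories, severities


def flow_duration_buckets(events):
    """Bucket flows by (flow.end - flow.start): sub-second flows are scan-like,
    long-lived ones are where interactive or brute-force sessions show up."""
    buckets = Counter()
    for e in events:
        if e.get("event_type") != "flow":
            continue
        seconds = (parse_ts(e["flow"]["end"]) - parse_ts(e["flow"]["start"])).total_seconds()
        if seconds < 1:
            buckets["<1s"] += 1
        elif seconds < 10:
            buckets["1-10s"] += 1
        else:
            buckets[">=10s"] += 1
    return buckets


EVENTS = parse_eve(SAMPLE_EVE)

if __name__ == "__main__":
    print("events/hour:", dict(events_per_hour(EVENTS)))
    print("top sources:", top_sources(EVENTS))
    print("source type:", classify_sources(EVENTS))
    print("alerts:", alert_breakdown(EVENTS))
    print("durations:", dict(flow_duration_buckets(EVENTS)))
```

To run this against a real export, replace `SAMPLE_EVE` with the contents of eve.json (or the Elasticsearch hits re-serialised one document per line); the field names used here are Suricata's own (`event_type`, `src_ip`, `flow.bytes_toclient`, `alert.category`, `alert.severity`).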

Key Findings

Total Events: 165,197

Unique Source IPs: 200

Peak Activity: Aug 29, 20:00 CT (~14,600 events in a single hour)

Attacker Infrastructure

NYBULA (40k events), AS-VULTR (23k), and Global Connectivity Solutions LLP (12k) dominated

Other traffic came from Flagman Telecom, Network-Advisors, China Mobile, Viettel Group, and Google Cloud

Top Source IPs

144.202.75.221: 22.8k events with bidirectional traffic (likely brute-force attempts)

196.251.66.157 & 196.251.66.164: ~20k each, but 0 bytes exchanged (pure scanning)

208.67.108.93: TLS probes with 7.2k events

Alerts

90% of alerts were Generic Protocol Command Decode, the classtype Suricata assigns to its built-in stream and protocol-anomaly signatures, so mostly low-value noise

Only 2 severity-1 alerts (Suricata's highest priority) in the dataset

Most flows lasted <1 second (scans), but the longer-lived flows are where the brute-force attempts show up

Visuals

Figures (images not reproduced in this text): Events per Hour; Top Attacker AS Orgs; Flow Durations; Alert Severity Distribution; Alert Category Distribution

Recommendations

Detection Rules: flag any source IP with more than 100 SSH connection attempts (flows to TCP/22) within a 10-minute window

Defensive Actions: rate-limit or block the specific /24 networks observed from NYBULA and Vultr; since the honeypot itself runs on a Vultr VPS, block only the offending ranges rather than all of AS-VULTR

Research Extensions: expand analysis to 72h/1 week, build Kibana dashboards, train a simple ML classifier with the clean dataset
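The detection rule above ("more than 100 SSH attempts in 10 minutes") is easy to get wrong with a plain per-IP total, which would also flag a slow scanner that spreads 150 attempts over half an hour. The block below is an added example, not code from the post or its repository: it implements the rule as a sliding window over Suricata flow events to TCP/22 and then maps the flagged IPs to their /24 networks for the rate-limiting step. All flow records are generated inline and are constructed, not honeypot data; the IPs are documentation addresses.

```python
"""Sliding-window SSH brute-force detection over Suricata flow events.

Flags a source IP once it has made more than `threshold` connection attempts to
TCP/22 within any `window_minutes` span. Sample flows are constructed, not real."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata's default timestamp format


def make_flows(src_ip, dest_port, count, every_seconds, start):
    """Constructed Suricata-style flow records: `count` flows, one every `every_seconds`."""
    return [
        {"timestamp": (start + timedelta(seconds=i * every_seconds)).strftime(TS_FMT),
         "event_type": "flow", "src_ip": src_ip, "dest_ip": "203.0.113.5",
         "dest_port": dest_port, "proto": "TCP"}
        for i in range(count)
    ]


BASE = datetime(2025, 8, 29, 20, 0, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = (
    make_flows("198.51.100.10", 22, 120, 2, BASE)     # burst: 120 SSH attempts in 4 minutes
    + make_flows("192.0.2.77", 22, 50, 30, BASE)      # slow: 50 SSH attempts over 25 minutes
    + make_flows("192.0.2.77", 445, 200, 5, BASE)     # SMB probes: not SSH, must be ignored
    + make_flows("203.0.113.99", 22, 150, 10, BASE)   # 150 SSH attempts spread over 25 minutes
)


def ssh_burst_sources(events, threshold=100, window_minutes=10, ssh_port=22):
    """Return {src_ip: ISO timestamp of the attempt that crossed the threshold}.

    Only TCP flows to `ssh_port` count. Events are sorted by time, and each source
    keeps a deque of recent timestamps trimmed to the window, so the count is
    always 'attempts in the last `window_minutes`', never a lifetime total."""
    window = timedelta(minutes=window_minutes)
    attempts = sorted(
        (datetime.strptime(e["timestamp"], TS_FMT), e["src_ip"])
        for e in events
        if e.get("event_type") == "flow"
        and e.get("proto") == "TCP"
        and e.get("dest_port") == ssh_port
    )
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in attempts:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def offending_networks(ips, prefix=24):
    """Collapse flagged IPs to their /24 networks (sorted) for rate-limiting or blocking."""
    return sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})


if __name__ == "__main__":
    hits = ssh_burst_sources(SAMPLE_FLOWS)
    print("flagged:", hits)
    print("networks:", offending_networks(hits))
```

With the defaults only 198.51.100.10 is flagged (at its 101st attempt, 20:03:20 UTC); 203.0.113.99 never has more than 61 attempts in any 10-minute window despite 150 in total, and 192.0.2.77's SMB probes are filtered out before counting. The `threshold` and `window_minutes` parameters are the two knobs to tune once the rule runs against a full day of flows.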

Project Repo

I’ve published the full analysis, datasets, and code here:
👉 GitHub Repo: Suricata Honeypot Analysis

Closing Thoughts

Even a single honeypot attracts a massive amount of automated traffic in just 24 hours. Most of it is noise, but by digging deeper you can start to identify persistent infrastructures (ASNs, IP ranges) and patterns worth tracking. This project also demonstrates how you can turn raw honeypot data into actionable insights and portfolio-ready analysis using Python, Pandas, and visualization.
