March 20, 2026 research

Suricata Signature Analysis

honeypot threat-intelligence T-Pot GCP Suricata IDS IDS-rules Emerging-Threats VNC python-requests Nmap Dshield signature-analysis 28-days-exposed


Deployment Period: February 1, 2026 to February 28, 2026
Honeypot: T-Pot Community Edition, Google Cloud Platform
Data Source: Elasticsearch DSL queries, Kibana Dev Tools
TLP: TLP:CLEAR


About This Report

This report is part of a hands-on project focused on building practical skills in cyber threat intelligence. It is one report in a series covering a 28-day T-Pot honeypot deployment on Google Cloud Platform during February 2026.


Summary

Over 28 days, Suricata fired on a wide range of activity hitting the honeypot. The top signatures point to a mix of automated scanning, targeted exploitation attempts, and tool-specific traffic patterns. A few signatures tie directly to campaigns covered in other reports in this series. VNC probing, Python-based scanners, and FortiOS exploitation attempts were the most prominent categories by volume.


Background

Suricata is the intrusion detection system built into T-Pot. When traffic hits the honeypot, Suricata checks it against a library of known signatures and fires an alert when something matches.

Signature names use prefixes that show where the rule came from. GPL rules come from the older Snort GPLv2 ruleset. ET rules come from Emerging Threats, a community-maintained set focused on current attacker tooling. SURICATA prefixed alerts are generated by the engine itself, usually for malformed or unusual packets rather than specific exploits.


Findings

VNC Probing

GPL INFO VNC server response fired 3,435,894 times, the highest-volume signature by a wide margin. T-Pot runs a VNC honeypot on port 5900, so every connection triggers this alert. VNC is a frequent target because it is sometimes exposed without authentication and older versions carry well-documented weaknesses.

Python-Based Scanning

ET INFO User-Agent (python-requests) Inbound to Webserver fired 2,108,061 times. The python-requests library is the default HTTP client in many open-source scanning and exploitation frameworks. This volume points to large-scale automated scanning.

Scanning Tool Fingerprints

ET SCAN MS Terminal Server Traffic on Non-standard Port fired 242,279 times, indicating RDP-style traffic on ports other than 3389, which is a common enumeration technique.

ET SCAN NMAP -sS window 1024 fired 27,194 times. Nmap’s SYN scan sets a specific TCP window size that Suricata can detect directly. This is a clear indicator of Nmap activity.

ET SCAN Sipsak SIP scan fired 6,213 times. Sipsak is a SIP testing tool used to probe VoIP infrastructure.

RDP Authentication Bypass

ET HUNTING RDP Authentication Bypass Attempt fired 78,837 times. The HUNTING prefix indicates a signature for suspicious behavior not tied to a specific known exploit. RDP is a common ransomware delivery path.

FortiOS CVE-2018-13379

Two signatures matched FortiOS path traversal traffic. ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379) fired 29,938 times. ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379) fired 29,582 times. Both rules match the same underlying requests, so the counts overlap. The actual event volume is 29,938. This activity is covered in detail in the FortiOS SSL VPN campaign report.

GPL WEB_SERVER apache directory disclosure attempt also fired 29,582 times, matching the second FortiOS signature exactly. The path traversal payload triggers both rules simultaneously.

DoublePulsar

ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication fired 13,522 times. DoublePulsar is an NSA-developed backdoor leaked by the Shadow Brokers in 2017, installed via EternalBlue (MS17-010). This connects to the legacy exploitation activity covered in the pre-2017 CVE report.

SSH Activity

ET INFO SSH session in progress on Expected Port fired 44,498 times.
ET INFO SSH-2.0-Go version string Observed in Network Traffic fired 34,943 times.
ET INFO SSH session in progress on Unusual Port fired 14,936 times.

The Go SSH version string appears in several attack frameworks and worms. Nearly 35,000 alerts for this specific string point to automated tooling.

Dshield Blocklist Hits

ET DROP Dshield Block Listed Source group 1 fired 88,036 times. This alert fires when traffic originates from an IP on the Dshield blocklist.


Analysis

Most of the high-volume traffic is automated. The scanning tool fingerprints, the python-requests user agent, and the Nmap window size all point to opportunistic scanning at scale.

The FortiOS and DoublePulsar signatures stand out because they represent exploitation attempts, not just probes. Both vulnerabilities have mature, widely available exploit code, which keeps them in active use long after patches were released.

The SSH Go version string points in the same direction. Several open-source attack tools use the Go SSH library, and the sustained volume across 28 days suggests a recurring automated campaign rather than one-off attempts.


Data Reference

Top Suricata Signatures, February 2026 (28-day totals)

Signature | Total Alerts
GPL INFO VNC server response | 3,435,894
ET INFO User-Agent (python-requests) Inbound to Webserver | 2,108,061
SURICATA AF-PACKET truncated packet | 581,034
SURICATA IPv4 truncated packet | 581,034
GPL SNMP request udp | 269,448
GPL SNMP public access udp | 269,428
ET SCAN MS Terminal Server Traffic on Non-standard Port | 242,279
GPL ICMP PING | 175,705
SURICATA STREAM Packet with broken ack | 119,520
ET DROP Dshield Block Listed Source group 1 | 88,036
ET HUNTING RDP Authentication Bypass Attempt | 78,837
SURICATA Applayer Wrong direction first Data | 61,811
ET INFO SSH session in progress on Expected Port | 44,498
ET INFO SSH-2.0-Go version string Observed in Network Traffic | 34,943
ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379) | 29,938
ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379) | 29,582
GPL WEB_SERVER apache directory disclosure attempt | 29,582
ET SCAN NMAP -sS window 1024 | 27,194
ET HUNTING Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake | 20,898
GPL WEB_SERVER robots.txt access | 16,188
ET INFO SSH session in progress on Unusual Port | 14,936
ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication | 13,522
ET SCAN Sipsak SIP scan | 6,213
ET SCAN Potential SSH Scan | 5,442

Methodology Notes

Double-counting across CVE-2018-13379 signatures. Two Suricata rules match the same FortiOS path traversal traffic. The counts are not additive. The actual event volume is the higher of the two figures (29,938).

SURICATA-prefixed alerts are engine-level detections for malformed packets. They are included in the table for completeness but are not indicators of specific attacker tooling.

Alert counts are not exploitation confirmations. Suricata fires when traffic matches a rule. The honeypot has no real services or valid credentials.
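As an added illustration of the rule-prefix classification from the Background section and the non-additive counting described in these notes (example code written for this page, not part of the original report or of T-Pot): it reads Suricata eve.json alert records from a constructed sample and counts CVE-2018-13379 events by distinct flow_id rather than by summing the two rule totals. It assumes that overlapping rules firing on one request share the same flow_id, which is how Suricata tags alerts from a single flow.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json alert records (not real honeypot data).
# Three rules fire on one FortiOS request (same flow_id), so summing per-signature
# totals overstates the real event volume, as the Methodology Notes describe.
SAMPLE_EVE = """
{"event_type":"alert","flow_id":101,"src_ip":"198.51.100.7","alert":{"signature":"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)","category":"Attempted Information Leak"}}
{"event_type":"alert","flow_id":101,"src_ip":"198.51.100.7","alert":{"signature":"ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)","category":"Web Application Attack"}}
{"event_type":"alert","flow_id":101,"src_ip":"198.51.100.7","alert":{"signature":"GPL WEB_SERVER apache directory disclosure attempt","category":"Web Application Attack"}}
{"event_type":"alert","flow_id":102,"src_ip":"198.51.100.9","alert":{"signature":"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)","category":"Attempted Information Leak"}}
{"event_type":"alert","flow_id":103,"src_ip":"203.0.113.4","alert":{"signature":"SURICATA IPv4 truncated packet","category":"Generic Protocol Command Decode"}}
{"event_type":"alert","flow_id":104,"src_ip":"203.0.113.5","alert":{"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak"}}
{"event_type":"flow","flow_id":105,"src_ip":"203.0.113.5"}
"""

def parse_alerts(text):
    """Yield (flow_id, signature) per alert record; non-alert event types are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec["flow_id"], rec["alert"]["signature"]

def signature_counts(text):
    """Raw per-signature totals, the same view as the Data Reference table."""
    return Counter(sig for _, sig in parse_alerts(text))

def rule_source(signature):
    """Prefix gives the rule origin: GPL (Snort GPLv2), ET (Emerging Threats), SURICATA (engine)."""
    return signature.split(" ", 1)[0]

def distinct_events(text, keyword):
    """Distinct flows on which any signature containing `keyword` fired.
    Overlapping rules on one flow count once, so this is not the sum of rule totals."""
    return len({fid for fid, sig in parse_alerts(text) if keyword in sig})

def tooling_signatures(text):
    """Per-signature totals with SURICATA engine-level decode alerts excluded."""
    return {s: n for s, n in signature_counts(text).items() if rule_source(s) != "SURICATA"}

if __name__ == "__main__":
    for sig, n in signature_counts(SAMPLE_EVE).most_common():
        print(f"{n:>3}  {sig}")
    print("CVE-2018-13379 distinct events:", distinct_events(SAMPLE_EVE, "CVE-2018-13379"))
```

On the sample, the two CVE-2018-13379 rules total three alerts but only two distinct events, the same relationship the report describes between its 29,938 and 29,582 figures.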


References

Source | URL
Emerging Threats Ruleset | https://rules.emergingthreats.net/
Suricata Documentation | https://docs.suricata.io/
Dshield Blocklist | https://www.dshield.org/block.txt
NVD: CVE-2018-13379 | https://nvd.nist.gov/vuln/detail/CVE-2018-13379
DoublePulsar (Shadow Brokers) | https://en.wikipedia.org/wiki/DoublePulsar
T-Pot Community Edition | https://github.com/telekom-security/tpotce

All data sourced from Elasticsearch DSL queries against T-Pot honeypot logs, 2026/02/01 through 2026/02/28. Raw query output is preserved in /data/.