This service for Suricata alerts to get notifications via Telegram Messenger. It can help to get alerts faster in your Telegram account using Telegram Bot API. It creates message with secure clickable IP-addresses that can be checked via VirusTotal.
This service requires root rights to run Suricata in system mode. It can work as systemd service or can work as native.
- copy
configs/service.ini.example
toconfigs/service.ini
- make changes in config by your own
Create Telegram Bot and get BOT_TOKEN
using BotFather. Then get your Telegram User ID using myidbot. Specify interface that you would like monitor. You can specify multiply interfaces. To mute alert of specific rule (if you have messages spamming) you can specify sid or sids in BLACKLISTS_SIDS
. For example you should mute sid 2033967
, ET Telegram API Domain TLS SNI
or you will get many messages with alerts
- you also can change
configs/suricata.yaml
- install as systemd service using next commands:
chmod +x install.sh
sudo ./install.sh
These steps will create systemd service:
/etc/systemd/system/suricata-telegram-notifier.service
systemctl status suricata-telegram-notifier
- check systemd service statuslogs/service.log
- logs of suricata-telegram-notifier which similar to systemd statuslogs/suricata.log
- logs of Suricata instancelogs/fast.log
- last alerts in readable format
- add last alert checking to prevent spam