Suricata + Telegram Alerting Integration on Ubuntu Server
This guide explains how to install, configure, and automate Suricata intrusion detection alerts to be sent directly to Telegram using a simple Bash script.
The setup uses the af-packet capture mode and monitors the Suricata eve.json log file for new alerts.
🛠️ 1. Installing Suricata and Dependencies
Start by installing Suricata and the required tools for the notification script:
sudo apt update
sudo apt install -y suricata jq curl

Suricata – intrusion detection system
jq – parses JSON logs
curl – sends messages to Telegram via API
⚙️ 2. Configure Suricata (suricata.yaml)
Edit the main configuration file:
sudo nano /etc/suricata/suricata.yaml

Replace its content (or the relevant parts) with the minimal working configuration below:
%YAML 1.1
---
# ===============================
# Suricata minimal config
# ===============================
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80,8080,8000,3128,8180,8888"
    SSH_PORTS: "22"
    DNS_PORTS: "53"

af-packet:
  - interface: wlxf81a67268645
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert
  - stats:
      enabled: yes
      filename: stats.log
      append: yes
      totals: yes
      threads: no
      deltas: no

logging:
  default-log-level: notice
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        level: info
        filename: suricata.log

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.0
Important:
Make sure the interface under af-packet matches your network interface (use ip link show to check it). The rule-files entry expects /var/lib/suricata/rules/suricata.rules, which sudo suricata-update creates from the ET Open ruleset; without it Suricata starts with no rules and never raises an alert. You can validate the whole file before starting the service with sudo suricata -T -c /etc/suricata/suricata.yaml.
🚨 3. Telegram Notification Script
Create a script that monitors the Suricata eve.json log and sends alerts to Telegram.
Create the file:
sudo nano /usr/local/bin/suricata-telegram.sh
Paste the script below:
#!/bin/bash
# Script: Notification Telegram
# Tails Suricata's eve.json and forwards every new alert to a Telegram chat,
# sending at most one message per hour for the same rule/source/destination.

# --- Configuration ---
EVE_LOG="/var/log/suricata/eve.json"
TELEGRAM_TOKEN="YOUR_TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="YOUR_CHAT_ID"
TELEGRAM_API="https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage"

# --- Dependencies ---
if ! command -v jq &> /dev/null; then
    echo "Error: jq not installed."
    exit 1
fi
if ! command -v curl &> /dev/null; then
    echo "Error: curl not installed."
    exit 1
fi

# --- Escape Markdown for Telegram ---
# Telegram rejects a MarkdownV2 message that contains an unescaped reserved
# character (_ * [ ] ( ) ~ ` > # + - = | { } . !), so every one of them, and
# the backslash itself, gets a backslash prefix. One sed pass replaces the
# per-character bash substitutions, whose quoting of { and } is error-prone;
# in the bracket expression ']' comes first and '-' last so both are literal.
escape_markdown() {
    printf '%s\n' "$1" | sed 's/[]_*[()~`>#+=|{}.!\\-]/\\&/g'
}

declare -A sent_alerts # epoch time of the last message sent per alert key

echo "Monitoring Suricata alerts from: ${EVE_LOG}"

tail -n 0 -F "$EVE_LOG" | while read -r line; do
    # eve.json also carries flow, dns, stats and other events; only alerts
    # are forwarded (jq errors on a partially written line are silenced).
    if echo "$line" | jq -e 'select(.event_type=="alert")' > /dev/null 2>&1; then
        sig=$(echo "$line" | jq -r '.alert.signature')
        src=$(echo "$line" | jq -r '.src_ip')
        dst=$(echo "$line" | jq -r '.dest_ip')
        proto=$(echo "$line" | jq -r '.proto')
        timestamp=$(date '+%Y-%m-%d %H:%M:%S')

        sig_escaped=$(escape_markdown "$sig")
        src_escaped=$(escape_markdown "$src")
        dst_escaped=$(escape_markdown "$dst")

        key="${sig}_${src}_${dst}"
        # Send only one notification per hour for the same alert
        if [[ -z "${sent_alerts[$key]}" || $(( $(date +%s) - ${sent_alerts[$key]} )) -gt 3600 ]]; then
            MSG="🚨 *SURICATA ALERT* 🚨
*Timestamp:* \`${timestamp}\`
*Rule:* \`${sig_escaped}\`
*Protocol:* ${proto}
*Source:* \`${src_escaped}\`
*Destination:* \`${dst_escaped}\`"
            echo "New alert: $sig ($src -> $dst)"
            curl -s -X POST "${TELEGRAM_API}" \
                --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
                --data-urlencode "text=${MSG}" \
                --data-urlencode "parse_mode=MarkdownV2" > /dev/null
            sent_alerts[$key]=$(date +%s)
        else
            echo "Duplicate alert ignored: $sig ($src -> $dst)"
        fi
    fi
done
Make it executable:
sudo chmod +x /usr/local/bin/suricata-telegram.sh

The file holds your bot token, so also keep it readable by root only (for example sudo chmod 700 /usr/local/bin/suricata-telegram.sh).

🤖 4. Create the Telegram Bot
Open Telegram and search for @BotFather
Run /newbot → give it a name and username
Copy the API Token
Start a chat with your bot
Send any message to your bot first, then open this URL in a browser to get your chat ID (it is the chat.id value inside the message objects of the JSON response):
https://api.telegram.org/bot<YOUR_TOKEN>/getUpdates
Replace both TELEGRAM_TOKEN and TELEGRAM_CHAT_ID in the script
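The getUpdates response is JSON, and the chat ID has to be picked out of it by hand. Below is an added Python helper (not part of the original post) that does that reading for a constructed response shaped like the Bot API's output; the update values, the user and channel names, and the id numbers are all made up for the example, and the helper also recognises the ok=false body the API returns for a wrong token so that case is not mistaken for "no chats yet".

```python
import json

# Constructed getUpdates response shaped like the Bot API's JSON: two private
# messages from one user and one channel post (all values are made up).
SAMPLE_GET_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100000001,
         "message": {"message_id": 1, "date": 1760000000, "text": "/start",
                     "chat": {"id": 123456789, "type": "private", "first_name": "Alice"}}},
        {"update_id": 100000002,
         "message": {"message_id": 2, "date": 1760000010, "text": "hi",
                     "chat": {"id": 123456789, "type": "private", "first_name": "Alice"}}},
        {"update_id": 100000003,
         "channel_post": {"message_id": 7, "date": 1760000020, "text": "test",
                          "chat": {"id": -1001234567890, "type": "channel",
                                   "title": "soc-alerts"}}},
    ],
})

# Constructed copy of what the API answers for an invalid bot token.
SAMPLE_BAD_TOKEN = json.dumps({"ok": False, "error_code": 401,
                               "description": "Unauthorized"})


def chat_ids_from_updates(body):
    """Map chat id -> (chat type, label) for every chat seen in a getUpdates body.

    Raises ValueError when the API reports ok=false, so a bad token is not
    confused with "nobody has messaged the bot yet" (an empty result list).
    """
    data = json.loads(body)
    if not data.get("ok"):
        raise ValueError("getUpdates failed: "
                         + str(data.get("description", "unknown error")))
    chats = {}
    for update in data.get("result", []):
        # Updates carry the chat under one of these keys depending on origin.
        for kind in ("message", "edited_message", "channel_post"):
            chat = update.get(kind, {}).get("chat")
            if chat:
                label = (chat.get("title") or chat.get("username")
                         or chat.get("first_name", ""))
                chats[chat["id"]] = (chat["type"], label)
    return chats


if __name__ == "__main__":
    for chat_id, (kind, label) in chat_ids_from_updates(SAMPLE_GET_UPDATES).items():
        print(f"{chat_id}\t{kind}\t{label}")
```

Paste the real response in place of SAMPLE_GET_UPDATES to list the ids; a negative id is a group or channel, a positive one a private chat. An empty result means no update has reached the bot yet, which is why the step above says to message the bot first.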
🚀 5. Start Suricata and the Script
Start Suricata manually or as a service:
sudo systemctl start suricata

Then run the Telegram alert script:
sudo /usr/local/bin/suricata-telegram.sh

It needs sudo because eve.json is normally readable only by root. You should now receive alerts in your Telegram chat whenever Suricata detects malicious activity.
🧩 6. Example Alert
When you test with a command like:
curl http://testmyids.com (or nmap -A <IP>)

You’ll receive a Telegram message such as:
🚨 SURICATA ALERT 🚨
Timestamp: 2025-10-14 22:16:05
Rule: GPL ATTACK_RESPONSE id check returned root
Protocol: TCP
Source: 217.160.0.187
Destination: 192.168.0.149
✅ Summary of Functionality
Suricata monitors network traffic on your interface.
eve.json logs every alert as JSON.
The Bash script:
Reads new JSON alerts in real time
Sends formatted Telegram messages
Ignores duplicate alerts for 1 hour
Escapes Markdown characters for Telegram safety
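The three steps in this summary (read the JSON alerts, escape MarkdownV2, suppress repeats for an hour) are easiest to check without a live Suricata. The following is an added Python counterpart of the Bash script's logic, not the post's own code: it runs the same parse, escape and deduplicate steps over constructed eve.json lines and returns the messages that would have been sent instead of calling Telegram. The sample lines, the RFC 5737 source address, and the choice to report the event's own timestamp field (the Bash script uses the local clock) are assumptions of this example.

```python
import json
import time

# Telegram's MarkdownV2 reserved characters; the Bash escape_markdown escapes
# the same set plus the backslash itself.
MARKDOWNV2_RESERVED = set("_*[]()~`>#+-=|{}.!")
DEDUP_WINDOW_SECONDS = 3600  # one-hour suppression window, as in the Bash script


def escape_markdown(text):
    """Prefix every backslash and reserved character with a backslash."""
    return "".join(
        "\\" + ch if ch == "\\" or ch in MARKDOWNV2_RESERVED else ch
        for ch in text
    )


def parse_alert(line):
    """Return the fields the notifier needs from one eve.json line, or None.

    None covers everything tail -F can hand over that is not a complete
    alert: flow/dns/stats events, a partially written line, or an alert
    record missing one of the expected keys.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event_type") != "alert":
        return None
    try:
        return {
            "sig": event["alert"]["signature"],
            "src": event["src_ip"],
            "dst": event["dest_ip"],
            "proto": event["proto"],
            "ts": event["timestamp"],
        }
    except (KeyError, TypeError):
        return None


def format_message(alert):
    """Build the MarkdownV2 text; every interpolated field is escaped
    (assumption: the event's own timestamp is reported)."""
    return "\n".join([
        "\U0001F6A8 *SURICATA ALERT* \U0001F6A8",
        f"*Timestamp:* `{escape_markdown(alert['ts'])}`",
        f"*Rule:* `{escape_markdown(alert['sig'])}`",
        f"*Protocol:* {escape_markdown(alert['proto'])}",
        f"*Source:* `{escape_markdown(alert['src'])}`",
        f"*Destination:* `{escape_markdown(alert['dst'])}`",
    ])


class AlertDeduper:
    """Allow one notification per (signature, src, dst) per window."""

    def __init__(self, window=DEDUP_WINDOW_SECONDS):
        self.window = window
        self.last_sent = {}

    def should_send(self, alert, now):
        key = (alert["sig"], alert["src"], alert["dst"])
        last = self.last_sent.get(key)
        if last is not None and now - last <= self.window:
            return False  # the Bash script's "Duplicate alert ignored" branch
        self.last_sent[key] = now
        return True


def process_lines(lines, now_fn=time.time, deduper=None):
    """Dry run: return the messages that would be POSTed, in order."""
    deduper = deduper if deduper is not None else AlertDeduper()
    messages = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and deduper.should_send(alert, now_fn()):
            messages.append(format_message(alert))
    return messages


def _alert_line(ts, src, dst, sig):
    """Constructed eve.json alert record, trimmed to the fields used here."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": dst, "proto": "TCP",
                       "alert": {"signature": sig, "severity": 1}})


# Constructed sample input: the page's example alert, a non-alert event, an
# exact repeat, the same rule against another host, and a truncated line.
SAMPLE_EVE_LINES = [
    _alert_line("2025-10-14T22:16:05.000000+0000", "203.0.113.10", "192.168.0.149",
                "GPL ATTACK_RESPONSE id check returned root"),
    json.dumps({"timestamp": "2025-10-14T22:16:06.000000+0000", "event_type": "flow",
                "src_ip": "203.0.113.10", "dest_ip": "192.168.0.149", "proto": "TCP"}),
    _alert_line("2025-10-14T22:16:07.000000+0000", "203.0.113.10", "192.168.0.149",
                "GPL ATTACK_RESPONSE id check returned root"),  # repeat: suppressed
    _alert_line("2025-10-14T22:16:08.000000+0000", "203.0.113.10", "192.168.0.150",
                "GPL ATTACK_RESPONSE id check returned root"),  # new destination: sent
    '{"timestamp": "2025-10-14T22:16:09.000000+0000", "event_type": "alert", "src_ip"',
]

if __name__ == "__main__":
    for msg in process_lines(SAMPLE_EVE_LINES):
        print(msg, end="\n\n")
```

Running it prints two messages: the first alert and the one against 192.168.0.150; the flow event, the repeat within the hour and the half-written line produce nothing, which is the behaviour the Bash script is meant to have when tail -F hands it a line mid-write.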