A bot to quickly get information about an IP, useful to get threat intelligence informations for blue team.
git clone https://github.com/matteounitn/Threat-Intelligence-telegram.git
- Go to https://my.telegram.org/auth?to=apps;
- Create an app(doesn't matter how do you call it);
- Get API ID and API KEYS;
- Replace them in
config.json.sample
and save it asconfig.json
You should register to:
- https://pulsedive.com (api-key)
- https://abuseipdb.com (api-key)
- https://greynoise.io (api-key)
- https://ipdata.co (api-key)
- https://otx.alienvault.com (api-key)
- https://neutrinoapi.com (user-id and api-key) ((PLEASE DO NOT USE ROOT KEY FOR THIS, create one api-key for the bot)
- https://exchange.xforce.ibmcloud.com (api-key and api-password)
- https://threatbook.io (api-key)
- https://www.virustotal.com (api-key)
Get api-keys and api-password or user-id when needed.
They are all almost free, i suggest you to register to neutrinoapi.com and pay for it, since it's very cheap.
If you don't want to use neutrinoapi (shame on you, it is one of the best) just comment the part of the code about neutrino and add a bogus api-key. Or just don't, the script should be failsafe, a bogus api-key will get a "unauthorized" response from neutrino.
Replace them in api_keys.json.sample
and save it as api_keys.json
Create a telegram bot from the BotFather (https://t.me/botfather) and start a chat with it.
The url of your newly created bot will look like http://t.me/your_bot_name
Copy the APItoken generated by the BotFather, and add it in config.json
as bot_token
.
Copy admin.json.sample
and save it as admin.json
.
Use @getmyid_bot
bot to get your user ID.
Should be in the form
Your user ID: XXXXXXXXX
Current chat ID: XXXXXXXXX
add the ID (doesn't matter which one, they should be the same) to admin.json (i.e., just change series of zero '000000000' in the file admin.json) You can have more than one admin, just treat the admin.json as an array
{
["FIRST_ID", "SECOND_ID"]
}
This lets people use your bot.
If you want it to be used by everyone, just use an empty array
{
[]
}
cd Threat-Intelligence-telegram
docker build --no-cache -t my_ip_threat .
docker run --name ip_threat_check -d my_ip_threat
Enjoy!
cd Threat-Intelligence-telegram
sudo apt install python3-dev python3-venv
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
python3 run.py