| author | 尹姜谊 <[email protected]> | 2024-04-17 09:50:42 +0800 |
|---|---|---|
| committer | 尹姜谊 <[email protected]> | 2024-04-17 09:50:42 +0800 |
| commit | 7fa88127a69a09a396d3e36f891fb5ae0311709f (patch) | |
| tree | e5e55b86703fad1d97db22c5c2a0c597b5e1a919 | |
| parent | e9d1a027b12b0ecca261949053814827dd730f2a (diff) | |
Modify:默认配置修改
| -rw-r--r-- | config23.10.yaml | 152 | ||||
| -rw-r--r-- | config24.01.yaml | 17 |
2 files changed, 8 insertions, 161 deletions
diff --git a/config23.10.yaml b/config23.10.yaml
deleted file mode 100644
index 7843c62..0000000
--- a/config23.10.yaml
+++ /dev/null
@@ -1,152 +0,0 @@
-common:
- output_path: data/
- time_zone: Asia/Shanghai
- recv_time_columnname: common_recv_time
- time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
- save_knowledgebase: True
- active_scan: # max calls/s (rough estimate) = max workers * max_call_per_sec
- switch: on
- max_workers: 100
- max_calls_per_sec: 100
-
-monitor:
- monitor_file_path: /opt/vpn-thwarting/vpn_knolwdgebase_monitor.prom
- outdated_days: 100 # outdated after Inactive for days. outdated results will not be monitored as effective results
- timezone_hour_gap: 8
-
-clickhouse:
- host: 192.168.40.194
- port: 9001
- username: default
- password: ceiec2021
- db_name: tsg_galaxy_p19
- table_name: session_record
-
-mariadb:
- host: 192.168.44.53
- port: 3306
- user: root
- pswd: 111111
- timezone_hour_gap: 8 # actual local timezone - mariadb timezone (hours)
- db_name: cn_api
- ip_table_name: cn_vpn_learning_ip
- domain_table_name: cn_vpn_learning_domain
-
-knowledgebase:
- host: 192.168.44.54:8090
- kb_username: learning_engine
- api_pin: 111111
- api_path: /v1/knowledgeBase/items/batch
- api_token: a2857bc21b01421b85953fc2c65b4d4c
- api_retry_times: 3
- api_timeout: 9999
- db_name: cn_api
- ip_library_name: vpn_learning_ip
- domain_library_name: vpn_learning_domain
-
-
-### PLUGIN CONFIGS
-
-hotspotvpn:
- plugin_name: hotspotvpn
- vpn_service_name: hotspotvpn
- plugin_id: 1
- object_type: ip
- confidence: confirmed
- sql: SELECT common_server_ip, any(common_server_asn) AS asn, count(*) AS session_num, groupUniqArray(common_server_domain) as domains, length(domains) as domain_count, countDistinct(common_client_ip) AS cip_num FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY common_server_ip having domain_count >= 3
- domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org
-
-
-ipvanishvpn:
- plugin_name: ipvanishvpn
- vpn_service_name: ipvanishvpn
- plugin_id: 2
- confidence: confirmed
- domain:
- object_type: domain
- sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
- ip:
- object_type: ip
- kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn'
-
-
-ivacyvpn:
- plugin_name: ivacyvpn
- vpn_service_name: ivacyvpn
- plugin_id: 3
- confidence: confirmed
- domain:
- object_type: domain
- sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com'
- ip:
- object_type: ip
- kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'
-
-
-protonvpn:
- plugin_name: protonvpn
- vpn_service_name: protonvpn
- plugin_id: 4
- object_type: ip
- confidence: confirmed
- sql: SELECT common_server_ip, groupUniqArray(common_server_port) AS ports FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (common_server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194)) GROUP BY common_server_ip HAVING length(ports) > 10
-
-
-
-cyberghostvpn:
- plugin_name: cyberghost
- vpn_service_name: cyberghost
- plugin_id: 5
- confidence: confirmed
- domain:
- object_type: domain
- sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
- ip:
- object_type: ip
- kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'
- udp_monitor_app_name: Cyberghost-UDP
- sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} and application_full_path like '%{$udp_monitor_app_name}%'
-
-
-windscribevpn:
- plugin_name: windscribevpn
- vpn_service_name: windscribevpn
- plugin_id: 6
- confidence: confirmed
- domain:
- object_type: domain
- sql: SELECT DISTINCT common_server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter} and common_server_domain in ({$domain_list}) and common_server_fqdn like '%-%' ORDER BY common_server_fqdn ASC
- domains: whiskergalaxy.com, totallyacdn.com
- ip:
- object_type: ip
- kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'windscribevpn'
-
-
-turbovpn:
- vpn_service_name: turbovpn
- plugin_id: 7
- plugin_name: turbovpn
- object_type: ip
- confidence: confirmed
- security_table_name: security_event
- security_policy_id: 3847
- sql: SELECT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3
-
-
-geckovpn:
- vpn_service_name: geckovpn
- plugin_id: 8
- plugin_name: geckovpn
- object_type: ip
- confidence: confirmed
- sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'
-
-
-vpnunlimited:
- vpn_service_name: vpnunlimited
- plugin_id: 9
- plugin_name: vpnunlimited
- object_type: ip
- confidence: confirmed
- sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND common_server_domain in ({$domain_list})
- domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live
\ No newline at end of file
diff --git a/config24.01.yaml b/config24.01.yaml
index 54f3055..c75e79b 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -1,6 +1,6 @@ common: output_path: data/ - time_zone: Asia/Shanghai + time_zone: Asia/Yangon recv_time_columnname: recv_time time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}')) save_knowledgebase: True
@@ -12,14 +12,13 @@ common: protected_ip_list: ['8.8.8.8', '8.8.4.4', '1.1.1.1', '255.255.255.255', '0.0.0.0', '127.*'] monitor: - monitor_file_path: /Users/joy/Downloads/vpn_thwarting_monitor.prom -# monitor_file_path: /opt/vpn-finder-plugins/prom/vpn_plugin_knowledgebase_monitor.prom + monitor_file_path: /opt/vpn-finder-plugins/prom/vpn_plugin_knowledgebase_monitor.prom outdated_days: 100 # outdated after Inactive for days. outdated results will not be monitored as effective results timezone_hour_gap: 8 clickhouse: - host: 192.168.44.30 + host: 10.160.12.21 port: 9001 username: default password: galaxy2019
@@ -28,7 +27,7 @@ clickhouse: security_table_name: security_event mariadb: - host: 192.168.44.113 + host: 10.160.12.3 port: 3306 user: root pswd: galaxy2019
@@ -37,9 +36,9 @@ mariadb: domain_table_name: cn_vpn_learning_domain knowledgebase: - host: 192.168.44.53:8090 - kb_username: learning_engine - api_pin: 111111 + host: 10.160.12.3:8090 + kb_username: + api_pin: api_path: /v1/knowledgeBase/items/batch api_token: a2857bc21b01421b85953fc2c65b4d4c api_retry_times: 3
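Review bot: `time_zone` becomes Asia/Yangon, which is UTC+06:30, while `timezone_hour_gap: 8` in the monitor section of the following hunk is left as it was; if that gap is meant to be the offset of the same local zone, an integer hour field cannot express the half-hour and the monitor's "outdated after N days" arithmetic would drift. The deleted config23.10.yaml described the mariadb gap as `actual local timezone - mariadb timezone (hours)`, which suggests these settings are expected to agree. Either derive the gap from `time_zone` in the loader, or state the assumption next to it, e.g. `timezone_hour_gap: 8  # offset between this host's clock and the DB clock; NOT derived from common.time_zone`. The mariadb section's own gap, if config24.01.yaml still has one, is outside the hunks shown.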
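Review bot: The new ClickHouse endpoint `host: 10.160.12.21` is committed right above the unchanged `username: default` / `password: galaxy2019` lines, so this hunk ties a plaintext credential for the built-in `default` account to what looks like a production host, and the same password is reused as the MariaDB `pswd` in the next hunk. Keep hosts in the file but take secrets from the environment or a secrets store at load time, e.g. `password: ${CLICKHOUSE_PASSWORD}`, if the config loader (not in this diff) supports expansion, and rotate `galaxy2019` since it is already in history. A dedicated read-only ClickHouse user for the detection queries would also be preferable to `default`.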
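Review bot: The relocated MariaDB host keeps `user: root` with the shared plaintext `pswd: galaxy2019`; the `kb_sql` entries in the deleted config23.10.yaml only read the `cn_api` learning tables, and nothing in this diff shows the job needing more than that, so an account granted only on `cn_api` would contain the damage if this tracked file leaks. Consider `pswd: ${MARIADB_PASSWORD}` or an equivalent secret reference as well, if the loader supports it. Whether any plugin needs DDL or cross-database access is not visible here.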
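Review bot: `kb_username:` and `api_pin:` are emptied rather than removed, so they now load as YAML null, while `api_token: a2857bc21b01421b85953fc2c65b4d4c` on the next context line is kept — and it is the same token the deleted config23.10.yaml carried, so the secret this hunk appears to scrub is still in the file and in history. If the token alone authenticates to `/v1/knowledgeBase/items/batch`, rotate it and load it from the environment; if username and pin are genuinely unused now, drop the keys, since a null forwarded as a header or form value can become the literal string `None`. How the loader treats the null values is not visible in this diff.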
@@ -133,7 +132,7 @@ turbovpn: plugin_name: turbovpn object_type: ip confidence: confirmed - sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (app_transition LIKE '%Turbo_Payload%') UNION ALL select server_ip from {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port in (66, 109, 8080, 97, 94, 92, 21, 25, 110, 119, 2000, 2001)) AND decoded_as='BASE' and sent_bytes<1000 AND received_bytes<1000 and sent_pkts<10 and received_pkts<10 and server_asn in ('14061', '21859', '9009', '212238', '16276', '40021', '20473', '174', '138915', '12876') group by server_ip having count(*) >10 + sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (app_transition LIKE '%Turbo_Payload%') UNION ALL select server_ip from {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port in (66, 109, 8080, 97, 94, 92, 21, 25, 110, 119, 2000, 2001)) AND decoded_as='BASE' and sent_bytes<1000 AND received_bytes<1000 and sent_pkts<10 and received_pkts<10 and server_asn in ('14061', '21859', '9009', '212238', '16276', '40021', '20473', '174', '138915', '12876') group by server_ip having count(*) >=10 geckovpn: |
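Review bot: The first branch of the `UNION ALL` (`SELECT server_ip ... LIKE '%Turbo_Payload%'`) has neither `DISTINCT` nor a `GROUP BY`, so it returns one row per matching session and the union will repeat the same server_ip many times next to the grouped second branch; `SELECT DISTINCT server_ip` there (or `UNION` instead of `UNION ALL`) keeps the result a set, unless the consumer de-duplicates, which this diff does not show. The `>=10` threshold, the byte/packet ceilings and the ASN list are undocumented magic numbers; a YAML comment above `sql:` stating the heuristic (many short, tiny flows to a host in the listed ASNs on these ports) and why 10 was chosen would help whoever tunes it next. The `geckovpn:` section continues outside the hunk.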
