| author | 尹姜谊 <[email protected]> | 2024-01-17 20:33:39 +0800 |
|---|---|---|
| committer | 尹姜谊 <[email protected]> | 2024-01-17 20:33:39 +0800 |
| commit | e9188b4443008917e71b81cd5221346af809cf8c (patch) | |
| tree | 11c91afb2ce1d65b09e923a09265c78298832370 | |
| parent | 7702b2b3c451d59920be2483096761570f6b77f1 (diff) | |
Add: turbovpn_serverip plugin
| -rw-r--r-- | config.yaml | 19 | ||||
| -rw-r--r-- | detection/vpn_detector.py | 3 | ||||
| -rw-r--r-- | detection/vpnservices/turbovpn_serverip.py | 61 | ||||
| -rw-r--r-- | test/test_plugins.py | 22 |
4 files changed, 100 insertions, 5 deletions
diff --git a/config.yaml b/config.yaml index f2d42e3..9ac560f 100644 --- a/config.yaml +++ b/config.yaml @@ -5,11 +5,11 @@ common: time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}')) clickhouse: - host: 192.168.40.194 + host: 192.168.44.30 port: 9001 username: default - password: ceiec2021 - db_name: tsg_galaxy_p19 + password: galaxy2019 + db_name: tsg_galaxy_v3 table_name: session_record mariadb: @@ -115,4 +115,15 @@ ivacyvpn_serverip: plugin_name: ivacyvpn_serverip object_type: ip confidence: confirmed - kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'
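Review bot: The rotated ClickHouse credentials are still plaintext in a tracked file — `- password: ceiec2021` / `+ password: galaxy2019` means both the old and the new secret are now recoverable from git history, and the old one has to be treated as burned rather than merely replaced. Prefer a placeholder that the loader resolves at runtime, e.g. `password: ${CLICKHOUSE_PASSWORD}`, with the real value in an untracked override file or a secret store; `load_config()` (called from the new plugin) is outside this hunk, so it may need a small change to expand such placeholders. A one-line comment above `clickhouse:` saying where the real credentials are kept would stop the next rotation from repeating this.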
\ No newline at end of file
+ kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'
+
+
+turbovpn_serverip:
+ vpn_service_name: turbovpn
+ plugin_id: 10
+ plugin_name: turbovpn_serverip
+ object_type: ip
+ confidence: confirmed
+ security_table_name: security_event
+ security_policy_id: 3847
+ sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3
\ No newline at end of file
diff --git a/detection/vpn_detector.py b/detection/vpn_detector.py
index 3347292..866fa6d 100644
--- a/detection/vpn_detector.py
+++ b/detection/vpn_detector.py
@@ -206,6 +206,9 @@ if __name__ == '__main__':
 elif plugin_name == 'ivacyvpn_serverip':
 from vpnservices.ivacyvpn_serverip import IvacyvpnServerip
 detector = IvacyvpnServerip(start_time, end_time)
+ elif plugin_name == 'turbovpn_serverip':
+ from vpnservices.turbovpn_serverip import TurbovpnServerip
+ detector = TurbovpnServerip(start_time, end_time)
 else:
 print('Please input correct plugin name')
diff --git a/detection/vpnservices/turbovpn_serverip.py b/detection/vpnservices/turbovpn_serverip.py
new file mode 100644
index 0000000..83f070c
--- /dev/null
+++ b/detection/vpnservices/turbovpn_serverip.py
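Review bot: The new `turbovpn_serverip` entry labels a purely heuristic rule `confidence: confirmed`: its `sql` keeps any `common_server_ip` seen under policy `3847` on more than three of six fixed ports (`66, 109, 8080, 97, 94, 92`) within the window, which is a behavioural signature, not a confirmation, and a false positive here is written straight into the knowledge base as an IP. Either lower the confidence or at least document the rule so the threshold is not tuned blindly — a YAML comment above `sql:` along the lines of `# heuristic: TurboVPN servers answer on a fixed set of non-standard ports; keep an IP only if >3 distinct ports from the list are seen (policy 3847 = <name the policy here>)`. If the backend is ClickHouse as the `clickhouse:` section suggests, `uniqExact(common_server_port) > 3` expresses the `having` clause without materialising the array; confirm the function is available on the deployed version before switching.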
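Review bot: The added `elif plugin_name == 'turbovpn_serverip':` branch makes the `__main__` dispatcher the third place a plugin has to be registered (module, `config.yaml` key, and this chain), each with an import plus a constructor call that differs only by name. A dict of `plugin_name -> class`, or `importlib.import_module('vpnservices.' + plugin_name)` after checking the name against the keys loaded from `config.yaml`, would remove the need to touch this file per plugin while keeping the `else: print('Please input correct plugin name')` path for unknown names. The enclosing `__main__` block begins and ends outside the hunk, so where `plugin_name`, `start_time` and `end_time` come from is not visible here.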
@@ -0,0 +1,61 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# @Time : 2024/1/17 18:09 +# @author : yinjinagyi +# @File : turbovpn_serverip.py +# @Function: + +import pandas as pd +from vpn_detector import VpnDetector + +class TurbovpnServerip(VpnDetector): + """ + This class is used to detect turbovpn server ip + """ + + def __init__(self, start_time, end_time): + super().__init__(start_time, end_time) + self.plugin_config = self.load_config()['turbovpn_serverip'] + self.plugin_id = self.plugin_config['plugin_id'] + self.plugin_name = self.plugin_config['plugin_name'] + self.object_type = self.plugin_config['object_type'] + self.vpn_service_name = self.plugin_config['vpn_service_name'] + self.confidence = self.plugin_config['confidence'] + self.output_file_name = self.plugin_name + '_' + str(self.start_time).replace(' ', '_').replace(':', '')[:13] + '.csv' + self.start_time = start_time + self.end_time = end_time + + self.sql = self.plugin_config['sql'] + + def find_server(self): + """ + Get turbovpn server ip from clickhouse database + :return: turbovpn server ip list + """ + self.logger.info('Start to query turbovpn server ip from session record') + + # construct query sql + TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname', self.config['common']['recv_time_columnname']) + time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str( + self.end_time)).replace("{$time_zone}", self.time_zone) + self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name) + self.sql = self.sql.replace("{$time_filter}", time_filter) + + self.sql = self.sql.replace("{$security_table_name}", self.plugin_config['security_table_name'])\ + .replace("{$security_policy_id}", str(self.plugin_config['security_policy_id'])) + + self.logger.info("Sql for {}: {}".format(self.plugin_name, self.sql)) + + # query data from clickhouse database + try: + 
turbovpn_serverip_df = pd.DataFrame(self.client.execute(self.sql)) + finally: + self.client.disconnect() + + if turbovpn_serverip_df.empty: + self.logger.info('No turbovpn server ip found from clickhouse database') + return [] + turbovpn_serverip_list = turbovpn_serverip_df[0].drop_duplicates().tolist() + self.logger.info('Query turbovpn server ip from clickhouse database successfully. {} items found' + .format(len(turbovpn_serverip_list))) + return turbovpn_serverip_list diff --git a/test/test_plugins.py b/test/test_plugins.py index 4287568..6e4dcdf 100644 --- a/test/test_plugins.py +++ b/test/test_plugins.py @@ -17,6 +17,8 @@ from ipvanishvpn_servername import IpvanishvpnServername from ivacyvpn_serverip import IvacyvpnServerip from ivacyvpn_servername import IvacyvpnServername +from detection.vpnservices.turbovpn_serverip import TurbovpnServerip + class TestHotspotvpnServerip(unittest.TestCase): @@ -166,4 +168,22 @@ class TestIvacyvpnServerip(unittest.TestCase): plugin_id=self.ivacyvpn_detector.plugin_id, plugin_name=self.ivacyvpn_detector.plugin_name, output_filename=self.ivacyvpn_detector.output_file_name, - confidence=self.ivacyvpn_detector.confidence)
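Review bot: `find_server` assembles the statement with `str.replace`, splicing `self.start_time`, `self.end_time` and `self.time_zone` verbatim into the `toDateTime('...')` literals of `time_filter_pattern` and then running it via `self.client.execute(self.sql)`; a value containing a quote breaks or alters the query, and the values arrive from the `__main__` dispatcher whose input source is outside this hunk. Validate both bounds before substitution, e.g. `datetime.strptime(str(self.start_time), '%Y-%m-%d %H:%M:%S')` and the same for `self.end_time` (raising on failure), or pass them as driver parameters if the client supports them. Two smaller points: the log line says `from session record` while the query reads `{$security_table_name}` (`security_event`), so `self.logger.info('Start to query turbovpn server ip from security events')` would be accurate; and `self.output_file_name` is computed from `self.start_time` before `self.start_time = start_time` is assigned, so it relies on the base `__init__` having set the attribute — either drop the redundant reassignment or move the filename line after it.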
\ No newline at end of file
+ confidence=self.ivacyvpn_detector.confidence)
+
+class TestTurbovpnServerip(unittest.TestCase):
+
+ def setUp(self):
+ self.turbovpn_detector = TurbovpnServerip(start_time='2024-01-17 00:00:00',
+ end_time='2024-01-18 00:00:00')
+
+ def test_get_turbovpn_serverip(self):
+ self.result = self.turbovpn_detector.find_server()
+
+ def test_save_to_knowledgebase(self):
+ self.turbovpn_detector.save_to_knowledgebase(object_type='ip',
+ object_list=self.turbovpn_detector.find_server(),
+ vpn_service_name=self.turbovpn_detector.vpn_service_name,
+ plugin_id=self.turbovpn_detector.plugin_id,
+ plugin_name=self.turbovpn_detector.plugin_name,
+ output_filename=self.turbovpn_detector.output_file_name,
+ confidence=self.turbovpn_detector.confidence)
\ No newline at end of file |
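Review bot: The new import `from detection.vpnservices.turbovpn_serverip import TurbovpnServerip` uses a package path while the sibling lines right above it (`from ivacyvpn_serverip import IvacyvpnServerip`) use bare module names, and `turbovpn_serverip.py` itself does `from vpn_detector import VpnDetector`, so `detection/` must already be on `sys.path` for the module to load at all; `from turbovpn_serverip import TurbovpnServerip` placed with the others keeps one import convention in the suite. `test_get_turbovpn_serverip` asserts nothing, so add `self.assertIsInstance(self.result, list)` to make it fail on something other than an exception. Both methods call `find_server()` against the live ClickHouse from `config.yaml` and `test_save_to_knowledgebase` then writes the result into the knowledge base for a fixed 2024-01-17 window, so the test mutates shared state and its outcome depends on what traffic that day contained; a stubbed `client` or a marker that keeps it out of the default run would make this safe to execute in CI.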
