author尹姜谊 <[email protected]>2024-03-29 18:31:32 +0800
committer尹姜谊 <[email protected]>2024-03-29 18:31:32 +0800
commite9d1a027b12b0ecca261949053814827dd730f2a (patch)
tree8be1588a2bfbf7e927bf4f4b75c99a7ddb18f2a5
parent92de3042ad7206dfb3092bf46906da82c044b6a2 (diff)
Fix: cyberghost 监控识别加开关
-rw-r--r--config24.01.yaml3
-rw-r--r--detection/vpnservices/cyberghostvpn.py54
2 files changed, 30 insertions, 27 deletions
diff --git a/config24.01.yaml b/config24.01.yaml
index a26dbc8..54f3055 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -5,7 +5,7 @@ common:
time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
save_knowledgebase: True
active_scan: # max calls/s (rough estimate) = max workers * max_call_per_sec
- switch: on
+ switch: off
max_workers: 100
max_calls_per_sec: 100
protected_isp_list: ["google", "谷歌", "cloudflare", "microsoft", "alibaba", "amazon", "facebook","微软", "腾讯", "中国电信"] # isp关键词, 英文小写
@@ -108,6 +108,7 @@ cyberghostvpn:
ip:
object_type: ip
kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'
+ monitor_on: False
udp_monitor_app_name: Cyberghost-UDP
sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} and app_transition like '%{$udp_monitor_app_name}%'
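Review bot: The new `monitor_on` key on the `ip:` block carries no comment saying what it gates, unlike the neighbouring `active_scan` entry that documents its rate semantics inline. From the Python hunk in this commit it switches the session-record query by UDP payload feature on or off, so a one-line trailer such as `monitor_on: False  # when true, also query server IPs from session records by the UDP payload feature` would let an operator decide without reading the detector code. Note that with a YAML 1.1 loader (PyYAML) both `False` here and `off` in the first hunk parse as booleans, while a YAML 1.2 loader would read `off` as a string; if the loader is ever changed, the `switch` value should be checked.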
diff --git a/detection/vpnservices/cyberghostvpn.py b/detection/vpnservices/cyberghostvpn.py
index 4550a99..b68adb1 100644
--- a/detection/vpnservices/cyberghostvpn.py
+++ b/detection/vpnservices/cyberghostvpn.py
@@ -172,32 +172,34 @@ class CyberghostvpnServerip(VpnDetector):
# 根据udp探测行为获取IP
- self.logger.info('[{}] - Start to query server ip from session records according to udp payload feature.'.format(self.plugin_name))
-
- TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname',
- self.config['common'][
- 'recv_time_columnname'])
- time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str(
- self.end_time)).replace("{$time_zone}", self.time_zone)
- self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
- self.sql = self.sql.replace("{$time_filter}", time_filter)
- self.sql = self.sql.replace("{$udp_monitor_app_name}", self.plugin_config['ip']['udp_monitor_app_name'])
-
- self.logger.info("[{}] - Sql for {}: {}".format(self.plugin_name, self.plugin_name, self.sql))
-
- # query data from clickhouse database
- try:
- cyberghostvpn_serverip_df = pd.DataFrame(self.client.execute(self.sql))
- finally:
- self.client.disconnect()
-
- if cyberghostvpn_serverip_df.empty:
- self.logger.info('[{}] - No server ip found from session records'.format(self.plugin_name))
- else:
- cyberghostvpn_serverip_list = cyberghostvpn_serverip_df[0].drop_duplicates().tolist()
- self.logger.info('[{}] - Query server ip from clickhouse database successfully. {} items found'
- .format(self.plugin_name, len(cyberghostvpn_serverip_list)))
- resolved_ip_list.extend(cyberghostvpn_serverip_list)
+ if self.plugin_config['ip']['monitor_on']:
+
+ self.logger.info('[{}] - Start to query server ip from session records according to udp payload feature.'.format(self.plugin_name))
+
+ TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname',
+ self.config['common'][
+ 'recv_time_columnname'])
+ time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str(
+ self.end_time)).replace("{$time_zone}", self.time_zone)
+ self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
+ self.sql = self.sql.replace("{$time_filter}", time_filter)
+ self.sql = self.sql.replace("{$udp_monitor_app_name}", self.plugin_config['ip']['udp_monitor_app_name'])
+
+ self.logger.info("[{}] - Sql for {}: {}".format(self.plugin_name, self.plugin_name, self.sql))
+
+ # query data from clickhouse database
+ try:
+ cyberghostvpn_serverip_df = pd.DataFrame(self.client.execute(self.sql))
+ finally:
+ self.client.disconnect()
+
+ if cyberghostvpn_serverip_df.empty:
+ self.logger.info('[{}] - No server ip found from session records'.format(self.plugin_name))
+ else:
+ cyberghostvpn_serverip_list = cyberghostvpn_serverip_df[0].drop_duplicates().tolist()
+ self.logger.info('[{}] - Query server ip from clickhouse database successfully. {} items found'
+ .format(self.plugin_name, len(cyberghostvpn_serverip_list)))
+ resolved_ip_list.extend(cyberghostvpn_serverip_list)
result_ip_list = list(set(resolved_ip_list))
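Review bot: When `monitor_on` is False the whole block, including the `finally: self.client.disconnect()`, is skipped, so the connection that the old code always released is now left open on that path; if `self.client` is already connected before this point (the method's start is outside the hunk, so I can't confirm), the connection leaks on every run. An `else:` branch on the new `if`, `else:\n    self.client.disconnect()`, restores the previous cleanup, or the disconnect can move to a method-level `finally`. The guard itself uses direct indexing, `self.plugin_config['ip']['monitor_on']`, which raises `KeyError` for any deployment whose config predates this commit; `self.plugin_config['ip'].get('monitor_on', False)` keeps the default the shipped config chooses. Stylistically, re-indenting 26 lines under one `if` makes an already long method deeper; extracting the session-record query into a private helper (e.g. `_query_serverip_from_sessions()`) and calling it under the guard would keep the diff and the method readable. The enclosing method appears to continue past the last line of the hunk.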