author尹姜谊 <[email protected]>2024-01-23 11:18:07 +0800
committer尹姜谊 <[email protected]>2024-01-23 11:18:07 +0800
commit726c64c1d5d22ccbdd0f42883e4139ca94de578d (patch)
tree7e968d10f98a0542f6bdc8d40c75040c16fae22d
parentd338c06998d3051d3019a4b1c7ef468d43a85bf7 (diff)
Add: vpnunlimited_serverip plugin
-rw-r--r--config23.10.yaml18
-rw-r--r--config24.01.yaml12
-rw-r--r--detection/vpn_detector.py3
-rw-r--r--detection/vpnservices/vpnunlimited_serverip.py62
-rw-r--r--test/test_plugins.py21
-rw-r--r--version.txt2
6 files changed, 112 insertions, 6 deletions
diff --git a/config23.10.yaml b/config23.10.yaml
index a35b2fa..422ce11 100644
--- a/config23.10.yaml
+++ b/config23.10.yaml
@@ -5,11 +5,11 @@ common:
time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
clickhouse:
- host: 192.168.44.30
+ host: 192.168.40.194
port: 9001
username: default
- password: galaxy2019
- db_name: tsg_galaxy_v3
+ password: ceiec2021
+ db_name: tsg_galaxy_p19
table_name: session_record
mariadb:
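Review bot: The ClickHouse `host`, `username` and `password` on the `+ host:` and `+ password:` lines are committed in plaintext into config23.10.yaml, and the values they replace stay readable in history. Reading the password from an environment variable or from a secrets file that is excluded from the repository, e.g. a `password:` placeholder resolved at load time next to the existing `{$...}` substitution, would keep credentials out of version control; the already-committed values should be treated as exposed. The config block continues past the hunk, so any further credentials (the `mariadb:` section) should get the same treatment.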
@@ -128,4 +128,14 @@ turbovpn_serverip:
confidence: confirmed
security_table_name: security_event
security_policy_id: 3847
- sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3 \ No newline at end of file
+ sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3
+
+
+vpnunlimited_serverip:
+ vpn_service_name: vpnunlimited
+ plugin_id: 11
+ plugin_name: vpnunlimited_serverip
+ object_type: ip
+ confidence: confirmed
+ sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND common_server_domain in ({$domain_list})
+ domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live
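Review bot: The `domains:` entry is one comma-separated scalar that the plugin later splits, strips and wraps in single quotes before splicing it into the `sql` template, so a domain containing a quote or a stray comma silently changes the query; the same list is duplicated verbatim in config24.01.yaml (its vpnunlimited_serverip block). A YAML sequence (`domains:` followed by `- hurriwhilealivo.club` lines) would make each entry unambiguous and let the plugin iterate it directly, though that requires adjusting the plugin's `.split(',')`. Keeping the list in one shared file, or documenting that both configs must be updated together, would avoid the two copies drifting apart.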
diff --git a/config24.01.yaml b/config24.01.yaml
index 448dbeb..b342454 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -128,4 +128,14 @@ turbovpn_serverip:
confidence: confirmed
security_table_name: security_event
security_policy_id: 3847
- sql: SELECT server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND has(security_rule_list, {$security_policy_id}) AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3 \ No newline at end of file
+ sql: SELECT server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND has(security_rule_list, {$security_policy_id}) AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3
+
+
+vpnunlimited_serverip:
+ vpn_service_name: vpnunlimited
+ plugin_id: 11
+ plugin_name: vpnunlimited_serverip
+ object_type: ip
+ confidence: confirmed
+ sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND server_domain in ({$domain_list})
+ domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live
diff --git a/detection/vpn_detector.py b/detection/vpn_detector.py
index 866fa6d..45090ba 100644
--- a/detection/vpn_detector.py
+++ b/detection/vpn_detector.py
@@ -209,6 +209,9 @@ if __name__ == '__main__':
elif plugin_name == 'turbovpn_serverip':
from vpnservices.turbovpn_serverip import TurbovpnServerip
detector = TurbovpnServerip(start_time, end_time)
+ elif plugin_name == 'vpnunlimited_serverip':
+ from vpnservices.vpnunlimited_serverip import VpnunlimitedServerip
+ detector = VpnunlimitedServerip(start_time, end_time)
else:
print('Please input correct plugin name')
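Review bot: The added `elif plugin_name == 'vpnunlimited_serverip':` arm extends an if/elif chain that must be edited for every new plugin, and the local `from vpnservices... import` inside each arm is repeated in the same shape each time; this is a style point, the branch itself is correct. A dict that maps each allowed plugin name to its class, e.g. `PLUGINS = {'vpnunlimited_serverip': VpnunlimitedServerip, ...}` followed by `detector_cls = PLUGINS.get(plugin_name)`, keeps the set of loadable plugins explicit and closed (preferable to importing a module derived from the command-line name) and reduces the `else` to a single lookup failure. The enclosing `if __name__ == '__main__':` block starts outside the hunk.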
diff --git a/detection/vpnservices/vpnunlimited_serverip.py b/detection/vpnservices/vpnunlimited_serverip.py
new file mode 100644
index 0000000..97221b8
--- /dev/null
+++ b/detection/vpnservices/vpnunlimited_serverip.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# @Time : 2024/1/23 10:39
+# @author : yinjinagyi
+# @File : vpnunlimited_serverip.py
+# @Function:
+
+from vpn_detector import VpnDetector
+import pandas as pd
+
+class VpnunlimitedServerip(VpnDetector):
+ """
+
+ This class is used to detect vpnunlimited server ip
+ """
+
+ def __init__(self, start_time, end_time):
+ super().__init__(start_time, end_time)
+ self.plugin_config = self.load_config()['vpnunlimited_serverip']
+ self.plugin_id = self.plugin_config['plugin_id']
+ self.plugin_name = self.plugin_config['plugin_name']
+ self.object_type = self.plugin_config['object_type']
+ self.vpn_service_name = self.plugin_config['vpn_service_name']
+ self.confidence = self.plugin_config['confidence']
+ self.output_file_name = self.plugin_name + '_' + str(self.start_time).replace(' ', '_').replace(':', '')[:13] + '.csv'
+ self.start_time = start_time
+ self.end_time = end_time
+
+ self.sql = self.plugin_config['sql']
+ self.masquerede_domains = ["'"+i.strip()+"'" for i in self.plugin_config['domains'].split(',')]
+
+ def find_server(self):
+ """
+ Get vpnunlimited server ip from clickhouse database
+ :return: vpnunlimited server ip list
+ """
+ self.logger.info('Start to query vpnunlimited server ip from session records')
+
+ # construct query sql
+ TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname', self.config['common']['recv_time_columnname'])
+ time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str(
+ self.end_time)).replace("{$time_zone}", self.time_zone)
+ self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
+ self.sql = self.sql.replace("{$time_filter}", time_filter)
+ self.sql = self.sql.replace("{$domain_list}", ','.join(self.masquerede_domains))
+
+ self.logger.info("Sql for {}: {}".format(self.plugin_name, self.sql))
+
+ # query data from clickhouse database
+ try:
+ vpnunlimited_serverip_df = pd.DataFrame(self.client.execute(self.sql))
+ finally:
+ self.client.disconnect()
+
+ if vpnunlimited_serverip_df.empty:
+ self.logger.info('No vpnunlimited server ip found from session records')
+ return []
+ vpnunlimited_serverip_list = vpnunlimited_serverip_df[0].drop_duplicates().tolist()
+ self.logger.info('Query vpnunlimited server ip from clickhouse database successfully. {} items found'
+ .format(len(vpnunlimited_serverip_list)))
+
+ return vpnunlimited_serverip_list \ No newline at end of file
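Review bot: `find_server` rewrites `self.sql` in place on the `self.sql = self.sql.replace(...)` lines, so after the first call the template placeholders are gone and a second call on the same instance (after `self.client.disconnect()` has also run) cannot rebuild the query; building a local `sql` from the template keeps the instance reusable. The values spliced into that string are never checked: a domain from the `domains` config entry containing a single quote, or a `start_time`/`end_time` supplied on the command line, lands verbatim inside the ClickHouse query, so validate them in `__init__` before quoting (domains as bare hostnames, times via `datetime.fromisoformat`); if `self.client` is a clickhouse-driver `Client`, its `execute(sql, params)` with `%(name)s` placeholders would remove the hand-built quoting altogether — confirm which client class is used. In `__init__`, `self.output_file_name` reads `self.start_time` two lines before `self.start_time = start_time` is assigned, which only works if `VpnDetector.__init__` already sets it, in which case the two trailing assignments are redundant. `masquerede_domains` is presumably meant to be `masquerade_domains`, and the empty `# @Function:` header line should either state the purpose or be dropped.
```python
        # … unchanged: __init__ up to self.sql = self.plugin_config['sql'] …
        # only bare hostnames may be quoted into the IN (...) list
        domains = [d.strip() for d in self.plugin_config['domains'].split(',')]
        bad = [d for d in domains if not d or not all(c.isalnum() or c in '.-' for c in d)]
        if bad:
            raise ValueError('invalid domain(s) in vpnunlimited_serverip config: {}'.format(bad))
        self.masquerede_domains = ["'" + d + "'" for d in domains]

    def find_server(self):
        # … unchanged: docstring and start log …
        time_filter_pattern = self.config['common']['time_filter_pattern'].replace(
            'recv_time_columnname', self.config['common']['recv_time_columnname'])
        time_filter = (time_filter_pattern
                       .replace("{$start_time}", str(self.start_time))
                       .replace("{$end_time}", str(self.end_time))
                       .replace("{$time_zone}", self.time_zone))
        # local copy so the template in self.sql survives repeated calls
        sql = (self.sql
               .replace("{$db_name}", self.dbname)
               .replace("{$table_name}", self.table_name)
               .replace("{$time_filter}", time_filter)
               .replace("{$domain_list}", ','.join(self.masquerede_domains)))
        self.logger.info("Sql for {}: {}".format(self.plugin_name, sql))
        # … unchanged: client.execute / disconnect / result handling, using sql instead of self.sql …
```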
diff --git a/test/test_plugins.py b/test/test_plugins.py
index 08f8121..1cc1f4c 100644
--- a/test/test_plugins.py
+++ b/test/test_plugins.py
@@ -18,6 +18,7 @@ from ivacyvpn_serverip import IvacyvpnServerip
from ivacyvpn_servername import IvacyvpnServername
from detection.vpnservices.turbovpn_serverip import TurbovpnServerip
+from vpnunlimited_serverip import VpnunlimitedServerip
class TestHotspotvpnServerip(unittest.TestCase):
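Review bot: The new `from vpnunlimited_serverip import VpnunlimitedServerip` is a bare-module import placed directly under `from detection.vpnservices.turbovpn_serverip import TurbovpnServerip`, which uses the package path; the file visibly mixes both styles (the ivacyvpn lines above use the bare form), and the bare form only resolves when detection/vpnservices is on sys.path. Picking one form for all plugin imports, e.g. `from detection.vpnservices.vpnunlimited_serverip import VpnunlimitedServerip` to match the line above, would make the test module's path requirements consistent. The import block continues outside the hunk, so the dominant style should be checked there before choosing.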
@@ -189,6 +190,26 @@ class TestTurbovpnServerip(unittest.TestCase):
confidence=self.turbovpn_detector.confidence)
+class TestVpnunlimitedServerip(unittest.TestCase):
+
+ def setUp(self):
+ self.vpnunlimited_detector = VpnunlimitedServerip(start_time='2023-10-16 00:00:00',
+ end_time='2023-10-19 00:00:00')
+
+ def test_get_vpnunlimited_serverip(self):
+ self.result = self.vpnunlimited_detector.find_server()
+ print(self.result)
+
+ def test_save_to_knowledgebase(self):
+ self.vpnunlimited_detector.save_to_knowledgebase(object_type='ip',
+ object_list=self.vpnunlimited_detector.find_server(),
+ vpn_service_name=self.vpnunlimited_detector.vpn_service_name,
+ plugin_id=self.vpnunlimited_detector.plugin_id,
+ plugin_name=self.vpnunlimited_detector.plugin_name,
+ output_filename=self.vpnunlimited_detector.output_file_name,
+ confidence=self.vpnunlimited_detector.confidence)
+
+
if __name__ == '__main__':
# # 运行指定测试用例
suite = unittest.TestSuite()
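Review bot: Neither test in `TestVpnunlimitedServerip` asserts anything: `test_get_vpnunlimited_serverip` only prints the result, and `test_save_to_knowledgebase` writes to the knowledge base as a side effect, so the suite passes whatever `find_server` returns and both tests require a live ClickHouse connection (the `setUp` dates are a fixed 2023-10-16 window). At minimum `self.assertIsInstance(self.result, list)` plus `for ip in self.result: ipaddress.ip_address(ip)` would make the first test meaningful, and the write test belongs behind an integration marker or with `self.vpnunlimited_detector.client` replaced by a stub returning a fixed row list. The same pattern appears in the existing TestTurbovpnServerip class, whose body is outside the hunk.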
diff --git a/version.txt b/version.txt
index 1bbfb47..f5f8bff 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-24.01 \ No newline at end of file
+23.10 \ No newline at end of file