author尹姜谊 <[email protected]>2024-01-23 10:12:59 +0800
committer尹姜谊 <[email protected]>2024-01-23 10:12:59 +0800
commit6ba8db34d295086a294c15f888b6ec0a928e87f4 (patch)
tree141adfd9ace9af8f4e69045355edcbb42e798aa5 /config23.10.yaml
parente9188b4443008917e71b81cd5221346af809cf8c (diff)
Add: ActiveObtainer
Diffstat (limited to 'config23.10.yaml')
-rw-r--r--config23.10.yaml131
1 files changed, 131 insertions, 0 deletions
diff --git a/config23.10.yaml b/config23.10.yaml
new file mode 100644
index 0000000..a35b2fa
--- /dev/null
+++ b/config23.10.yaml
@@ -0,0 +1,131 @@
+common:
+ output_path: data/
+ time_zone: Asia/Shanghai
+ recv_time_columnname: common_recv_time
+ time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
+
+clickhouse:
+ host: 192.168.44.30
+ port: 9001
+ username: default
+ password: galaxy2019
+ db_name: tsg_galaxy_v3
+ table_name: session_record
+
+mariadb:
+ host: 192.168.44.53
+ port: 3306
+ user: root
+ pswd: 111111
+ timezone_hour_gap: 8 # actual local timezone - mariadb timezone (hours)
+ db_name: cn_api
+ ip_table_name: cn_vpn_learning_ip
+ domain_table_name: cn_vpn_learning_domain
+
+knowledgebase:
+ host: 192.168.44.54:8090
+ kb_username: learning_engine
+ api_pin: 111111
+ api_path: /v1/knowledgeBase/items/batch
+ api_token: a2857bc21b01421b85953fc2c65b4d4c
+ api_retry_times: 3
+ api_timeout: 9999
+ db_name: cn_api
+ ip_library_name: vpn_learning_ip
+ domain_library_name: vpn_learning_domain
+
+
+### PLUGIN CONFIGS
+
+hotspotvpn_serverip:
+ vpn_service_name: hotspotvpn
+ plugin_id: 1
+ plugin_name: hotspotvpn_serverip
+ object_type: ip
+ confidence: confirmed
+ sql: SELECT common_server_ip, any(common_server_asn) AS asn, count(*) AS session_num, groupUniqArray(common_server_domain) as domains, length(domains) as domain_count, countDistinct(common_client_ip) AS cip_num FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY common_server_ip having domain_count >= 3
+ domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org
+
+
+ipvanishvpn_servername:
+ vpn_service_name: ipvanishvpn
+ plugin_id: 2
+ plugin_name: ipvanishvpn_servername
+ object_type: domain
+ confidence: confirmed
+ sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
+
+
+ipvanishvpn_serverip:
+ vpn_service_name: ipvanishvpn
+ plugin_id: 3
+ plugin_name: ipvanishvpn_serverip
+ object_type: ip
+ confidence: confirmed
+ kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn'
+
+
+psiphon3vpn_serverip:
+ vpn_service_name: psiphon3vpn
+ plugin_id: 4
+ plugin_name: psiphon3vpn_serverip
+ object_type: ip
+ confidence:
+
+
+cyberghostvpn_servername:
+ vpn_service_name: cyberghostvpn
+ plugin_id: 5
+ plugin_name: cyberghostvpn_servername
+ object_type: domain
+ confidence: confirmed
+ sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
+
+
+cyberghostvpn_serverip:
+ vpn_service_name: cyberghostvpn
+ plugin_id: 6
+ plugin_name: cyberghostvpn_serverip
+ object_type: ip
+ confidence: confirmed
+ kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'
+
+
+geckovpn_serverip:
+ vpn_service_name: geckovpn
+ plugin_id: 7
+ plugin_name: geckovpn_serverip
+ object_type: ip
+ confidence: confirmed
+ sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'
+
+
+
+ivacyvpn_servername:
+ vpn_service_name: ivacyvpn
+ plugin_id: 8
+ plugin_name: ivacyvpn_servername
+ object_type: domain
+ confidence: confirmed
+ sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com'
+
+
+
+ivacyvpn_serverip:
+ vpn_service_name: ivacyvpn
+ plugin_id: 9
+ plugin_name: ivacyvpn_serverip
+ object_type: ip
+ confidence: confirmed
+ kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'
+
+
+turbovpn_serverip:
+ vpn_service_name: turbovpn
+ plugin_id: 10
+ plugin_name: turbovpn_serverip
+ object_type: ip
+ confidence: confirmed
+ security_table_name: security_event
+ security_policy_id: 3847
+ sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3 \ No newline at end of file
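Review bot: The new file commits live credentials in plaintext — `clickhouse.password`, `mariadb.pswd`, `knowledgebase.api_pin` and `knowledgebase.api_token` — so they are now permanently in repository history; these should be read from environment variables or a secret store and the committed values rotated, with a comment such as `# password: set via CLICKHOUSE_PASSWORD env var, never commit` left in their place. Independently of that, `pswd: 111111` and `api_pin: 111111` are parsed as integers rather than strings by any YAML loader, which will break a driver that expects `str`; quote them (`pswd: "111111"`) as for any number-looking identifier. `confidence:` under `psiphon3vpn_serverip` is a bare empty value and loads as `null`, unlike every other plugin's `confirmed` — presumably unintended, so either fill it in or write `confidence: null` explicitly with a comment saying the plugin is disabled. The SQL values are built by substituting `{$...}` placeholders into the statement text; as long as every substituted value comes from this file rather than from external input that is acceptable, but a note on `sql:` stating that assumption would help the next maintainer.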