| author | 尹姜谊 <[email protected]> | 2024-01-31 19:03:50 +0800 |
|---|---|---|
| committer | 尹姜谊 <[email protected]> | 2024-01-31 19:03:50 +0800 |
| commit | 70378b7136a94fdf62fbdec9d92d11b4bbf1f4cf (patch) | |
| tree | f814ccfab64e1f0cd11eddb6dbe437a4d3ad6cd9 /config24.01.yaml | |
| parent | 1cac7e7fb3590556b845bc96e0367ae974875403 (diff) | |
Modified: merge plugins belonging to the same vpn service
Diffstat (limited to 'config24.01.yaml')
| -rw-r--r-- | config24.01.yaml | 139 |
1 files changed, 57 insertions, 82 deletions
diff --git a/config24.01.yaml b/config24.01.yaml
index 543fb56..99dd798 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -3,6 +3,7 @@ common: time_zone: Asia/Shanghai recv_time_columnname: recv_time time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}')) + save_knowledgebase: False clickhouse: host: 192.168.44.30 
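Review bot: The added `save_knowledgebase: False` key under `common` has no comment saying what it gates, and the plugin entries later in this file read back from the knowledgebase through `kb_sql`, so presumably leaving it `False` makes those `ip` lookups depend on data written by an earlier run. A one-line comment above the key, such as `# save_knowledgebase: when True, persist plugin results to the knowledgebase tables queried by the kb_sql entries below` (adjusted to the actual behaviour), would make that dependency explicit to whoever flips the flag.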
@@ -37,132 +38,106 @@ knowledgebase: ### PLUGIN CONFIGS -hotspotvpn_serverip: +hotspotvpn: + plugin_name: hotspotvpn vpn_service_name: hotspotvpn plugin_id: 1 - plugin_name: hotspotvpn_serverip object_type: ip confidence: confirmed sql: SELECT server_ip, any(server_asn) AS asn, count(*) AS session_num, groupUniqArray(server_domain) as domains, length(domains) as domain_count, countDistinct(client_ip) AS cip_num FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY server_ip having domain_count >= 3 domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org -ipvanishvpn_servername: +ipvanishvpn: + plugin_name: ipvanishvpn vpn_service_name: ipvanishvpn plugin_id: 2 - plugin_name: ipvanishvpn_servername - object_type: domain confidence: confirmed - sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com' + domain: + object_type: domain + sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com' + ip: + object_type: ip + kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn' -ipvanishvpn_serverip: - vpn_service_name: ipvanishvpn +ivacyvpn: + plugin_name: ivacyvpn + vpn_service_name: ivacyvpn plugin_id: 3 - plugin_name: ipvanishvpn_serverip - object_type: ip confidence: confirmed - kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn' + domain: + object_type: domain + sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com' + ip: + object_type: ip + kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn' -psiphon3vpn_serverip: - vpn_service_name: psiphon3vpn +protonvpn: + plugin_name: protonvpn + 
vpn_service_name: protonvpn plugin_id: 4 - plugin_name: psiphon3vpn_serverip object_type: ip - confidence: + confidence: confirmed + sql: SELECT server_ip, groupUniqArray(server_port) AS ports FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194)) GROUP BY server_ip HAVING length(ports) > 10 -cyberghostvpn_servername: - vpn_service_name: cyberghostvpn + +cyberghostvpn: + plugin_name: cyberghost + vpn_service_name: cyberghost plugin_id: 5 - plugin_name: cyberghostvpn_servername - object_type: domain confidence: confirmed - sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja' + domain: + object_type: domain + sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja' + ip: + object_type: ip + kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn' -cyberghostvpn_serverip: - vpn_service_name: cyberghostvpn +windscribevpn: + plugin_name: windscribevpn + vpn_service_name: windscribevpn plugin_id: 6 - plugin_name: cyberghostvpn_serverip - object_type: ip confidence: confirmed - kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn' + domain: + object_type: domain + sql: SELECT DISTINCT server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter} and server_domain in ({$domain_list}) and server_fqdn like '%-%' ORDER BY server_fqdn ASC + domains: whiskergalaxy.com, totallyacdn.com + ip: + object_type: ip + kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'windscribevpn' -geckovpn_serverip: - vpn_service_name: geckovpn +turbovpn: + vpn_service_name: turbovpn plugin_id: 7 - plugin_name: geckovpn_serverip + plugin_name: turbovpn object_type: ip confidence: confirmed 
- sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%' - + security_table_name: security_event + security_policy_id: 3847 + sql: SELECT server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND has(security_rule_list, {$security_policy_id}) AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3 -ivacyvpn_servername: - vpn_service_name: ivacyvpn +geckovpn: + vpn_service_name: geckovpn plugin_id: 8 - plugin_name: ivacyvpn_servername - object_type: domain - confidence: confirmed - sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com' - - -ivacyvpn_serverip: - vpn_service_name: ivacyvpn - plugin_id: 9 - plugin_name: ivacyvpn_serverip + plugin_name: geckovpn object_type: ip confidence: confirmed - kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn' - - -turbovpn_serverip: - vpn_service_name: turbovpn - plugin_id: 10 - plugin_name: turbovpn_serverip - object_type: ip - confidence: confirmed - security_table_name: security_event - security_policy_id: 3847 - sql: SELECT server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND has(security_rule_list, {$security_policy_id}) AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3 + sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%' -vpnunlimited_serverip: +vpnunlimited: vpn_service_name: vpnunlimited plugin_id: 11 - plugin_name: vpnunlimited_serverip + plugin_name: vpnunlimited object_type: ip confidence: confirmed sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND server_domain in ({$domain_list}) domains: hurriwhilealivo.club, comcatches.live, 
cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live -windscribevpn_servername: - vpn_service_name: windscribevpn - plugin_id: 12 - plugin_name: windscribevpn_servername - object_type: domain - confidence: confirmed - sql: SELECT DISTINCT server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter} and server_domain in ({$domain_list}) and server_fqdn like '%-%' ORDER BY server_fqdn ASC - domains: whiskergalaxy.com, totallyacdn.com - - -windscribevpn_serverip: - vpn_service_name: windscribevpn - plugin_id: 13 - plugin_name: windscribevpn_serverip - object_type: ip - confidence: confirmed - kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'windscribevpn' - - -protonvpn_serverip: - vpn_service_name: protonvpn - plugin_id: 14 - plugin_name: protonvpn_serverip - object_type: ip - confidence: confirmed - sql: SELECT server_ip, groupUniqArray(server_port) AS ports FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194)) GROUP BY server_ip HAVING length(ports) > 10
\ No newline at end of file |
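Review bot: In the new `cyberghostvpn` block, `vpn_service_name` and `plugin_name` are changed to `cyberghost`, but its `ip.kb_sql` still selects `where vpn_service_name = 'cyberghostvpn'`, while every other merged plugin keeps that literal equal to its `vpn_service_name`; if the knowledgebase writer keys rows on `vpn_service_name`, the `domain` results would be stored under one name and read back under another, so the ip lookup returns nothing. Restoring `vpn_service_name: cyberghostvpn` (and `plugin_name: cyberghostvpn`) keeps the block consistent with its own key and kb_sql. The hunk also reassigns `plugin_id` values (ivacyvpn 8/9 → 3, protonvpn 14 → 4, windscribevpn 12/13 → 6, turbovpn 10 → 7, geckovpn 7 → 8) while leaving a gap before vpnunlimited's 11; if `plugin_id` is persisted alongside knowledgebase rows, existing records now map to different plugins, which the commit message should state or a migration should handle. The plugin schema is now mixed, with `ipvanishvpn`, `ivacyvpn`, `cyberghostvpn` and `windscribevpn` nesting `domain:`/`ip:` sub-blocks while `hotspotvpn`, `protonvpn`, `turbovpn`, `geckovpn` and `vpnunlimited` keep a flat `object_type`/`sql`, so a comment under `### PLUGIN CONFIGS` describing the two accepted layouts (and that `{$domain_list}` values are substituted into SQL and must be quoted by the loader) would help the next maintainer. Minor: the protonvpn port list repeats `5060`, and the new file ends without a trailing newline.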
