From b0484623c1e41dcafe9bd28faf01dc95ca091903 Mon Sep 17 00:00:00 2001
From: 尹姜谊
Date: Thu, 14 Mar 2024 09:33:45 +0800
Subject: Modify: turbovpn新增udp payload识别,需预定义Turbo_UDP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config24.01.yaml | 3 ++-
 data/turbovpn/turbovpn-ip_2024-03-12_20.csv | 7 +++++++
 data/turbovpn/turbovpn-ip_2024-03-13_00.csv | 18 ++++++++++++++++++
 data/turbovpn/turbovpn-ip_2024-03-13_19.csv | 7 +++++++
 detection/vpnservices/turbovpn.py | 1 +
 5 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 data/turbovpn/turbovpn-ip_2024-03-12_20.csv
 create mode 100644 data/turbovpn/turbovpn-ip_2024-03-13_00.csv
 create mode 100644 data/turbovpn/turbovpn-ip_2024-03-13_19.csv
diff --git a/config24.01.yaml b/config24.01.yaml
index 47a7c42..606c8fe 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -23,6 +23,7 @@ clickhouse:
 password: galaxy2019
 db_name: tsg_galaxy_v3
 table_name: session_record
+ security_table_name: security_event
 mariadb:
 host: 192.168.44.53
@@ -128,7 +129,7 @@ turbovpn:
 plugin_name: turbovpn
 object_type: ip
 confidence: confirmed
- sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3
+ sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY server_ip having length(groupUniqArray(server_port))>3 UNION ALL SELECT server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND (app_transition LIKE '%Turbo_UDP%')
 geckovpn:
diff --git a/data/turbovpn/turbovpn-ip_2024-03-12_20.csv b/data/turbovpn/turbovpn-ip_2024-03-12_20.csv
new file mode 100644
index 0000000..a46f3be
--- /dev/null
+++ b/data/turbovpn/turbovpn-ip_2024-03-12_20.csv
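Review bot: In the new `sql` value of the `turbovpn` hunk, `LIKE '%Turbo_UDP%'` treats `_` as a single-character wildcard, so the predicate also matches any value with one arbitrary character between `Turbo` and `UDP`; escape the underscore (`LIKE '%Turbo\_UDP%'`) or match the literal token with `position(app_transition, 'Turbo_UDP') > 0`. The second branch of the `UNION ALL` has no `GROUP BY` or `DISTINCT`, so a server_ip with many matching security events is emitted once per event, and again if it already passed the port-count branch; `SELECT DISTINCT server_ip FROM {$db_name}.{$security_table_name} WHERE ...` keeps the result one row per address. The `{$time_filter}` written for the session table is reused against the security table; if that table's time column is named differently, this branch fails at query time, which is worth confirming before rollout.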
@@ -0,0 +1,7 @@
+addr_format,ip1,ip2,plugin_id,plugin_name,vpn_service_name,method,confidence,is_valid
+Single,165.227.91.243,165.227.91.243,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,96.126.100.78,96.126.100.78,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,137.184.55.151,137.184.55.151,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,143.198.168.208,143.198.168.208,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,134.209.212.4,134.209.212.4,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,162.243.1.80,162.243.1.80,7,turbovpn,turbovpn,passive_ml,confirmed,1
diff --git a/data/turbovpn/turbovpn-ip_2024-03-13_00.csv b/data/turbovpn/turbovpn-ip_2024-03-13_00.csv
new file mode 100644
index 0000000..bc1973c
--- /dev/null
+++ b/data/turbovpn/turbovpn-ip_2024-03-13_00.csv
@@ -0,0 +1,18 @@
+addr_format,ip1,ip2,plugin_id,plugin_name,vpn_service_name,method,confidence,is_valid
+Single,192.241.241.129,192.241.241.129,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,162.243.5.116,162.243.5.116,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,104.248.15.166,104.248.15.166,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,198.199.114.225,198.199.114.225,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,157.245.218.82,157.245.218.82,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,192.241.192.5,192.241.192.5,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,167.71.102.90,167.71.102.90,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,162.243.5.152,162.243.5.152,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,96.126.100.78,96.126.100.78,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,162.243.1.80,162.243.1.80,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,159.89.180.216,159.89.180.216,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,192.241.246.124,192.241.246.124,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,137.184.55.151,137.184.55.151,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,143.198.121.152,143.198.121.152,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,165.227.91.243,165.227.91.243,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,143.198.168.208,143.198.168.208,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,134.209.212.4,134.209.212.4,7,turbovpn,turbovpn,passive_ml,confirmed,1
diff --git a/data/turbovpn/turbovpn-ip_2024-03-13_19.csv b/data/turbovpn/turbovpn-ip_2024-03-13_19.csv
new file mode 100644
index 0000000..2101494
--- /dev/null
+++ b/data/turbovpn/turbovpn-ip_2024-03-13_19.csv
@@ -0,0 +1,7 @@
+addr_format,ip1,ip2,plugin_id,plugin_name,vpn_service_name,method,confidence,is_valid
+Single,134.209.212.4,134.209.212.4,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,165.227.91.243,165.227.91.243,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,96.126.100.78,96.126.100.78,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,137.184.55.151,137.184.55.151,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,143.198.168.208,143.198.168.208,7,turbovpn,turbovpn,passive_ml,confirmed,1
+Single,162.243.1.80,162.243.1.80,7,turbovpn,turbovpn,passive_ml,confirmed,1
diff --git a/detection/vpnservices/turbovpn.py b/detection/vpnservices/turbovpn.py
index 0266cd2..a8eef71 100644
--- a/detection/vpnservices/turbovpn.py
+++ b/detection/vpnservices/turbovpn.py
@@ -42,6 +42,7 @@ class Turbovpn(VpnDetector):
 self.end_time)).replace("{$time_zone}", self.time_zone)
 self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
 self.sql = self.sql.replace("{$time_filter}", time_filter)
+ self.sql = self.sql.replace("{$security_table_name}", self.config['clickhouse']['security_table_name'])
 # self.sql = self.sql.replace("{$security_table_name}", self.plugin_config['security_table_name'])\
 # .replace("{$security_policy_id}", str(self.plugin_config['security_policy_id']))
--
cgit v1.2.3
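Review bot: The added line in turbovpn.py indexes `self.config['clickhouse']['security_table_name']` directly, so a deployment whose config file still lacks the new key fails here with a bare `KeyError` instead of a message naming the missing setting; since the commit message says the key must be predefined, make that requirement explicit: `security_table = self.config['clickhouse'].get('security_table_name')` / `if not security_table: raise ValueError("clickhouse.security_table_name is required by the turbovpn sql")` / `self.sql = self.sql.replace("{$security_table_name}", security_table)`. The two commented-out lines directly below now describe a stale source for the same placeholder (`self.plugin_config[...]` plus a `security_policy_id` that the new SQL does not use) and should be deleted rather than kept beside the live replacement. The sibling placeholders are substituted from attributes (`self.dbname`, `self.table_name`), so storing the table name the same way would presumably keep the block consistent, though where those attributes are set is not visible here. The enclosing method begins before this hunk.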