From e9d1a027b12b0ecca261949053814827dd730f2a Mon Sep 17 00:00:00 2001
From: 尹姜谊
Date: Fri, 29 Mar 2024 18:31:32 +0800
Subject: Fix: cyberghost 监控识别加开关
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config24.01.yaml | 3 +-
 detection/vpnservices/cyberghostvpn.py | 54 ++++++++++++++++++----------------
 2 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/config24.01.yaml b/config24.01.yaml
index a26dbc8..54f3055 100644
--- a/config24.01.yaml
+++ b/config24.01.yaml
@@ -5,7 +5,7 @@ common:
 time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
 save_knowledgebase: True
 active_scan: # max calls/s (rough estimate) = max workers * max_call_per_sec
- switch: on
+ switch: off
 max_workers: 100
 max_calls_per_sec: 100
 protected_isp_list: ["google", "谷歌", "cloudflare", "microsoft", "alibaba", "amazon", "facebook","微软", "腾讯", "中国电信"] # isp关键词, 英文小写
@@ -108,6 +108,7 @@ cyberghostvpn:
 ip:
 object_type: ip
 kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'
+ monitor_on: False
 udp_monitor_app_name: Cyberghost-UDP
 sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} and app_transition like '%{$udp_monitor_app_name}%'
diff --git a/detection/vpnservices/cyberghostvpn.py b/detection/vpnservices/cyberghostvpn.py
index 4550a99..b68adb1 100644
--- a/detection/vpnservices/cyberghostvpn.py
+++ b/detection/vpnservices/cyberghostvpn.py
@@ -172,32 +172,34 @@ class CyberghostvpnServerip(VpnDetector):
 # 根据udp探测行为获取IP
- self.logger.info('[{}] - Start to query server ip from session records according to udp payload feature.'.format(self.plugin_name))
-
- TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname',
- self.config['common'][
- 'recv_time_columnname'])
- time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str(
- self.end_time)).replace("{$time_zone}", self.time_zone)
- self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
- self.sql = self.sql.replace("{$time_filter}", time_filter)
- self.sql = self.sql.replace("{$udp_monitor_app_name}", self.plugin_config['ip']['udp_monitor_app_name'])
-
- self.logger.info("[{}] - Sql for {}: {}".format(self.plugin_name, self.plugin_name, self.sql))
-
- # query data from clickhouse database
- try:
- cyberghostvpn_serverip_df = pd.DataFrame(self.client.execute(self.sql))
- finally:
- self.client.disconnect()
-
- if cyberghostvpn_serverip_df.empty:
- self.logger.info('[{}] - No server ip found from session records'.format(self.plugin_name))
- else:
- cyberghostvpn_serverip_list = cyberghostvpn_serverip_df[0].drop_duplicates().tolist()
- self.logger.info('[{}] - Query server ip from clickhouse database successfully. {} items found'
- .format(self.plugin_name, len(cyberghostvpn_serverip_list)))
- resolved_ip_list.extend(cyberghostvpn_serverip_list)
+ if self.plugin_config['ip']['monitor_on']:
+
+ self.logger.info('[{}] - Start to query server ip from session records according to udp payload feature.'.format(self.plugin_name))
+
+ TIME_FILTER_PATTERN = self.config['common']['time_filter_pattern'].replace('recv_time_columnname',
+ self.config['common'][
+ 'recv_time_columnname'])
+ time_filter = TIME_FILTER_PATTERN.replace("{$start_time}", str(self.start_time)).replace("{$end_time}", str(
+ self.end_time)).replace("{$time_zone}", self.time_zone)
+ self.sql = self.sql.replace("{$db_name}", self.dbname).replace("{$table_name}", self.table_name)
+ self.sql = self.sql.replace("{$time_filter}", time_filter)
+ self.sql = self.sql.replace("{$udp_monitor_app_name}", self.plugin_config['ip']['udp_monitor_app_name'])
+
+ self.logger.info("[{}] - Sql for {}: {}".format(self.plugin_name, self.plugin_name, self.sql))
+
+ # query data from clickhouse database
+ try:
+ cyberghostvpn_serverip_df = pd.DataFrame(self.client.execute(self.sql))
+ finally:
+ self.client.disconnect()
+
+ if cyberghostvpn_serverip_df.empty:
+ self.logger.info('[{}] - No server ip found from session records'.format(self.plugin_name))
+ else:
+ cyberghostvpn_serverip_list = cyberghostvpn_serverip_df[0].drop_duplicates().tolist()
+ self.logger.info('[{}] - Query server ip from clickhouse database successfully. {} items found'
+ .format(self.plugin_name, len(cyberghostvpn_serverip_list)))
+ resolved_ip_list.extend(cyberghostvpn_serverip_list)
 result_ip_list = list(set(resolved_ip_list))
-- cgit v1.2.3
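Review bot: The new guard at the top of the hunk subscripts `self.plugin_config['ip']['monitor_on']` directly, so any plugin config that predates this commit (the key is added here only to config24.01.yaml) raises KeyError instead of treating the monitor as off; `if self.plugin_config['ip'].get('monitor_on', False):` gives a safe default, and the config key is worth a comment saying it must be a bare YAML boolean, since a quoted `'False'` is a truthy string that would silently re-enable the query. When the switch is off the whole block including `finally: self.client.disconnect()` is skipped, so if `self.client` is already connected before this point (outside the hunk) the ClickHouse connection stays open — either disconnect on the off path too or confirm the client connects lazily. The query on the new side is still assembled by `str.replace` of config values into a LIKE pattern, unchanged by this commit, so a quote in `udp_monitor_app_name` breaks the statement; validating that value at config load would be cheap. The enclosing method starts and ends outside the hunk.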