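---
# Configuration for the vpn-finder plugins: shared settings (common), backend
# connections (clickhouse, mariadb, knowledgebase) and one stanza per
# detection plugin. `{$name}` placeholders inside the SQL strings appear to be
# substituted by the loader before the query runs — confirm against the consumer.
#
# NOTE(review): this file holds plaintext credentials (clickhouse.password,
# mariadb.pswd, knowledgebase.api_token) and internal addresses. They should be
# injected from the environment or a secret store instead of being committed
# with the config, and rotated if this file has already been distributed.

common:
  output_path: data/
  time_zone: Asia/Yangon
  recv_time_columnname: recv_time
  # Time-window predicate; '{$start_time}' / '{$end_time}' are filled in by the consumer.
  time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
  save_knowledgebase: true
  active_scan:
    # max calls/s (rough estimate) = max_workers * max_calls_per_sec
    # "off" is a boolean (false) under YAML 1.1 loaders but a plain string
    # under YAML 1.2 loaders. Left unchanged because the consumer's loader is
    # not visible here; confirm before rewriting it as true/false.
    switch: off
    max_workers: 100
    max_calls_per_sec: 100
    # ISP keywords; English entries in lowercase. Presumably excluded from the
    # active scan — confirm against the scanner.
    protected_isp_list: ["google", "谷歌", "cloudflare", "microsoft", "alibaba", "amazon", "facebook", "微软", "腾讯", "中国电信"]
    # Addresses excluded from the active scan; '127.*' is a glob, not an IP.
    protected_ip_list: ['8.8.8.8', '8.8.4.4', '1.1.1.1', '255.255.255.255', '0.0.0.0', '127.*']
  monitor:
    # .prom output file; looks like a Prometheus textfile — confirm with the exporter setup.
    monitor_file_path: /opt/vpn-finder-plugins/prom/vpn_plugin_knowledgebase_monitor.prom
    # Results inactive for this many days are treated as outdated and are no
    # longer counted as effective results in monitoring.
    outdated_days: 100
    # Hour offset applied to timestamps; presumably UTC+8 of the backend — verify.
    timezone_hour_gap: 8

# ClickHouse store queried by the plugin `sql` entries below.
# NOTE(review): plaintext password committed here — inject at runtime instead.
clickhouse:
  host: 10.160.12.147
  port: 9001
  username: default
  password: galaxy2019
  db_name: tsg_galaxy_v3
  table_name: session_record
  security_table_name: security_event

# MariaDB store; the `kb_sql` entries below reference
# {$mariadb_dbname}.{$mariadb_domain_tablename}, presumably mapped from these keys.
# NOTE(review): root account with a plaintext password — use a least-privilege,
# read-only account and inject the secret at runtime.
mariadb:
  host: 10.160.12.201
  port: 3306
  user: root
  pswd: galaxy2019
  db_name: cn_api
  ip_table_name: cn_vpn_learning_ip
  domain_table_name: cn_vpn_learning_domain

# Knowledge-base HTTP API (batch item endpoint).
# NOTE(review): api_token is a static secret committed in plain text — inject it
# at runtime. kb_username and api_pin are bare values and parse as null; if an
# empty string is intended, write "" explicitly.
knowledgebase:
  host: 10.160.12.204:8090
  kb_username:
  api_pin:
  api_path: /v1/knowledgeBase/items/batch
  api_token: a2857bc21b01421b85953fc2c65b4d4c
  api_retry_times: 3
  # Unit is not stated in this file; at this value it is effectively no timeout — confirm.
  api_timeout: 9999
  db_name: cn_api
  ip_library_name: vpn_learning_ip
  domain_library_name: vpn_learning_domain

### PLUGIN CONFIGS
# Each plugin carries plugin_name, vpn_service_name, plugin_id and confidence,
# plus either a top-level sql (object_type: ip) or per-object stanzas
# (domain: / ip:) with sql (ClickHouse) and kb_sql (MariaDB) queries.
# The `domains` values are comma-separated lists that feed {$domain_list}.

# Match on two JA3 hashes, or on IPs that front >= 5 distinct server_domain
# values while the SNI is one of the listed domains.
hotspotvpn:
  plugin_name: hotspotvpn
  vpn_service_name: hotspotvpn
  plugin_id: 1
  object_type: ip
  confidence: confirmed
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter}
    AND (ssl_ja3_hash in ('f49621211538d12435b8498f195d0c31', '908e8001ed339d74cedd91a4eb7abfab'))
    UNION ALL
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter}
    AND (ssl_sni IN ({$domain_list}))
    GROUP BY server_ip having length(groupUniqArray(server_domain)) >= 5
  domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org

# domain: DNS queries under vpn.ipvanish.com.
# ip: domains already recorded in the knowledge base for this service.
ipvanishvpn:
  plugin_name: ipvanishvpn
  vpn_service_name: ipvanishvpn
  plugin_id: 2
  confidence: confirmed
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name}
      WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
      group by dns_qname
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'ipvanishvpn' group by domain

# domain: DNS queries under three Ivacy-related zones.
# ip: domains already recorded in the knowledge base for this service.
ivacyvpn:
  plugin_name: ivacyvpn
  vpn_service_name: ivacyvpn
  plugin_id: 3
  confidence: confirmed
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name}
      WHERE {$time_filter}
      AND ((dns_qname LIKE '%.pointtoserver.com') or (dns_qname LIKE '%.ptoserver.com') or (dns_qname LIKE '%.dns2use.com'))
      group by dns_qname
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'ivacyvpn' group by domain

# IPs seen on >= 10 distinct ports from the listed set.
# Note: 5060 is listed twice; harmless inside IN (...) but can be dropped.
protonvpn:
  plugin_name: protonvpn
  vpn_service_name: protonvpn
  plugin_id: 4
  object_type: ip
  confidence: confirmed
  sql: >-
    SELECT server_ip, groupUniqArray(server_port) as ports FROM {$db_name}.{$table_name}
    WHERE {$time_filter}
    AND (server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194))
    GROUP BY server_ip HAVING length(ports) >= 10

# The tsg system's built-in Cyberghost-UDP APP is used to pick up newly active IPs.
cyberghostvpn:
  plugin_name: cyberghostvpn
  vpn_service_name: cyberghostvpn
  plugin_id: 5
  confidence: confirmed
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name}
      WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
      group by dns_qname
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'cyberghostvpn' group by domain
    # NOTE(review): monitor_on and udp_monitor_app_name are assumed to belong to
    # the ip stanza together with the sql that references them — confirm
    # against the loader.
    monitor_on: false
    udp_monitor_app_name: Cyberghost-UDP
    sql: >-
      SELECT server_ip FROM {$db_name}.{$table_name}
      WHERE {$time_filter} and app_transition like '%{$udp_monitor_app_name}%'
      group by server_ip

# domain: FQDNs containing '-' under the listed domains.
# ip: known domains from the knowledge base, plus TLS certificates whose
# subject or issuer names Windscribe.
windscribevpn:
  plugin_name: windscribevpn
  vpn_service_name: windscribevpn
  plugin_id: 6
  confidence: confirmed
  domain:
    object_type: domain
    sql: >-
      SELECT server_fqdn FROM {$db_name}.{$table_name}
      WHERE {$time_filter} and server_domain in ({$domain_list}) and server_fqdn like '%-%'
      group by server_fqdn ORDER BY server_fqdn ASC
    domains: whiskergalaxy.com, totallyacdn.com
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'windscribevpn' group by domain
    sql: >-
      SELECT server_ip FROM {$db_name}.{$table_name}
      WHERE {$time_filter} and (ssl_cert_subject like '%Windscribe%' or ssl_cert_issuer like '%Windscribe%')
      group by server_ip

# Three sources unioned: an app_transition marker, one fixed FQDN, and
# low-volume BASE sessions on the listed ports from the listed ASNs
# (>= 10 such sessions per IP).
turbovpn:
  vpn_service_name: turbovpn
  plugin_id: 7
  plugin_name: turbovpn
  object_type: ip
  confidence: confirmed
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter} AND (app_transition LIKE '%Turbo_Payload%') group by server_ip
    UNION ALL
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter} AND (server_fqdn ='www.myanmar.com') group by server_ip
    UNION ALL
    select server_ip from {$db_name}.{$table_name}
    WHERE {$time_filter} AND (server_port in (66, 109, 8080, 97, 94, 92, 21, 25, 110, 119, 2000, 2001))  AND decoded_as='BASE'
    and sent_bytes<1000 AND received_bytes<1000 and sent_pkts<10 and received_pkts<10
    and server_asn in ('14061', '21859', '9009', '212238', '16276', '40021', '20473', '174', '138915', '12876')
    group by server_ip having count(*) >=10

# TLS certificate issuer containing the fixed CN/O pair below.
geckovpn:
  vpn_service_name: geckovpn
  plugin_id: 8
  plugin_name: geckovpn
  object_type: ip
  confidence: confirmed
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'
    group by server_ip

# IPs whose server_domain is in the listed set.
vpnunlimited:
  vpn_service_name: vpnunlimited
  plugin_id: 9
  plugin_name: vpnunlimited
  object_type: ip
  confidence: confirmed
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name}
    WHERE {$time_filter} AND server_domain in ({$domain_list})
    group by server_ip
  # Folded into one comma-separated value; entries that were listed twice
  # (puppyfood.info, cyberroast.shop, nohumguitar.com, thewalruss.net,
  # prebreeze.club) are kept once.
  domains: >-
    hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click,
    valarre.com, puppyfood.info, securestartup.business, beansandchips.com,
    zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com,
    aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com,
    easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club,
    blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz,
    holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com,
    thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group,
    hockeybet.org, fastblazingpix.com, zapp-a-weasel.live, fastdecidos.info,
    picknife.org, simplexsolutionsinc.com

psiphon3vpn:
  vpn_service_name: psiphon3vpn
  plugin_id: 10
  plugin_name: psiphon3vpn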