path: root/config23.10.yaml
blob: 6d7a310a3154936edfaf20a6fa34af15e332c7d8 (plain)
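common:
    # Directory (relative) where plugin results are written.
    output_path: data/
    # IANA time zone name substituted into the time filter as {$time_zone}.
    time_zone: Asia/Shanghai
    # Column of the ClickHouse table that carries the session receive time.
    recv_time_columnname: common_recv_time
    # Template for the time-window predicate; {$start_time}, {$end_time} and
    # {$time_zone} are filled in at runtime. NOTE(review): the bare token
    # recv_time_columnname is presumably replaced by the value above by the
    # loader — confirm, otherwise the rendered SQL names a non-existent column.
    time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
    # Canonical lowercase boolean (was `True`): same value for YAML 1.1 and
    # 1.2 core-schema loaders, and the form yamllint's `truthy` rule accepts.
    save_knowledgebase: true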

clickhouse:
    # ClickHouse server the plugin `sql` queries in this file are run against.
    host: 192.168.40.194
    port: 9001
    username: default
    # NOTE(review): plaintext credential committed with the config; load it
    # from an environment variable or a secret store and keep it out of VCS.
    password: ceiec2021
    # Presumably substituted into plugin SQL as {$db_name} and {$table_name}.
    db_name: tsg_galaxy_p19
    table_name: session_record

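mariadb:
    host: 192.168.44.53
    port: 3306
    # NOTE(review): connects as root; a dedicated account granted only what
    # the two learning tables in cn_api need would be least-privilege.
    user: root
    # Quoted so the loader keeps this a string: unquoted 111111 is parsed as
    # an integer, which a DB driver may reject or stringify differently.
    # NOTE(review): plaintext credential committed with the config; load it
    # from an environment variable or a secret store instead.
    pswd: "111111"
    timezone_hour_gap: 8  # actual local timezone - mariadb timezone (hours)
    # Presumably referenced in plugin kb_sql as {$mariadb_dbname} and
    # {$mariadb_domain_tablename}.
    db_name: cn_api
    ip_table_name: cn_vpn_learning_ip
    domain_table_name: cn_vpn_learning_domain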

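knowledgebase:
    # Knowledge-base API endpoint as host:port; api_path is presumably
    # appended to it when the batch request is built.
    host: 192.168.44.54:8090
    kb_username: learning_engine
    # Quoted so it stays a string; unquoted 111111 loads as an integer.
    # NOTE(review): api_pin and api_token are plaintext credentials committed
    # with the config; load them from the environment or a secret store.
    api_pin: "111111"
    api_path: /v1/knowledgeBase/items/batch
    api_token: a2857bc21b01421b85953fc2c65b4d4c
    # Retry count and timeout for the batch request. NOTE(review): the unit
    # of api_timeout (seconds? milliseconds?) is not stated — confirm in the
    # client before tuning it.
    api_retry_times: 3
    api_timeout: 9999
    # Target database and the two libraries results are pushed into.
    db_name: cn_api
    ip_library_name: vpn_learning_ip
    domain_library_name: vpn_learning_domain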


### PLUGIN CONFIGS

hotspotvpn:
    plugin_name: hotspotvpn
    vpn_service_name: hotspotvpn
    plugin_id: 1
    # Results are IP objects reported with the stated confidence.
    object_type: ip
    confidence: confirmed
    # Server IPs whose TLS SNI covered at least 3 distinct domains from the
    # `domains` list below; {$domain_list} is presumably rendered from it.
    sql: SELECT common_server_ip, any(common_server_asn) AS asn, count(*) AS session_num, groupUniqArray(common_server_domain) as domains, length(domains) as domain_count, countDistinct(common_client_ip) AS cip_num FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY common_server_ip having domain_count >= 3
    # Comma-separated plain scalar; the loader is presumably responsible for
    # splitting and quoting it before substitution into the IN (...) clause.
    domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org


ipvanishvpn:
    plugin_name: ipvanishvpn
    vpn_service_name: ipvanishvpn
    plugin_id: 2
    confidence: confirmed
    # Two-stage plugin: `domain` learns names from ClickHouse DNS records,
    # `ip` reads the learned names back from the MariaDB domain table.
    domain:
        object_type: domain
        # Distinct DNS query names under the service's suffix.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
    ip:
        object_type: ip
        # Filter value matches vpn_service_name above, so learned rows for
        # this service are the ones returned.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn'


ivacyvpn:
    plugin_name: ivacyvpn
    vpn_service_name: ivacyvpn
    plugin_id: 3
    confidence: confirmed
    # Two-stage plugin: `domain` learns names from ClickHouse DNS records,
    # `ip` reads the learned names back from the MariaDB domain table.
    domain:
        object_type: domain
        # Distinct DNS query names under the service's suffix.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com'
    ip:
        object_type: ip
        # Filter value matches vpn_service_name above.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'


protonvpn:
    plugin_name: protonvpn
    vpn_service_name: protonvpn
    plugin_id: 4
    object_type: ip
    confidence: confirmed
    # Server IPs seen on more than 10 distinct ports out of the listed set.
    # NOTE(review): 5060 appears twice in the IN (...) list; harmless for IN
    # semantics, but one entry can be dropped on the next edit.
    sql: SELECT common_server_ip, groupUniqArray(common_server_port) AS ports FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (common_server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194)) GROUP BY common_server_ip HAVING length(ports) > 10



cyberghostvpn:
    # NOTE(review): plugin_name and vpn_service_name here are `cyberghost`,
    # but the kb_sql below filters vpn_service_name = 'cyberghostvpn'; every
    # other plugin uses the same string in both places. If learned domains
    # are stored under `cyberghost`, the knowledge-base lookup returns
    # nothing — confirm which spelling the MariaDB rows carry and align them.
    plugin_name: cyberghost
    vpn_service_name: cyberghost
    plugin_id: 5
    confidence: confirmed
    domain:
        object_type: domain
        # Distinct DNS query names under the service's node suffix.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
    ip:
        object_type: ip
        # Learned domains read back from the MariaDB domain table.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'


windscribevpn:
    plugin_name: windscribevpn
    vpn_service_name: windscribevpn
    plugin_id: 6
    confidence: confirmed
    domain:
        object_type: domain
        # Server FQDNs under the listed domains that contain a hyphen;
        # {$domain_list} is presumably rendered from `domains` below (note it
        # sits under `domain` here, unlike hotspotvpn's top-level key).
        sql: SELECT DISTINCT common_server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter} and common_server_domain in ({$domain_list}) and common_server_fqdn like '%-%' ORDER BY common_server_fqdn ASC
        domains: whiskergalaxy.com, totallyacdn.com
    ip:
        object_type: ip
        # Filter value matches vpn_service_name above.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'windscribevpn'


turbovpn:
    vpn_service_name: turbovpn
    plugin_id: 7
    plugin_name: turbovpn
    object_type: ip
    confidence: confirmed
    # This plugin queries the security event table instead of the session
    # table, restricted to one policy id.
    security_table_name: security_event
    security_policy_id: 3847
    # Server IPs that matched the policy on more than 3 of the listed ports.
    sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3


geckovpn:
    vpn_service_name: geckovpn
    plugin_id: 8
    plugin_name: geckovpn
    object_type: ip
    confidence: confirmed
    # Server IPs whose TLS certificate issuer contains the given CN/O string.
    sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'


vpnunlimited:
    vpn_service_name: vpnunlimited
    # plugin_id jumps from 8 (geckovpn) to 11; ids 9 and 10 are not defined
    # in this file.
    plugin_id: 11
    plugin_name: vpnunlimited
    object_type: ip
    confidence: confirmed
    # Server IPs whose server domain is one of the `domains` below;
    # {$domain_list} is presumably rendered from that list.
    sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND common_server_domain in ({$domain_list})
    # Comma-separated plain scalar split by the loader before substitution.
    domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live