# Settings shared by every plugin section below.
common:
  # Directory plugin output is written to.
  output_path: data/
  # Time zone name; presumably what {$time_zone} expands to in the filter below.
  time_zone: Asia/Shanghai
  # Receive-time column name used to bound each query to the run's time window.
  recv_time_columnname: common_recv_time
  # SQL fragment that presumably expands {$time_filter} in the plugin queries.
  # NOTE(review): {$start_time}/{$end_time} are spliced into SQL as text; if the
  # window bounds can ever come from an untrusted caller this is an injection
  # point -- confirm the loader validates them (e.g. parses them as datetimes)
  # before substitution.
  # NOTE(review): recv_time_columnname is written bare here, not as
  # {$recv_time_columnname} like the other placeholders -- confirm the loader
  # substitutes it, otherwise the query references a non-existent column.
  time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
# ClickHouse connection used by the `sql:` queries of the plugins below.
clickhouse:
  host: 192.168.40.194
  port: 9001
  # SECURITY: the default account and a plaintext password are committed in
  # config. Every ClickHouse query in this file is a SELECT, so a dedicated
  # read-only account is sufficient; rotate this credential and, if the loader
  # supports it, inject it from the environment or a secrets store instead.
  username: default
  password: ceiec2021
  # Presumably what {$db_name} and {$table_name} expand to in plugin SQL.
  db_name: tsg_galaxy_p19
  table_name: session_record
# MariaDB connection holding the learned VPN IP / domain tables.
mariadb:
  host: 192.168.44.53
  port: 3306
  # SECURITY: root with a trivial plaintext password. Use an account scoped to
  # the two tables below (least privilege) and keep the secret out of this file.
  user: root
  pswd: 111111
  # Hours to add when converting MariaDB timestamps to local time.
  timezone_hour_gap: 8 # actual local timezone - mariadb timezone (hours)
  db_name: cn_api
  # Tables of learned objects. The domain table is what the kb_sql queries of
  # the *_serverip plugins read (as {$mariadb_domain_tablename}); how the ip
  # table is used is not visible in this file.
  ip_table_name: cn_vpn_learning_ip
  domain_table_name: cn_vpn_learning_domain
# Knowledge-base API that learned objects are pushed to.
knowledgebase:
  # host:port only, no scheme -- whether the token below travels over TLS is
  # decided by the client code; confirm it uses HTTPS.
  host: 192.168.44.54:8090
  kb_username: learning_engine
  # SECURITY: PIN and API token stored in plaintext; rotate both and load them
  # from the environment or a secrets store if the loader supports it.
  api_pin: 111111
  api_path: /v1/knowledgeBase/items/batch
  api_token: a2857bc21b01421b85953fc2c65b4d4c
  api_retry_times: 3
  # Unit not stated (seconds?). 9999 is effectively no timeout: a hung API
  # call stalls the whole run for that long, times api_retry_times. A bound
  # in the tens of seconds is more appropriate -- confirm the unit first.
  api_timeout: 9999
  db_name: cn_api
  # Library names on the knowledge-base side; note they lack the cn_ prefix
  # the MariaDB table names above carry.
  ip_library_name: vpn_learning_ip
  domain_library_name: vpn_learning_domain
### PLUGIN CONFIGS
# Flags server IPs that, within the time window, carry TLS sessions whose SNI
# is one of the `domains` below for at least three distinct domains (the
# `having domain_count >= 3` clause) -- one address fronting several unrelated
# well-known sites is treated as a VPN endpoint.
hotspotvpn_serverip:
  vpn_service_name: hotspotvpn
  plugin_id: 1
  plugin_name: hotspotvpn_serverip
  object_type: ip
  confidence: confirmed
  # NOTE(review): {$domain_list} is spliced textually into IN (...); the loader
  # must quote and escape each entry of `domains`, otherwise the query either
  # breaks or becomes an injection point if the list is ever editable.
  sql: SELECT common_server_ip, any(common_server_asn) AS asn, count(*) AS session_num, groupUniqArray(common_server_domain) as domains, length(domains) as domain_count, countDistinct(common_client_ip) AS cip_num FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY common_server_ip having domain_count >= 3
  # Comma-separated SNI list; presumably what {$domain_list} expands to.
  domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org
# Collects DNS query names under vpn.ipvanish.com seen in the time window.
ipvanishvpn_servername:
  vpn_service_name: ipvanishvpn
  plugin_id: 2
  plugin_name: ipvanishvpn_servername
  object_type: domain
  confidence: confirmed
  # Suffix match; the leading '%.' excludes the bare apex name itself.
  sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
# Derives IPs from the ipvanishvpn domains already learned into MariaDB.
# How the domains are turned into IPs (resolution, session lookup) is not
# visible in this file.
ipvanishvpn_serverip:
  vpn_service_name: ipvanishvpn
  plugin_id: 3
  plugin_name: ipvanishvpn_serverip
  object_type: ip
  confidence: confirmed
  # Runs against MariaDB; {$mariadb_dbname}/{$mariadb_domain_tablename}
  # presumably map to mariadb.db_name / mariadb.domain_table_name.
  kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ipvanishvpn'
# NOTE(review): incomplete entry -- `confidence` is empty (parses as null) and
# there is no `sql` or `kb_sql`, so this plugin has no data source. Either
# finish it or remove it so the loader cannot emit unlabeled objects for it.
psiphon3vpn_serverip:
  vpn_service_name: psiphon3vpn
  plugin_id: 4
  plugin_name: psiphon3vpn_serverip
  object_type: ip
  confidence:
# Collects DNS query names under nodes.gen4.ninja seen in the time window.
cyberghostvpn_servername:
  vpn_service_name: cyberghostvpn
  plugin_id: 5
  plugin_name: cyberghostvpn_servername
  object_type: domain
  confidence: confirmed
  # Suffix match; the leading '%.' excludes the bare apex name itself.
  sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
# Derives IPs from the cyberghostvpn domains already learned into MariaDB.
# How the domains are turned into IPs is not visible in this file.
cyberghostvpn_serverip:
  vpn_service_name: cyberghostvpn
  plugin_id: 6
  plugin_name: cyberghostvpn_serverip
  object_type: ip
  confidence: confirmed
  # Runs against MariaDB; {$mariadb_dbname}/{$mariadb_domain_tablename}
  # presumably map to mariadb.db_name / mariadb.domain_table_name.
  kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'cyberghostvpn'
# Flags server IPs presenting a TLS certificate whose issuer string contains
# 'CN=SUV;O=SUV999' -- an issuer fingerprint rather than a domain match, so it
# keeps working when the endpoint hostnames change but breaks if the service
# re-issues its certificates.
geckovpn_serverip:
  vpn_service_name: geckovpn
  plugin_id: 7
  plugin_name: geckovpn_serverip
  object_type: ip
  confidence: confirmed
  sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'
# Collects DNS query names under pointtoserver.com seen in the time window.
ivacyvpn_servername:
  vpn_service_name: ivacyvpn
  plugin_id: 8
  plugin_name: ivacyvpn_servername
  object_type: domain
  confidence: confirmed
  # Suffix match; the leading '%.' excludes the bare apex name itself.
  sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.pointtoserver.com'
# Derives IPs from the ivacyvpn domains already learned into MariaDB.
# How the domains are turned into IPs is not visible in this file.
ivacyvpn_serverip:
  vpn_service_name: ivacyvpn
  plugin_id: 9
  plugin_name: ivacyvpn_serverip
  object_type: ip
  confidence: confirmed
  # Runs against MariaDB; {$mariadb_dbname}/{$mariadb_domain_tablename}
  # presumably map to mariadb.db_name / mariadb.domain_table_name.
  kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename} where vpn_service_name = 'ivacyvpn'
# Flags server IPs from the security-event table that matched policy 3847 and
# were contacted on more than three distinct ports out of the listed set
# (`having length(groupUniqArray(common_server_port))>3`), i.e. one host
# answering on an unusual spread of ports.
turbovpn_serverip:
  vpn_service_name: turbovpn
  plugin_id: 10
  plugin_name: turbovpn_serverip
  object_type: ip
  confidence: confirmed
  # This plugin reads a different table from the others; presumably what
  # {$security_table_name} and {$security_policy_id} expand to below.
  security_table_name: security_event
  security_policy_id: 3847
  # NOTE(review): the port list and the >3 threshold are hard-coded in the
  # query; if they are meant to be tuned, lift them into keys like the
  # policy id so the SQL does not need editing.
  sql: SELECT common_server_ip FROM {$db_name}.{$security_table_name} WHERE {$time_filter} AND common_policy_id ={$security_policy_id} AND common_server_port IN (66, 109, 8080, 97, 94, 92, 21, 25) GROUP BY common_server_ip having length(groupUniqArray(common_server_port))>3
# Flags server IPs whose server domain is one of the `domains` below --
# a static list of throwaway-looking domains, so this needs periodic refresh
# as the service rotates them.
vpnunlimited_serverip:
  vpn_service_name: vpnunlimited
  plugin_id: 11
  plugin_name: vpnunlimited_serverip
  object_type: ip
  confidence: confirmed
  # NOTE(review): {$domain_list} is spliced textually into IN (...); the loader
  # must quote and escape each entry of `domains`, otherwise the query either
  # breaks or becomes an injection point if the list is ever editable.
  sql: SELECT DISTINCT common_server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND common_server_domain in ({$domain_list})
  # Comma-separated domain list; presumably what {$domain_list} expands to.
  domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live