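common:
  # Directory the plugins write their result files into (relative to the
  # working directory of the process that loads this file).
  output_path: data/
  # Zone passed as the second argument of toDateTime() in time_filter_pattern.
  time_zone: Asia/Yangon
  recv_time_columnname: recv_time
  # SQL fragment spliced into every plugin query as {$time_filter}.
  # {$start_time}, {$end_time} and {$time_zone} are filled in by the loader.
  # NOTE(review): the bare identifier `recv_time_columnname` is presumably
  # replaced by the value above as well — confirm, otherwise the column name
  # in the generated WHERE clause is wrong.
  # The values are interpolated into SQL text, not bound as parameters, so
  # only ever feed internally generated timestamps into this template.
  time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
  # Canonical lowercase boolean (was `True`; same value under YAML 1.1 and 1.2).
  save_knowledgebase: true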
# Active probing of candidate servers. Rough upper bound on outgoing
# calls/s = max_workers * max_calls_per_sec, i.e. 10 000/s with the values
# below — size this against what the probed networks and your own egress
# can absorb.
active_scan:
  # NOTE(review): `off` is the boolean false under YAML 1.1 loaders (PyYAML)
  # but the string "off" under YAML 1.2 — confirm which one the consumer
  # tests for before changing this value.
  switch: off
  max_workers: 100
  max_calls_per_sec: 100
  # Do-not-probe lists. ISP keywords (English entries in lowercase); matching
  # is presumably a case-folded substring test against the ISP name — verify.
  # The IP list mixes exact addresses and a `127.*` wildcard, so the matcher
  # must support both forms.
  protected_isp_list: ["google", "谷歌", "cloudflare", "microsoft", "alibaba", "amazon", "facebook","微软", "腾讯", "中国电信"]
  protected_ip_list: ['8.8.8.8', '8.8.4.4', '1.1.1.1', '255.255.255.255', '0.0.0.0', '127.*']
monitor:
  # Prometheus textfile-collector output; the directory must be writable by
  # this process and should be readable only by the exporter that scrapes it.
  monitor_file_path: /opt/vpn-finder-plugins/prom/vpn_plugin_knowledgebase_monitor.prom
  # A result inactive for this many days is treated as outdated and is no
  # longer counted as an effective result.
  outdated_days: 100
  # NOTE(review): +8 h does not match common.time_zone (Asia/Yangon is
  # UTC+6:30); check whether this offset refers to the monitoring host rather
  # than to the data.
  timezone_hour_gap: 8
clickhouse:
  # --- connection ---
  host: 10.160.12.147
  port: 9001
  # --- credentials ---
  # SECURITY: plaintext credentials in a committed config. Move them to a
  # secret store / environment injection and rotate this password — the same
  # value is used as the MariaDB root password in this file. Quoted so no
  # loader re-types them.
  username: 'default'
  password: 'galaxy2019'
  # --- schema the plugin SQL is templated against ({$db_name}/{$table_name}) ---
  db_name: tsg_galaxy_v3
  table_name: session_record
  security_table_name: security_event
mariadb:
  # --- connection ---
  host: 10.160.12.201
  port: 3306
  # --- credentials ---
  # SECURITY: the queries in this file only reference the two learning
  # tables below, so a dedicated account limited to them should replace
  # root. The password is committed in plaintext and is the same one used
  # for ClickHouse above — rotate it and load it from a secret store.
  user: 'root'
  pswd: 'galaxy2019'
  # --- schema used as {$mariadb_dbname}/{$mariadb_domain_tablename} ---
  db_name: cn_api
  ip_table_name: cn_vpn_learning_ip
  domain_table_name: cn_vpn_learning_domain
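knowledgebase:
  # host:port of the knowledge-base API; quoted because the value contains
  # a colon.
  host: '10.160.12.204:8090'
  # Explicit nulls (were bare `key:`, which loaders also read as null);
  # kept null rather than "" so the consumer's "unset" handling is unchanged.
  kb_username: null
  api_pin: null
  api_path: /v1/knowledgeBase/items/batch
  # SECURITY: static API token committed in plaintext — rotate it and load it
  # from a secret store. Quoted so no loader re-types it.
  api_token: 'a2857bc21b01421b85953fc2c65b4d4c'
  api_retry_times: 3
  # NOTE(review): unit is not stated here; if seconds, 9999 (~2.8 h) is
  # effectively no timeout and a stalled request blocks a worker that long.
  api_timeout: 9999
  db_name: cn_api
  ip_library_name: vpn_learning_ip
  domain_library_name: vpn_learning_domain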
### PLUGIN CONFIGS
hotspotvpn:
  plugin_id: 1
  plugin_name: hotspotvpn
  vpn_service_name: hotspotvpn
  object_type: ip
  confidence: confirmed
  # Two signals, unioned: (1) sessions whose JA3 hash matches one of two
  # fingerprints; (2) servers reached under an SNI from `domains` that also
  # front >= 5 distinct server_domain values. The GROUP BY / HAVING binds to
  # the second SELECT only. JA3 values are brittle across client releases.
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
    AND (ssl_ja3_hash in ('f49621211538d12435b8498f195d0c31', '908e8001ed339d74cedd91a4eb7abfab'))
    UNION ALL SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
    AND (ssl_sni IN ({$domain_list})) GROUP BY server_ip
    having length(groupUniqArray(server_domain)) >= 5
  # Comma-separated; spliced in as {$domain_list}. These are popular
  # third-party names, so the >= 5 fan-out threshold is what discriminates.
  domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org
ipvanishvpn:
  plugin_id: 2
  plugin_name: ipvanishvpn
  vpn_service_name: ipvanishvpn
  confidence: confirmed
  # Domain stage: every DNS query name under vpn.ipvanish.com.
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter}
      AND dns_qname LIKE '%.vpn.ipvanish.com' group by dns_qname
  # IP stage: re-reads the domains already stored for this service in the
  # MariaDB knowledge base (how they are resolved to IPs is not visible here).
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'ipvanishvpn' group by domain
ivacyvpn:
  plugin_id: 3
  plugin_name: ivacyvpn
  vpn_service_name: ivacyvpn
  confidence: confirmed
  # Domain stage: DNS query names under any of three Ivacy suffixes.
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter}
      AND ((dns_qname LIKE '%.pointtoserver.com') or (dns_qname LIKE '%.ptoserver.com') or (dns_qname LIKE '%.dns2use.com'))
      group by dns_qname
  # IP stage: domains already stored for this service in the knowledge base.
  ip:
    object_type: ip
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'ivacyvpn' group by domain
protonvpn:
  plugin_id: 4
  plugin_name: protonvpn
  vpn_service_name: protonvpn
  object_type: ip
  confidence: confirmed
  # Port fan-out heuristic: a server_ip seen on >= 10 distinct ports from
  # the list within the window. 5060 appears twice in the list; harmless,
  # since groupUniqArray counts distinct ports.
  sql: >-
    SELECT server_ip, groupUniqArray(server_port) as ports FROM {$db_name}.{$table_name}
    WHERE {$time_filter} AND (server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194))
    GROUP BY server_ip HAVING length(ports) >= 10
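# Newly active IPs are taken from the TSG system's built-in Cyberghost-UDP
# app classification.
cyberghostvpn:
  plugin_id: 5
  plugin_name: cyberghostvpn
  vpn_service_name: cyberghostvpn
  confidence: confirmed
  # Domain stage: DNS query names under nodes.gen4.ninja.
  domain:
    object_type: domain
    sql: >-
      SELECT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter}
      AND dns_qname LIKE '%.nodes.gen4.ninja' group by dns_qname
  ip:
    object_type: ip
    # Domains already stored for this service in the knowledge base.
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'cyberghostvpn' group by domain
    # Canonical lowercase boolean (was `False`; same value under YAML 1.1
    # and 1.2). NOTE(review): the monitor keys are nested under `ip` here,
    # matching the windscribevpn layout (kb_sql + sql under ip) — confirm
    # against the loader.
    monitor_on: false
    udp_monitor_app_name: Cyberghost-UDP
    # Matches on the app_transition label; the app name is interpolated
    # into a LIKE pattern, so keep it free of SQL/LIKE metacharacters.
    sql: >-
      SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
      and app_transition like '%{$udp_monitor_app_name}%' group by server_ip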
windscribevpn:
  plugin_id: 6
  plugin_name: windscribevpn
  vpn_service_name: windscribevpn
  confidence: confirmed
  # Domain stage: hyphenated FQDNs under the two Windscribe CDN domains.
  domain:
    object_type: domain
    sql: >-
      SELECT server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter}
      and server_domain in ({$domain_list}) and server_fqdn like '%-%'
      group by server_fqdn ORDER BY server_fqdn ASC
    # Comma-separated; spliced in as {$domain_list}.
    domains: whiskergalaxy.com, totallyacdn.com
  ip:
    object_type: ip
    # Domains already stored for this service in the knowledge base.
    kb_sql: >-
      SELECT domain FROM {$mariadb_dbname}.{$mariadb_domain_tablename}
      where vpn_service_name = 'windscribevpn' group by domain
    # Certificate-string match: servers presenting a cert whose subject or
    # issuer mentions Windscribe. Trivially evaded by a renamed cert.
    sql: >-
      SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
      and (ssl_cert_subject like '%Windscribe%' or ssl_cert_issuer like '%Windscribe%')
      group by server_ip
turbovpn:
  plugin_id: 7
  plugin_name: turbovpn
  vpn_service_name: turbovpn
  object_type: ip
  confidence: confirmed
  # Two signals, unioned: (1) sessions labelled Turbo_Payload by the app
  # classifier; (2) short undecoded (decoded_as='BASE') sessions to unusual
  # ports on a fixed list of hosting ASNs, >= 10 of them per server_ip.
  # The GROUP BY / HAVING binds to the second SELECT only, so the first
  # branch emits one row per session (duplicates expected downstream).
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
    AND (app_transition LIKE '%Turbo_Payload%')
    UNION ALL select server_ip from {$db_name}.{$table_name} WHERE {$time_filter}
    AND (server_port in (66, 109, 8080, 97, 94, 92, 21, 25, 110, 119, 2000, 2001))
    AND decoded_as='BASE' and sent_bytes<1000 AND received_bytes<1000
    and sent_pkts<10 and received_pkts<10
    and server_asn in ('14061', '21859', '9009', '212238', '16276', '40021', '20473', '174', '138915', '12876')
    group by server_ip having count(*) >=10
geckovpn:
  plugin_id: 8
  plugin_name: geckovpn
  vpn_service_name: geckovpn
  object_type: ip
  confidence: confirmed
  # Certificate-issuer string match (CN=SUV;O=SUV999). Brittle: any change
  # to the issuer name silently stops detection.
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
    AND ssl_cert_issuer like '%CN=SUV;O=SUV999%' group by server_ip
vpnunlimited:
  plugin_id: 9
  plugin_name: vpnunlimited
  vpn_service_name: vpnunlimited
  object_type: ip
  confidence: confirmed
  # Servers whose registered domain is on the fixed list below.
  sql: >-
    SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter}
    AND server_domain in ({$domain_list}) group by server_ip
  # Comma-separated; spliced in as {$domain_list}. Several entries are
  # repeated (puppyfood.info, cyberroast.shop, nohumguitar.com,
  # thewalruss.net, prebreeze.club) — harmless in an IN list, left as-is.
  domains: >-
    hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com,
    puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc,
    atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop,
    seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club,
    blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz,
    graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc,
    ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live,
    puppyfood.info, fastdecidos.info, cyberroast.shop, picknife.org, nohumguitar.com,
    thewalruss.net, simplexsolutionsinc.com, prebreeze.club
psiphon3vpn:
vpn_service_name: psiphon3vpn
plugin_id: 10
plugin_name: psiphon3vpn