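common:
    # Directory the plugin results are written to (relative path).
    output_path: data/
    # Time zone handed to toDateTime() in time_filter_pattern below.
    time_zone: Asia/Shanghai
    recv_time_columnname: recv_time
    # Template for the per-run time window. The column appears as the literal token
    # `recv_time_columnname` rather than a `{$...}` placeholder like the other
    # substitutions — presumably the loader replaces it by name; verify against the code.
    time_filter_pattern: (recv_time_columnname> toDateTime('{$start_time}', '{$time_zone}')) AND(recv_time_columnname <= toDateTime('{$end_time}', '{$time_zone}'))
    # Canonical lowercase boolean (was `True`; same value under YAML 1.1 and 1.2).
    save_knowledgebase: true
    # Outbound probing of candidate servers. Rough ceiling with the values below:
    # max_workers * max_calls_per_sec = 10000 calls/s.
    active_scan:
        # `on` is a boolean under YAML 1.1 parsers (e.g. PyYAML) but a plain string
        # under YAML 1.2 — kept as written because the consumer's parser is not visible
        # here; `true` would be unambiguous if the loader treats it as a boolean.
        switch: on
        max_workers: 100
        max_calls_per_sec: 100
    # ISP keywords (English entries lowercase). Presumably servers whose ISP matches are
    # excluded from results so large providers/CDNs are not flagged — confirm in the code.
    protected_isp_list: ["google", "谷歌", "cloudflare", "microsoft", "alibaba", "amazon", "facebook","微软", "腾讯", "中国电信"]
    # Addresses never reported: public resolvers, broadcast, unspecified, and a
    # loopback glob ('127.*' is quoted so it is not read as an alias).
    protected_ip_list: ['8.8.8.8', '8.8.4.4', '1.1.1.1', '255.255.255.255', '0.0.0.0', '127.*']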

monitor:
    # Local development path, kept commented out for reference.
#    monitor_file_path: /Users/joy/Downloads/vpn_thwarting_monitor.prom
    # Metrics file written by the monitor (.prom suffix suggests a Prometheus
    # textfile-collector target — confirm).
    monitor_file_path: /opt/vpn-finder-plugins/prom/vpn_plugin_knowledgebase_monitor.prom
    # A result is treated as outdated after this many days without activity;
    # outdated results are not monitored as effective results.
    outdated_days: 100
    # Hour offset applied to timestamps; 8 matches Asia/Shanghai (UTC+8) — verify
    # the sign convention in the code that reads it.
    timezone_hour_gap: 8


clickhouse:
    host: 192.168.44.30
    # Whether this port carries TLS is decided server-side; cannot tell from here.
    port: 9001
    username: default
    # NOTE(review): plaintext credential in a versioned config file — load it from an
    # environment variable or secret store instead, and rotate it once moved.
    password: galaxy2019
    db_name: tsg_galaxy_v3
    # Flow/session table that every `{$db_name}.{$table_name}` query below reads from.
    table_name: session_record
    # Second table; none of the plugin SQL in this file references it.
    security_table_name: security_event

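mariadb:
    host: 192.168.44.53
    port: 3306
    # Root account for what the kb_sql statements in this file use only as SELECT
    # lookups — a least-privilege read-only user would suffice.
    user: root
    # Quoted so the parser yields a string; a bare `111111` is read as an integer.
    # NOTE(review): plaintext credential in a versioned config file — load it from an
    # environment variable or secret store instead.
    pswd: '111111'
    db_name: cn_api
    # Indicator table queried by the `kb_sql` entries (`{$mariadb_tablename}`).
    table_name: cn_intelligence_indicator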


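knowledgebase:
    # host:port with no scheme; whether the API is reached over TLS is up to the client.
    host: 192.168.44.54:8090
    # Explicit null instead of a bare empty value (same parsed value, clearer intent).
    kb_username: null
    api_pin: null
    api_path: /v1/tag/items/batch
    # NOTE(review): API token committed in plaintext — rotate it and load it from an
    # environment variable or secret store.
    api_token: a2857bc21b01421b85953fc2c65b4d4c
    api_retry_times: 3
    # Unit not stated here (presumably seconds); 9999 is effectively no timeout, so a
    # stalled API call blocks the run — consider a tighter bound.
    api_timeout: 9999
    db_name: cn_api
    library_name: cn_intelligence_indicator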


### PLUGIN CONFIGS

hotspotvpn:
    plugin_name: hotspotvpn
    vpn_service_name: hotspotvpn
    plugin_id: fd3a275b-49e0-462e-8630-c0f4698da9a8
    # Flat layout (object_type/sql at plugin level), unlike plugins that split
    # `domain:` and `ip:` sub-maps; presumably both shapes are accepted by the loader.
    object_type: ip
    confidence: confirmed
    # Two detection paths in a UNION ALL: (1) exact match on two JA3 hashes;
    # (2) servers seen with SNI in `domains` that serve >= 5 distinct server_domain
    # values — the GROUP BY/HAVING binds only to the second SELECT. The second path
    # is a heuristic (shared CDN edges can also front many domains), so its hits carry
    # `confirmed` confidence on weaker evidence than the JA3 match.
    sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_ja3_hash in ('f49621211538d12435b8498f195d0c31', '908e8001ed339d74cedd91a4eb7abfab')) UNION ALL SELECT server_ip  FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (ssl_sni IN ({$domain_list})) GROUP BY server_ip having length(groupUniqArray(server_domain)) >= 5
    # Comma-separated scalar, not a YAML list; the loader presumably splits it into
    # `{$domain_list}`.
    domains: paypal.com, facebook.com, twitter.com, whatsapp.com, get.adobe.com, cloudfront.net, mozilla.org


ipvanishvpn:
    plugin_name: ipvanishvpn
    vpn_service_name: ipvanishvpn
    plugin_id: c7ef715a-4ee0-4ac7-b30e-49f337fc8fb8
    confidence: confirmed
    domain:
        object_type: domain
        # Domains from DNS queries under the provider's server suffix.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.vpn.ipvanish.com'
    ip:
        object_type: ip
        # IPs are derived from previously stored domains for this source in the
        # MariaDB indicator table; how they are resolved to IPs is not visible here.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_tablename} where source_name = 'ipvanishvpn' and type='Domain'


ivacyvpn:
    plugin_name: ivacyvpn
    vpn_service_name: ivacyvpn
    plugin_id: fdb15703-fb5c-4600-8f04-6128adb1940b
    confidence: confirmed
    domain:
        object_type: domain
        # Domains from DNS queries under three provider-related suffixes.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ((dns_qname LIKE '%.pointtoserver.com') or (dns_qname LIKE '%.ptoserver.com') or (dns_qname LIKE '%.dns2use.com'))
    ip:
        object_type: ip
        # Domains previously stored for this source in the MariaDB indicator table;
        # the domain-to-IP step happens outside this file.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_tablename} where source_name = 'ivacyvpn' and type='Domain'


protonvpn:
    plugin_name: protonvpn
    vpn_service_name: protonvpn
    plugin_id: 9315f6f7-c921-4bb2-a16f-3da86ad3baee
    object_type: ip
    confidence: confirmed
    # Port-profile heuristic: a server counts if it was seen on >= 10 distinct ports
    # out of the listed set (5060 is listed twice, so only 12 distinct ports are
    # possible). No protocol or certificate evidence is used, so this is weaker than
    # the `confirmed` confidence suggests; a multi-service host can match.
    sql: SELECT server_ip, groupUniqArray(server_port) as ports FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port IN (443, 7770, 8443, 88, 5060, 51820, 500, 80, 1224, 4500, 4569, 5060, 1194)) GROUP BY server_ip HAVING length(ports) >= 10


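# Uses the TSG system's built-in Cyberghost-UDP app label to collect newly active IPs.
cyberghostvpn:
    plugin_name: cyberghostvpn
    vpn_service_name: cyberghostvpn
    plugin_id: d3e486c4-4d4d-429e-9af8-d018f73dde99
    confidence: confirmed
    domain:
        object_type: domain
        # Domains from DNS queries under the provider's node suffix.
        sql: SELECT DISTINCT dns_qname FROM {$db_name}.{$table_name} WHERE {$time_filter} AND dns_qname LIKE '%.nodes.gen4.ninja'
    ip:
        object_type: ip
        # Domains previously stored for this source in the MariaDB indicator table.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_tablename} where source_name = 'cyberghostvpn' and type='Domain'
        # Canonical lowercase boolean (was `False`; same value under YAML 1.1 and 1.2).
        # Presumably gates the `sql` query below — confirm in the loader.
        monitor_on: false
        # Substituted into `{$udp_monitor_app_name}` in the query below.
        udp_monitor_app_name: Cyberghost-UDP
        # Relies on the app_transition label assigned upstream; how reliable that
        # label is cannot be judged from this file.
        sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} and app_transition like '%{$udp_monitor_app_name}%'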


windscribevpn:
    plugin_name: windscribevpn
    vpn_service_name: windscribevpn
    plugin_id: 9bd2b634-be41-453f-b6eb-89e25bbffcc3
    confidence: confirmed
    domain:
        object_type: domain
        # Server FQDNs under the listed domains that contain a '-' (node naming
        # pattern); the hyphen filter is the only thing separating nodes from other
        # hosts on those domains.
        sql: SELECT DISTINCT server_fqdn FROM {$db_name}.{$table_name} WHERE {$time_filter} and server_domain in ({$domain_list}) and server_fqdn like '%-%' ORDER BY server_fqdn ASC
        # Comma-separated scalar, not a YAML list; presumably split into `{$domain_list}`.
        domains: whiskergalaxy.com, totallyacdn.com
    ip:
        object_type: ip
        # Domains previously stored for this source in the MariaDB indicator table.
        kb_sql: SELECT distinct domain FROM {$mariadb_dbname}.{$mariadb_tablename} where source_name = 'windscribevpn' and type='Domain'
        # Certificate subject/issuer substring match — a self-signed or spoofed cert
        # naming the provider would also match.
        sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} and (ssl_cert_subject like '%Windscribe%' or ssl_cert_issuer like '%Windscribe%')

turbovpn:
    # Key order differs from the other plugins (vpn_service_name first); harmless,
    # since mappings are unordered, but worth aligning for diffability.
    vpn_service_name: turbovpn
    plugin_id: 77fdc9b2-83b5-451f-a85d-98798810a7ec
    plugin_name: turbovpn
    object_type: ip
    confidence: confirmed
    # Two paths in a UNION ALL: (1) app_transition label 'Turbo_Payload';
    # (2) a traffic-shape heuristic — small undecoded flows (<1000 bytes, <10 packets
    # each way) to an unusual port set, to servers in ten listed ASNs, with more than
    # 10 such flows per server. The GROUP BY/HAVING binds only to the second SELECT.
    # Path (2) is purely statistical, so `confirmed` confidence overstates it and a
    # keep-alive or probe pattern from a hosting customer in those ASNs can match.
    sql: SELECT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND (app_transition LIKE '%Turbo_Payload%') UNION ALL select server_ip from {$db_name}.{$table_name} WHERE {$time_filter} AND (server_port in (66, 109, 8080, 97, 94, 92, 21, 25, 110, 119, 2000, 2001))  AND decoded_as='BASE' and  sent_bytes<1000 AND received_bytes<1000 and sent_pkts<10 and received_pkts<10 and server_asn in ('14061', '21859', '9009', '212238', '16276', '40021', '20473', '174', '138915', '12876') group by server_ip having count(*) >10


geckovpn:
    vpn_service_name: geckovpn
    plugin_id: ffbda1c9-dbbe-4160-8961-270d3aeb6a37
    plugin_name: geckovpn
    object_type: ip
    confidence: confirmed
    # Matches on a fixed certificate issuer string; any server presenting a cert with
    # this issuer is reported, so the match is only as specific as the issuer name.
    sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND ssl_cert_issuer like '%CN=SUV;O=SUV999%'


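vpnunlimited:
    vpn_service_name: vpnunlimited
    plugin_id: a0693f60-9028-4680-bbce-4200cfcbd291
    plugin_name: vpnunlimited
    object_type: ip
    confidence: confirmed
    # Servers seen for any of the listed domains. Domain-only evidence: an IP that
    # hosts one of these domains alongside unrelated sites is still reported.
    sql: SELECT DISTINCT server_ip FROM {$db_name}.{$table_name} WHERE {$time_filter} AND server_domain in ({$domain_list})
    # Comma-separated scalar, not a YAML list; presumably split into `{$domain_list}`.
    # Duplicate entries (puppyfood.info, cyberroast.shop, nohumguitar.com,
    # thewalruss.net, prebreeze.club) were removed; an IN list yields the same rows.
    domains: hurriwhilealivo.club, comcatches.live, cyphyl.com, chinacitybit.click, valarre.com, puppyfood.info, securestartup.business, beansandchips.com, zigzagwand.art, wifimeshnet.cc, atomicspike.art, fastwaterblog.com, aspheric-zombies.club, godzillo.link, cyberroast.shop, seligmania-online.com, easy-2fa.us, ikitoshi.cc, webcitynews.com, prebreeze.club, blackbettyclothing.com, cyberanalytics.link, musicinst.link, adsoasis.xyz, holidayphoto.xyz, graphlist.dev, nohumguitar.com, coffeedaybreak.com, thewalruss.net, learnjapanfilms.cc, ezhyperlix.xyz, statsnet.group, hockeybet.org, fastblazingpix.com, zapp-a-weasel.live, fastdecidos.info, picknife.org, simplexsolutionsinc.com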


psiphon3vpn:
    vpn_service_name: psiphon3vpn
    plugin_id: 5d225aa8-ae80-4c89-a972-026bbb5d14e4
    plugin_name: psiphon3vpn