Version: 1.8.x.x LTS

nevisDetect plug-ins

The nevisDetect plug-ins are dynamically loaded by the nevisDetect Core component. Upon loading, and for each plug-in, the system automatically reads several attributes from the file /var/opt/nevisdetect/core/conf/plugins.properties. The table below lists these attributes. Since there are multiple plug-ins, each attribute name is made unique by a counter. The value of the counter itself has no meaning. In the table, we use <n> to denote that:

| Attribute | Description |
| --- | --- |
| plugin.<n>.class | The fully qualified Java class name of the plug-in. |
| plugin.<n>.jar | The path of the jar file containing the plug-in class. |
| plugin.<n>.configuration | The path of the configuration of the plug-in class. |

See also the following example:

# test plugin 1
plugin.1.class=ch.nevis.nevisDetect.core.test.TestPlugin
plugin.1.jar=/var/opt/nevisdetect/core/plugins/nevisdetect-core-tests.jar
plugin.1.configuration=/var/opt/nevisdetect/core/plugins/test-plugin-1.properties

# behaviosec plugin
plugin.2.class=ch.nevisDetect.plugin.behaviosec.BehavioSecPlugin
plugin.2.jar=/var/opt/nevisdetect/core/plugins/behaviosec-plugin.jar
plugin.2.configuration=/var/opt/nevisdetect/core/plugins/behaviosec-plugin.properties
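
A consistency check for plugins.properties, added here as an example (it is not part of nevisDetect). Because the Core loads whatever jar each entry names, it reports incomplete or duplicated entries and jar or configuration paths outside the plug-in directory. Treating /var/opt/nevisdetect/core/plugins/ as the only expected location is an assumption taken from the example above, and only simple key=value lines are parsed.

```python
import re
from collections import defaultdict

REQUIRED = ("class", "jar", "configuration")
# Assumption: plug-in files belong under this directory, as in the page's example.
PLUGIN_DIR = "/var/opt/nevisdetect/core/plugins/"
LINE = re.compile(r"^plugin\.(\d+)\.(\w+)\s*=\s*(.*)$")

def lint_plugins(text):
    """Return a sorted list of findings for the body of a plugins.properties file."""
    entries, findings = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                                  # blank line or comment
        m = LINE.match(line)
        if not m:
            findings.append(f"unrecognized line: {line}")
            continue
        n, attr, value = m.group(1), m.group(2), m.group(3).strip()
        if attr not in REQUIRED:
            findings.append(f"plugin.{n}: unknown attribute '{attr}'")
        elif attr in entries[n]:
            findings.append(f"plugin.{n}: duplicate '{attr}'")
        entries[n][attr] = value
    for n, attrs in entries.items():
        for attr in REQUIRED:
            if not attrs.get(attr):
                findings.append(f"plugin.{n}: missing '{attr}'")
        for attr in ("jar", "configuration"):
            path = attrs.get(attr, "")
            if path and (not path.startswith(PLUGIN_DIR) or "/../" in path):
                findings.append(f"plugin.{n}: {attr} outside {PLUGIN_DIR}: {path}")
    return sorted(findings)

# Constructed sample: entry 1 is complete, entry 2 has no configuration and
# names a jar in a temporary directory.
SAMPLE = """\
# test plugin 1
plugin.1.class=ch.nevis.nevisDetect.core.test.TestPlugin
plugin.1.jar=/var/opt/nevisdetect/core/plugins/nevisdetect-core-tests.jar
plugin.1.configuration=/var/opt/nevisdetect/core/plugins/test-plugin-1.properties
plugin.2.class=ch.nevisDetect.plugin.behaviosec.BehavioSecPlugin
plugin.2.jar=/tmp/behaviosec-plugin.jar
"""

if __name__ == "__main__":
    for finding in lint_plugins(SAMPLE):
        print(finding)
```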

BehavioSec plug-in

The table below lists the plug-in specific attributes of the BehavioSec plug-in. You specify these attributes in the file behaviosec-plugin.properties.

| Name | Type/unit | Example / Default | Description |
| --- | --- | --- | --- |
| colorCodes | list of string tuples | Example and default: BehavioSecTransaction:#FF8000, BehavioSecSession:#FFFF00, BehavioSecRisk:#FF4D00 | Defines the HTML color codes of the BehavioSec risk scores. The risk scores will be shown in these colors in the nevisDetect web application. |
| riskScores | list of strings | Example and default: BehavioSecTransaction, BehavioSecSession, BehavioSecRisk | Defines the plug-in risk scores that will be extracted/converted from the response of the BehavioSense service. |
| proxy | DNS name/port | adnprox01.zh.adnovum.ch:3128 | Specifies the outbound proxy. This attribute is optional. |
| dashboard | URL | | Specifies the URL of the BehavioSense dashboard. |
| url | URL | | Specifies the URL of the BehavioSense service. |
| http.client.connectTimeout | int/msec | 500 | The timeout for establishing a TCP connection. |
| http.client.keyStore | file | file:/var/opt/neviskeybox/default/nevisdetect/behaviosec_keystore.jks | The Java keystore file used for establishing the TLS connection. |
| http.client.keyStorePassword | string | | The passphrase for the keystore. |
| http.client.trustStore | file | file:/var/opt/neviskeybox/default/nevisdetect/behaviosec_truststore.jks | The Java truststore file used for establishing the TLS connection. |
| http.client.trustStorePassword | string | | The passphrase for the truststore. |
| finalizeSession | boolean | true | Defines whether to call finalizeSession if the session is terminated. The default is "true". |
| training.operatorFlags | integer | 0 | Sets the operator flags for the call to the BehavioSense service in the training mode. For details, see http://developer.behaviosec.com/docapi/5.2/#operator-flags. |
| detection.operatorFlags | integer | 0 | Sets the operator flags for the call to the BehavioSense service in the detection mode. For more details, see http://developer.behaviosec.com/docapi/5.2/#operator-flags. |
| reportFlags | integer | 0 | Sets the report flag for the call to the BehavioSense service. For more details, see http://developer.behaviosec.com/docapi/5.2/#report-flags. |
| riskScoreIgnoreFlags | boolean | true | Defines whether the following BehavioSec flags in the response influence the risk score: coached, diError, drFlag, otjsError, pnFlag, ohFlag, pdError, isBot, tabAnomaly, pocAnomaly, numpadAnomaly, ipChanged, deviceChanged, isDataCorrupted, isSessionCorrupted, isReplay. If the attribute is set to "true", the above flags are ignored (that is, the flags will not influence the risk score). |
| uniqueLoginId | boolean | false | Defines whether to send the loginId (instead of the uniqueId) to the BehavioSec plug-in. Set to "true" only if the loginId is unique. |
| tenantId | string | default_tenant | Specifies the optional tenant ID of BehavioSense. |
| supportedMimeTypes | list of strings | application/behaviosec | The MIME type(s) of the part of a multi-part HTTP request that contains BehavioSec data. |
| fraudulentFlags | list of strings | Example: isBot, isDataCorrupted, isSessionCorrupted, isReplay. Default: diError, pdError, isBot, isRemoteAccess, uiScoreFlag, uiConfidenceFlag, tabAnomaly, pocAnomaly, numpadAnomaly, ipChanged, deviceChanged, isDataCorrupted, isSessionCorrupted, isReplay, coached, drFlag, ohFlag, otjsError, pnFlag advancedUser, deviceIdShared, deviceIntegrity, ipShared, newCountry, locationMismatch, travelTooFast | Optional. Take the flag names from the BehavioSec documentation. List all items in a single line separated by commas, or split them across lines (with \ + newline) to improve readability. The included report flags mark the request as fraudulent and block it. |
| flagDescMapping | list of strings | Example: flagName1=valueName1, flagName2=valueName2, flagName3=valueName3. Default: advancedUser=advancedUserScore, deviceChanged=deviceDesc, deviceIntegrity=deviceIntegrityDesc, diError=diDesc, finalized=finalizeTimestamp, isBot=botDesc, isDuplicate=duplicateDesc, isRemoteAccess=raDesc, isReplay=replayDesc, isSessionCorrupted=isSessionCorruptedDesc, locationMismatch=locationMismatchDesc, newCountry=ipCountry, numpadUsed=numpadRatio, otjsError=otjsDesc, pdError=pdDesc, pocUsed=pocRatio, tabUsed=tabRatio, travelTooFast=travelTooFastDesc, uiConfidenceFlag=uiConfidence, uiScoreFlag=uiScore | Optional. Take the flag and description / score names from the BehavioSec documentation. Add key=value pairs separated by commas to customize logging; the default values will be extended. List all items in a single line separated by commas, or split them across lines (with \ + newline) to improve readability. If a given flag is found, the associated value will also be logged along with it. Warning: assigning a new value to an already existing flag (such as those in the default configuration) will overwrite it! |
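
The overwrite warning for flagDescMapping, worked through as an added example (not code from nevisDetect or BehavioSec): it reads a flagDescMapping value written with \ + newline continuations, merges it over a subset of the defaults from the table above, and reports which default descriptions would be replaced. How the plug-in itself treats malformed items is not documented here; this check only lists them, and customBotNote, myFlag and myFlagDesc are hypothetical names.

```python
# Subset of the default mapping listed in the table above.
DEFAULTS = {"isBot": "botDesc", "isReplay": "replayDesc",
            "deviceChanged": "deviceDesc", "newCountry": "ipCountry"}

def read_property(text, key):
    """Return the value of `key`, joining lines that end with a backslash."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue                      # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]              # continuation: keep collecting
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)               # file ended on a continuation
    for entry in logical:
        name, _, value = entry.partition("=")
        if name.strip() == key:
            return value.strip()
    return None

def merge_flag_mapping(text, defaults=DEFAULTS):
    """Return (effective mapping, overwritten defaults, malformed items)."""
    effective, overwritten, malformed = dict(defaults), {}, []
    value = read_property(text, "flagDescMapping") or ""
    for item in filter(None, (p.strip() for p in value.split(","))):
        flag, sep, desc = (s.strip() for s in item.partition("="))
        if not (flag and sep and desc):
            malformed.append(item)        # not a flag=value pair
            continue
        if flag in defaults and defaults[flag] != desc:
            overwritten[flag] = (defaults[flag], desc)
        effective[flag] = desc
    return effective, overwritten, malformed

# Constructed excerpt of behaviosec-plugin.properties; customBotNote, myFlag
# and myFlagDesc are hypothetical names.
SAMPLE = """\
flagDescMapping=isBot=customBotNote, \\
    myFlag=myFlagDesc, \\
    brokenItem
"""

if __name__ == "__main__":
    effective, overwritten, malformed = merge_flag_mapping(SAMPLE)
    print("overwritten defaults:", overwritten)
    print("malformed items:", malformed)
```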

nevisAdapt plug-in

See chapter nevisAdapt plug-in for details on the configuration.

Proxy plug-in

The table below lists the plug-in specific attributes of the Proxy plug-in. You specify these attributes in the file proxy-plugin.properties.

| Name | Type/unit | Example | Description |
| --- | --- | --- | --- |
| colorCodes | list of string tuples | colorCodes=CyberDetectionTCP:#DF01D7, CyberDetectionTLS:#AF01D8 | Defines the HTML color codes of the plug-in's risk scores. The risk scores will be shown in these colors in the nevisDetect web application. |
| description.1, description.2, ... | string | description.1= Adapter for passing request to the cyber detection service © Company; description.2= support by [email protected] | Use this attribute to add a description of the plug-in. The attribute is optional. |
| name | string | CyberDetection | Specifies the name of the plug-in. |
| riskScores | list of strings | riskScores=CyberDetectionTCP, CyberDetectionTLS | Specifies a list of the risk scores delivered by the plug-in. |
| serviceMapping | list of string tuples | requestData: /service/processRequestData, terminateSession: /service/processSessionTermination, getVersion: /getVersion | Defines a list of supported methods and their mapping. The following methods are allowed: requestData, terminateSession, getVersion. The syntax of this attribute is: <method-name>:<path> |
| url | URL | | Defines the URL of the service. |
| http.client.connectTimeout | int/msec | 500 | The timeout for establishing a TCP connection. |
| http.client.retryTimeout | int/msec | 5000 | The retry timeout in case of a connection error or an HTTP error code. |
| http.client.keyStore | file | file: /var/opt/neviskeybox/default/nevisdetect/thirdparty_keystore.jks | The Java keystore file used for establishing the TLS connection. |
| http.client.keyStorePassword | string | | The passphrase for the keystore. |
| http.client.trustStore | file | file: /var/opt/neviskeybox/default/nevisdetect/thirdparty_truststore.jks | The Java truststore file used for establishing the TLS connection. |
| http.client.trustStorePassword | string | | The passphrase for the truststore. |