nevisDetect plug-ins
The nevisDetect plug-ins are dynamically loaded by the nevisDetect Core component. On loading, the system automatically reads several attributes for each plug-in from the file /var/opt/nevisdetect/core/conf/plugins.properties. The table below lists these attributes. Since there are multiple plug-ins, each attribute name is made unique by a counter. The value of the counter itself has no meaning. In the table, <n> denotes this counter:
Attribute | Description |
---|---|
plugin.<n>.class | The fully qualified Java class name of the plug-in. |
plugin.<n>.jar | The path of the jar file containing the plug-in class. |
plugin.<n>.configuration | The path of the configuration of the plug-in class. |
See also the following example:
```
# test plugin 1
plugin.1.class=ch.nevis.nevisDetect.core.test.TestPlugin
plugin.1.jar=/var/opt/nevisdetect/core/plugins/nevisdetect-core-tests.jar
plugin.1.configuration=/var/opt/nevisdetect/core/plugins/test-plugin-1.properties
# behaviosec plugin
plugin.2.class=ch.nevisDetect.plugin.behaviosec.BehavioSecPlugin
plugin.2.jar=/var/opt/nevisdetect/core/plugins/behaviosec-plugin.jar
plugin.2.configuration=/var/opt/nevisdetect/core/plugins/behaviosec-plugin.properties
```
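Because nevisDetect Core loads whatever class and jar each plugin.<n> entry names, this file is worth checking before a restart. The following added example (not part of the Nevis documentation or product) groups entries by counter and reports incomplete entries and paths that resolve outside the plug-in directory. The allowed directory is an assumption taken from the example paths above, and the sample input, including com.example.Unreviewed, is constructed.

```python
import posixpath
import re
from collections import defaultdict

REQUIRED = ("class", "jar", "configuration")
# Assumption: plug-in jars and configurations belong under the directory used in the page's example.
ALLOWED_DIR = "/var/opt/nevisdetect/core/plugins"
# Matches "plugin.<n>.<attribute>=<value>"; comment lines never match.
ENTRY = re.compile(r"^[ \t]*plugin\.(\d+)\.(\w+)[ \t]*=[ \t]*(.*)$", re.MULTILINE)

# Constructed sample: entry 2 lacks a configuration, entry 3's jar resolves outside ALLOWED_DIR.
SAMPLE = """\
# test plugin 1
plugin.1.class=ch.nevis.nevisDetect.core.test.TestPlugin
plugin.1.jar=/var/opt/nevisdetect/core/plugins/nevisdetect-core-tests.jar
plugin.1.configuration=/var/opt/nevisdetect/core/plugins/test-plugin-1.properties
plugin.2.class=ch.nevisDetect.plugin.behaviosec.BehavioSecPlugin
plugin.2.jar=/var/opt/nevisdetect/core/plugins/behaviosec-plugin.jar
plugin.3.class=com.example.Unreviewed
plugin.3.jar=/var/opt/nevisdetect/core/plugins/../../tmp/unreviewed.jar
plugin.3.configuration=/var/opt/nevisdetect/core/plugins/unreviewed.properties
"""

def audit_plugins(text):
    """Return {counter: [findings]} for each plugin.<n> group in plugins.properties text."""
    plugins = defaultdict(dict)
    for n, attr, value in ENTRY.findall(text):
        plugins[int(n)][attr] = value.strip()
    report = {}
    for n, attrs in sorted(plugins.items()):
        # Every plug-in needs all three attributes from the table above.
        findings = [f"missing plugin.{n}.{a}" for a in REQUIRED if not attrs.get(a)]
        for a in ("jar", "configuration"):
            path = attrs.get(a)
            # Lexical normalization collapses "..", so a path cannot hide behind the prefix.
            if path and not posixpath.normpath(path).startswith(ALLOWED_DIR + "/"):
                findings.append(f"plugin.{n}.{a} resolves outside {ALLOWED_DIR}")
        report[n] = findings
    return report

if __name__ == "__main__":
    for counter, findings in audit_plugins(SAMPLE).items():
        print(counter, findings or "ok")
```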
BehavioSec plug-in
The table below lists the plug-in specific attributes of the BehavioSec plug-in. You specify these attributes in the file behaviosec-plugin.properties.
Name | Type/unit | Example | Default | Description |
---|---|---|---|---|
colorCodes | list of string tuples | BehavioSecTransaction:#FF8000, BehavioSecSession:#FFFF00, BehavioSecRisk:#FF4D00 | BehavioSecTransaction:#FF8000, BehavioSecSession:#FFFF00, BehavioSecRisk:#FF4D00 | Defines the HTML color codes of the BehavioSec risk scores. The risk scores will be shown in these colors in the nevisDetect web application. |
riskScores | list of strings | BehavioSecTransaction, BehavioSecSession, BehavioSecRisk | BehavioSecTransaction, BehavioSecSession, BehavioSecRisk | Defines the plug-in risk scores that will be extracted/converted from the response of the BehavioSense service. |
proxy | DNS name/port | adnprox01.zh.adnovum.ch:3128 | | Specifies the outbound proxy. This attribute is optional. |
dashboard | URL | | | Specifies the URL of the BehavioSense dashboard. |
url | URL | | | Specifies the URL of the BehavioSense service. |
http.client.connectTimeout | int/msec | 500 | | The timeout for establishing a TCP connection. |
http.client.keyStore | file | file:/var/opt/neviskeybox/default/nevisdetect/behaviosec_keystore.jks | | The Java keystore file used for establishing the TLS connection. |
http.client.keyStorePassword | string | | | The passphrase for the keystore. |
http.client.trustStore | file | file:/var/opt/neviskeybox/default/nevisdetect/behaviosec_truststore.jks | | The Java truststore file used for establishing the TLS connection. |
http.client.trustStorePassword | string | | | The passphrase for the truststore. |
finalizeSession | boolean | true | | Defines whether to call finalizeSession if the session is terminated. The default is "true". |
training.operatorFlags | integer | 0 | | Sets the operator flags for the call to the BehavioSense service in the training mode. For details, see http://developer.behaviosec.com/docapi/5.2/#operator-flags. |
detection.operatorFlags | integer | 0 | | Sets the operator flags for the call to the BehavioSense service in the detection mode. For more details, see http://developer.behaviosec.com/docapi/5.2/#operator-flags. |
reportFlags | integer | 0 | | Sets the report flag for the call to the BehavioSense service. For more details, see http://developer.behaviosec.com/docapi/5.2/#report-flags. |
riskScoreIgnoreFlags | boolean | true | | Defines whether the following BehavioSec flags in the response influence the risk score: coached, diError, drFlag, otjsError, pnFlag, ohFlag, pdError, isBot, tabAnomaly, pocAnomaly, numpadAnomaly, ipChanged, deviceChanged, isDataCorrupted, isSessionCorrupted, isReplay. If the attribute is set to "true", the above flags are ignored (that is, the flags will not influence the risk score). |
uniqueLoginId | boolean | false | | Defines whether to send the loginId (instead of the uniqueId) to the BehavioSec plug-in. Set to "true" only if the loginId is unique. |
tenantId | string | default_tenant | | Specifies the optional tenant ID of BehavioSense. |
supportedMimeTypes | list of strings | application/behaviosec | | The MIME type(s) of the part of a multi-part HTTP request that contains BehavioSec data. |
fraudulentFlags | list of strings | isBot, isDataCorrupted, isSessionCorrupted, isReplay | diError, pdError, isBot, isRemoteAccess, uiScoreFlag, uiConfidenceFlag, tabAnomaly, pocAnomaly, numpadAnomaly, ipChanged, deviceChanged, isDataCorrupted, isSessionCorrupted, isReplay, coached, drFlag, ohFlag, otjsError, pnFlag, advancedUser, deviceIdShared, deviceIntegrity, ipShared, newCountry, locationMismatch, travelTooFast | Optional. Take the flag names from the BehavioSec documentation. List all items in a single line separated by commas, or further separate them (with \ + newline) to improve readability. The included report flags mark the request as fraudulent and block it. |
flagDescMapping | list of strings | flagName1=valueName1, flagName2=valueName2, flagName3=valueName3 | advancedUser=advancedUserScore, deviceChanged=deviceDesc, deviceIntegrity=deviceIntegrityDesc, diError=diDesc, finalized=finalizeTimestamp, isBot=botDesc, isDuplicate=duplicateDesc, isRemoteAccess=raDesc, isReplay=replayDesc, isSessionCorrupted=isSessionCorruptedDesc, locationMismatch=locationMismatchDesc, newCountry=ipCountry, numpadUsed=numpadRatio, otjsError=otjsDesc, pdError=pdDesc, pocUsed=pocRatio, tabUsed=tabRatio, travelTooFast=travelTooFastDesc, uiConfidenceFlag=uiConfidence, uiScoreFlag=uiScore | Optional. Take the flag and description / score names from the BehavioSec documentation. Add key=value pairs separated by commas to customize logging; the default values will be extended. List all items in a single line separated by commas, or further separate them (with \ + newline) to improve readability. If a given flag is found, the associated value will also be logged along with it. Warning: assigning a new value to an already existing flag (such as those in the default configuration) will overwrite it! |
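An added example (not Nevis code) that models the merge described for flagDescMapping: configured pairs extend the defaults, and a pair that reuses a default flag name overwrites it, which the function reports so the change is deliberate. It also reads a fraudulentFlags list split with \ + newline; the sample fragment and the names customFlag, customDesc and myBotText are constructed.

```python
import re

# Default flagDescMapping exactly as listed in the table above.
DEFAULT_MAPPING = (
    "advancedUser=advancedUserScore, deviceChanged=deviceDesc, deviceIntegrity=deviceIntegrityDesc, "
    "diError=diDesc, finalized=finalizeTimestamp, isBot=botDesc, isDuplicate=duplicateDesc, "
    "isRemoteAccess=raDesc, isReplay=replayDesc, isSessionCorrupted=isSessionCorruptedDesc, "
    "locationMismatch=locationMismatchDesc, newCountry=ipCountry, numpadUsed=numpadRatio, "
    "otjsError=otjsDesc, pdError=pdDesc, pocUsed=pocRatio, tabUsed=tabRatio, "
    "travelTooFast=travelTooFastDesc, uiConfidenceFlag=uiConfidence, uiScoreFlag=uiScore"
)

# Constructed behaviosec-plugin.properties fragment; customFlag, customDesc, myBotText are made up.
SAMPLE = r"""
fraudulentFlags=isBot, isReplay, \
    isDataCorrupted
flagDescMapping=customFlag=customDesc, \
    isBot=myBotText
"""

def load_properties(text):
    """Minimal .properties reader: joins backslash-newline continuations, skips comments."""
    props = {}
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_mapping(value):
    # Turn "flag=desc, flag2=desc2" into a dict; items without "=" are skipped.
    pairs = (item.split("=", 1) for item in split_list(value) if "=" in item)
    return {flag.strip(): desc.strip() for flag, desc in pairs}

def effective_mapping(props):
    """Return (merged mapping, overwritten defaults) following the documented merge rule."""
    defaults = parse_mapping(DEFAULT_MAPPING)
    custom = parse_mapping(props.get("flagDescMapping", ""))
    overwritten = {f: (defaults[f], d) for f, d in custom.items()
                   if f in defaults and defaults[f] != d}
    return {**defaults, **custom}, overwritten

if __name__ == "__main__":
    merged, overwritten = effective_mapping(load_properties(SAMPLE))
    print("overwritten defaults:", overwritten)
```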
nevisAdapt plug-in
See chapter nevisAdapt plug-in for details on the configuration.
Proxy plug-in
The table below lists the plug-in specific attributes of the Proxy plug-in. You specify these attributes in the file proxy-plugin.properties.
Name | Type/unit | Example | Description |
---|---|---|---|
colorCodes | list of string tuples | colorCodes=CyberDetectionTCP:#DF01D7, CyberDetectionTLS:#AF01D8 | Defines the HTML color codes of the plug-in's risk scores. The risk scores will be shown in these colors in the nevisDetect web application. |
description.1, description.2, ... | string | description.1= Adapter for passing request to the cyber detection service © Company description.2= support by [email protected] | Use this attribute to add a description of the plug-in. The attribute is optional. |
name | string | CyberDetection | Specifies the name of the plug-in. |
riskScores | list of strings | riskScores=CyberDetectionTCP, CyberDetectionTLS | Specifies a list of the risk scores delivered by the plug-in. |
serviceMapping | list of string tuples | requestData: /service/processRequestData, terminateSession: /service/processSessionTermination, getVersion: /getVersion | Defines a list of supported methods and their mapping. The following methods are allowed: requestData, terminateSession, getVersion. The syntax of this attribute is: <method-name>:<path> |
url | URL | | Defines the URL of the service. |
http.client.connectTimeout | int/msec | 500 | The timeout for establishing a TCP connection. |
http.client.retryTimeout | int/msec | 5000 | The retry timeout in case of a connection error or an HTTP error code. |
http.client.keyStore | file | file:/var/opt/neviskeybox/default/nevisdetect/thirdparty_keystore.jks | The Java keystore file used for establishing the TLS connection. |
http.client.keyStorePassword | string | | The passphrase for the keystore. |
http.client.trustStore | file | file:/var/opt/neviskeybox/default/nevisdetect/thirdparty_truststore.jks | The Java truststore file used for establishing the TLS connection. |
http.client.trustStorePassword | string | | The passphrase for the truststore. |