
Config Reference

Config Push Protocol

Users can customize the information the controller sends so that it receives different settings based on its department. The payload should include fields such as guid, hostname, version, ip_addresses, mac_address, os, and label.

watchdog_config

  1. Label Matching: This is the highest priority. If the controller's label field matches the label specified in the mapping.conf file, the department associated with that label is selected immediately.
  2. Hostname Matching: If no label match is found, the system checks if the controller's hostname matches the pattern defined for a department. A wildcard (*) can be used in the hostname pattern to allow for partial matching.
  3. IP Address Matching: If neither label nor hostname matches, the IP address is compared. The controller's IP addresses are checked to see if any of them fall within the subnet ranges specified for a department.
  4. MAC Address Matching: If no IP address matches, the system tries to match the controller's MAC address against a pattern that can include wildcards.
  5. Operating System (OS) Matching: As the last option, the controller's OS is compared against the OS specified for the department. The system performs a partial match if a wildcard (*) is used, ensuring that different versions of the same OS can be grouped together.

The matching process is not case-sensitive.

The process follows a first-match-wins strategy. As soon as a match is found, the department associated with that match is selected, and the remaining conditions are ignored.

Example Workflow of Matching

Here’s a simple example to illustrate how the matching process works:

  • Controller Information:
    • Label: "hr"
    • Hostname: "newyork-hr1"
    • IP Addresses: ["123.11.219.5"]
    • MAC Address: "23:ab:12:45:67:89"
    • OS: "linux"

  • Matching Process:
    • Label Matching: The system checks the label "hr". The HR department has a matching label, so HR is selected immediately.
    • Hostname, IP, MAC, and OS: Since the label matched, the system does not evaluate the remaining conditions (hostname, IP, MAC, or OS).

The HR department is selected based on the label match, even though other conditions might also match.
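The matching order above and the HR walkthrough, as an added worked example in Python (this is not BrowserMon's own code): a first-match-wins selector that evaluates label, hostname, IP subnet, MAC and OS in that priority, case-insensitively. The department list is a constructed stand-in for mapping.conf, whose on-disk syntax this page does not show; the criterion loop is outermost so that a label match on any department beats a hostname match on another, which is how "label matching is the highest priority" is read here.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the watchdog's mapping.conf, whose on-disk syntax
# this page does not show. Each department may define any subset of the
# five criteria; absent criteria never match.
DEPARTMENTS = [
    {"name": "hr", "label": "hr", "hostname": "*-hr*"},
    {"name": "finance", "hostname": "FIN-*", "ip_subnets": ["10.20.0.0/16"]},
    {"name": "lab", "mac": "23:ab:*", "os": "linux*"},
    {"name": "windows-default", "os": "windows*"},
]


def _glob(pattern, value):
    """Case-insensitive match where '*' in the pattern matches any run of characters."""
    if pattern is None or value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _in_any_subnet(subnets, addresses):
    """True if any controller address lies inside any department subnet."""
    nets = [ipaddress.ip_network(c, strict=False) for c in subnets or []]
    for addr in addresses or []:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # malformed address in the payload: ignore it
            continue
        if any(ip in net for net in nets):
            return True
    return False


# Criteria in priority order. Label is an exact (case-insensitive) comparison;
# hostname, MAC and OS accept '*' wildcards; IP uses CIDR subnets.
MATCHERS = [
    ("label", lambda d, c: d.get("label") is not None and c.get("label") is not None
                           and d["label"].lower() == c["label"].lower()),
    ("hostname", lambda d, c: _glob(d.get("hostname"), c.get("hostname"))),
    ("ip", lambda d, c: _in_any_subnet(d.get("ip_subnets"), c.get("ip_addresses"))),
    ("mac", lambda d, c: _glob(d.get("mac"), c.get("mac_address"))),
    ("os", lambda d, c: _glob(d.get("os"), c.get("os"))),
]


def select_department(controller, departments=DEPARTMENTS):
    """Return (department name, criterion that matched) or (None, None).

    The criterion loop is outermost so a label match on any department wins
    over a hostname match on another, and so on down the list. The first hit
    returns immediately; the remaining criteria are never evaluated.
    """
    for criterion, matches in MATCHERS:
        for dept in departments:
            if matches(dept, controller):
                return dept["name"], criterion
    return None, None


if __name__ == "__main__":
    # Constructed payload mirroring the page's worked example.
    payload = {"label": "HR", "hostname": "newyork-hr1",
               "ip_addresses": ["123.11.219.5"],
               "mac_address": "23:ab:12:45:67:89", "os": "linux"}
    print(select_department(payload))  # ('hr', 'label')
```

Because the label is the highest-priority criterion and it is whatever the controller reports, the selector treats it as a self-declared hint: a host that sets its own label picks its own department, so departments whose settings are sensitive should be keyed on hostname or subnet rather than label alone.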

browsermon.conf

[server]
watchdog_ip=0.0.0.0
watchdog_port=8900
[installation]
install_dir=C:\\browsermon
[elastic]
host=localhost
port=9200
username=Browsermon
password=BrowsermonElasticUser
eti_index=threat_index
ucs_index=eunomatix_ucs
[default]
browser=firefox
mode=scheduled
schedule_window=1m
logdir=C:\\browsermon\\history
logmode=csv
rotation=1h
backup_count=0
log_level=DEBUG
kafka_mode=true
kafka_server_url=localhost:9092
eti_mode=false
ucs_mode=false
extension_read_mode=false
cache_ttl=30d
cache_max_size=1000
machine_label=DefaultLabel
[extensions]
extensions_scheduler=24h
extensions_backup_count=5

Configuration Explanation

  • watchdog_ip: IP address of the Watchdog server.
  • watchdog_port: Port number where Watchdog service listens for connections.
  • install_dir: Directory into which BrowserMon is installed.
  • host: Hostname or IP address of the [elastic] server that holds the eti/ucs indices.
  • port: Port on which that server listens.
  • username: Username for eti/ucs authentication.
  • password: Password for eti/ucs authentication. It is stored in clear text in browsermon.conf, so restrict read access to the file.
  • eti_index: Name of the eti index from which threat intel data is fetched.
  • ucs_index: Name of the ucs index from which classification data is fetched.
  • browser: Specifies the browser(s) to monitor, such as Firefox, Chrome, or Edge.
  • mode: Determines whether BrowserMon operates in scheduled mode (default) or real-time mode.
  • schedule_window: Sets the interval between each browser data collection iteration.
  • logdir: Defines the directory where browser history log files are stored.
  • logmode: Specifies the format of the history log files (CSV or JSON).
  • rotation: Sets the interval for rotating history log files.
  • backup_count: Defines the number of backup copies of history log files to retain.
  • log_level: Specifies the logging level (INFO or DEBUG).
  • kafka_mode: Enables (true) or disables (false) Kafka integration for centralized logging.
  • kafka_server_url: URL of the bootstrap Kafka server.
  • eti_mode: Enables (true) or disables (false) EUNOMATIX Threat Intel service.
  • ucs_mode: Enables (true) or disables (false) EUNOMATIX URL Classification Service.
  • extension_read_mode: Enables (true) or disables (false) Extension reading mode.
  • cache_ttl: Amount of time a URL remains in the cache.
  • cache_max_size: Upper bound on the number of URLs the cache can hold, e.g. a value of 100 means at most 100 URLs are cached.
  • machine_label: The label sent in the payload to the Watchdog server. It can be set in browsermon.conf or overridden in browsermon-local.conf. Because label matching has the highest priority on the Watchdog, a controller that sets its own label effectively chooses its own department.
  • extensions_scheduler: Defines the interval between extensions data read iterations.
  • extensions_backup_count: Defines the number of backup copies of extensions log files to retain. The time between consecutive backups equals the interval set in extensions_scheduler.

*All of these config variables can be overridden in the browsermon-local.conf file except watchdog_ip, watchdog_port, extensions_scheduler and extensions_backup_count.

Order of Precedence

BrowserMon 4.0 layers three configuration files so that settings can be tailored to organizational needs. browsermon-watchdog.conf and browsermon-local.conf can be changed at run time and are re-read every 30 minutes:

  1. Default Configuration (browsermon.conf): Provides the baseline settings for all deployments.

  2. Central Watchdog Configuration (browsermon-watchdog.conf): Overrides the default configuration for centralized management. This configuration is received from the Watchdog server and written to the browsermon-watchdog.conf file in the installation directory.

  3. Local Configuration (browsermon-local.conf): Allows local administrators to customize settings for specific requirements, overriding both the default and the watchdog configuration (except for the keys that cannot be changed locally, listed above).
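The three-layer precedence, as an added example in Python (not BrowserMon's own code): it merges the files in the order above with later layers winning, refuses local overrides of the four keys that browsermon-local.conf may not change, and converts the page's duration values (1m, 1h, 30d) to seconds. The baseline is a trimmed copy of the page's browsermon.conf; the watchdog and local file contents are constructed, and the unit letters accepted by parse_duration are an assumption (the page shows only m, h and d).

```python
import configparser

# Keys the page says browsermon-local.conf may not override.
LOCKED_KEYS = {
    ("server", "watchdog_ip"),
    ("server", "watchdog_port"),
    ("extensions", "extensions_scheduler"),
    ("extensions", "extensions_backup_count"),
}

# Trimmed copy of the page's browsermon.conf (baseline layer).
DEFAULT_CONF = """\
[server]
watchdog_ip=0.0.0.0
watchdog_port=8900
[default]
browser=firefox
mode=scheduled
schedule_window=1m
log_level=DEBUG
cache_ttl=30d
machine_label=DefaultLabel
[extensions]
extensions_scheduler=24h
extensions_backup_count=5
"""

# Constructed: what the Watchdog server pushed for this department.
WATCHDOG_CONF = """\
[default]
browser=chrome
schedule_window=5m
log_level=INFO
"""

# Constructed: a local admin turning DEBUG back on and (improperly)
# trying to repoint the agent at a different Watchdog.
LOCAL_CONF = """\
[default]
log_level=DEBUG
[server]
watchdog_ip=10.0.0.5
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # assumed unit suffixes


def parse_duration(text):
    """Convert values like '1m', '1h', '30d' to seconds."""
    text = text.strip().lower()
    if len(text) < 2 or text[-1] not in _UNITS or not text[:-1].isdigit():
        raise ValueError(f"bad duration: {text!r}")
    return int(text[:-1]) * _UNITS[text[-1]]


def _parse(text):
    # strict=True (the default) rejects a key repeated within one section,
    # so a malformed layer fails loudly instead of silently picking a value.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def resolve(default_text, watchdog_text=None, local_text=None):
    """Merge the layers, later layers winning; report rejected local keys.

    Returns (effective, rejected) where effective is {section: {key: value}}
    and rejected lists (section, key) pairs the local file tried to change
    but is not allowed to.
    """
    effective, rejected = {}, []
    for origin, text in (("default", default_text),
                         ("watchdog", watchdog_text),
                         ("local", local_text)):
        if not text:
            continue
        cp = _parse(text)
        for section in cp.sections():
            for key, value in cp.items(section):
                if origin == "local" and (section, key) in LOCKED_KEYS:
                    rejected.append((section, key))
                    continue
                effective.setdefault(section, {})[key] = value
    return effective, rejected


if __name__ == "__main__":
    cfg, bad = resolve(DEFAULT_CONF, WATCHDOG_CONF, LOCAL_CONF)
    print(cfg["default"]["browser"], cfg["default"]["log_level"], cfg["server"]["watchdog_ip"])
    print("rejected local overrides:", bad)
    print("cache_ttl seconds:", parse_duration(cfg["default"]["cache_ttl"]))
```

Logging rejected overrides rather than silently dropping them is deliberate: a local file that keeps trying to change watchdog_ip is exactly the kind of tampering an administrator wants surfaced at the 30-minute refresh.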

Config Precedence