Application identification
The QFlow process uses algorithms to determine the flow application. Each algorithm relies on different types of information to determine the application.
IBM® QRadar® Network Insights relies on its own set of inspectors and application detection methods. QRadar Network Insights, the QFlow algorithms are used only when QRadar Network Insights cannot identify a specific protocol.
| Numeric value | Algorithm name | Description |
|---|---|---|
| 2 | Application signatures | A payload-based algorithm that looks at the way that the payload is structured. This algorithm uses information from the signatures.xml file. |
| 3 | State-based decoding | A payload-based algorithm that uses complex internal logic. |
| 4 | QRadar port-based mapping | A port-based algorithm that uses a pre-defined list of application mappings. This algorithm uses information from the /opt/qradar/conf/appid_map.conf file. |
| 5 | User port-based mapping | A port-based algorithm that uses a customizable list of application mappings. Use this algorithm to add new port-based mappings or reclassify existing mappings that come with QRadar. This algorithm uses information from the /opt/qradar/conf/user_application_mapping.conf file. |
| 6 | ICMP protocol mapping | A protocol-based algorithm that looks at the protocol type and code. |
| 7 | Flow exporter | An algorithm that relies on the Flow Exporter to determine the application. For example, the QFlow process inherently trusts application IDs that come from QRadar Network Insights. |
| 8 | QNI Application Signatures | This algorithm is used by QRadar Network Insights. |
| 9 | QNI Inspectors | This algorithm was removed in QRadar Network Insights 7.5.0. |
| 10 | X-Force Web Application Classification | This algorithm is used by QRadar Network Insights. |
| 11 New in 7.5.0 |
QNI port heuristics | This algorithm is used by QRadar Network Insights. It indicates that the application is identified by using port-based heuristics, and represents a low degree of confidence. |
| 12 New in 7.5.0 |
QNI initial data | This algorithm is used by QRadar Network Insights. It indicates that the application is identified by using the initial data in the flow session, and represents a medium degree of confidence. |
| 13 New in 7.5.0 |
QNI parsers | This algorithm is used by QRadar Network Insights. It indicates that the application is identified by parsing the available data, and represents the highest degree of confidence. |
Custom applications
If your organization has nonstandard or customized applications, you can add them to the /opt/qradar/conf/user_application_mapping.conf or signatures.xml files.
You can use the Application Determination Algorithm field to check that the correct algorithm was used to identify your customized applications. For example, you might define a custom application based on the port usage. Flows from that application are identified by algorithm 5, which is User Port Based Mapping. By verifying the algorithm that is used to identify the application, you can assign a level of confidence to the application mapping.
For more information, see Defining new applications and Default applications in the IBM QRadar Application Configuration Guide.