Application detection
Application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the application from the signature and port. It is used when no other inspectors can detect an application, session, or protocol. IBM® QRadar® Network Insights relies on its own set of inspectors and application detection methods. The QFlow algorithms are used only when QRadar Network Insights cannot identify a specific protocol.
The application determination algorithms are shown in the following table.
| Numeric value | Algorithm name | Description |
|---|---|---|
| 2 | Application signatures | A payload-based algorithm that looks at the way that the payload is structured. This algorithm uses information from the signatures.xml file. |
| 3 | State-based decoding | A payload-based algorithm that uses complex internal logic. |
| 4 | QRadar port-based mapping | A port-based algorithm that uses a pre-defined list of application mappings. This algorithm uses information from the /opt/qradar/conf/appid_map.conf file. |
| 5 | User port-based mapping | A port-based algorithm that uses a customizable list of application mappings. Use this algorithm to add new port-based mappings or reclassify existing mappings that come with QRadar. This algorithm uses information from the /opt/qradar/conf/user_application_mapping.conf file. |
| 6 | ICMP protocol mapping | A protocol-based algorithm that looks at the protocol type and code. |
| 7 | Flow exporter | An algorithm that relies on the Flow Exporter to determine the application. For example, the QFlow process inherently trusts application IDs that come from QRadar Network Insights. |
| 8 | QNI Application Signatures | This algorithm is used by QRadar Network Insights. |
| 9 | QNI Inspectors | This algorithm is used by QRadar Network Insights. |
| 10 | X-Force Web Application Classification | This algorithm is used by QRadar Network Insights. |
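The following is an added illustration, not IBM's code, of how the methods in the table combine to produce an application name and an Application Determination Algorithm value for a flow. The signature list, the two port maps and the ICMP map are constructed stand-ins (the real formats of signatures.xml, appid_map.conf and user_application_mapping.conf are not reproduced), and the order in which the methods are tried is an assumption made for this example: payload signatures first, then user port mappings ahead of QRadar's defaults so that a user entry can reclassify a port, with ICMP flows handled by type and code. It also shows the 64-byte limit at work: a signature that starts after the first 64 bytes of payload is not seen, and the flow falls back to port mapping.

```python
# Added example (not QRadar's own code): toy model of flow application
# determination using the algorithm values from the table above.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAYLOAD_INSPECT_BYTES = 64  # only the first 64 bytes of payload are inspected

# Algorithm numeric values taken from the table.
ALGO_SIGNATURE = 2      # Application signatures
ALGO_QRADAR_PORT = 4    # QRadar port-based mapping
ALGO_USER_PORT = 5      # User port-based mapping
ALGO_ICMP = 6           # ICMP protocol mapping

# Constructed signature list: (byte pattern looked for in the payload head, application).
# Stand-in for signatures.xml; the real file format is not reproduced here.
SIGNATURES = [
    (b"SSH-2.0-", "SSH"),
    (b"GET /", "HTTP"),
    (b"\x16\x03\x01", "TLS"),
]

# Constructed stand-in for /opt/qradar/conf/appid_map.conf (port -> application).
QRADAR_PORT_MAP: Dict[int, str] = {22: "SSH", 80: "HTTP", 443: "HTTPS", 8080: "HTTP-Alt"}

# Constructed stand-in for /opt/qradar/conf/user_application_mapping.conf.
# It reclassifies port 8080 and adds a port the default map does not know.
USER_PORT_MAP: Dict[int, str] = {8080: "InternalAdminConsole", 9200: "Elasticsearch"}

# Constructed ICMP (type, code) -> application mapping.
ICMP_MAP = {(8, 0): "ICMP-EchoRequest", (0, 0): "ICMP-EchoReply", (3, 3): "ICMP-PortUnreachable"}


@dataclass
class Flow:
    ip_proto: int         # 1 = ICMP, 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    payload: bytes
    icmp_type: int = 0
    icmp_code: int = 0


def match_signature(payload: bytes) -> Optional[str]:
    """Search for a known pattern within the first 64 bytes of payload only."""
    head = payload[:PAYLOAD_INSPECT_BYTES]
    for pattern, app in SIGNATURES:
        if pattern in head:
            return app
    return None


def match_port(port_map: Dict[int, str], flow: Flow) -> Optional[str]:
    """Port-based lookup: destination port first, then source port."""
    for port in (flow.dst_port, flow.src_port):
        if port in port_map:
            return port_map[port]
    return None


def determine_application(flow: Flow) -> Tuple[Optional[int], str]:
    """Return (algorithm value, application name); (None, 'Unknown') if nothing matched.

    Method order is an assumption for this example: ICMP by type/code, then
    payload signatures, then user port mappings, then QRadar's default mappings.
    """
    if flow.ip_proto == 1:
        key = (flow.icmp_type, flow.icmp_code)
        app = ICMP_MAP.get(key, f"ICMP-type{flow.icmp_type}-code{flow.icmp_code}")
        return ALGO_ICMP, app
    app = match_signature(flow.payload)
    if app:
        return ALGO_SIGNATURE, app
    app = match_port(USER_PORT_MAP, flow)      # user entries override the defaults
    if app:
        return ALGO_USER_PORT, app
    app = match_port(QRADAR_PORT_MAP, flow)
    if app:
        return ALGO_QRADAR_PORT, app
    return None, "Unknown"


if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        Flow(6, 51234, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),          # signature hit
        Flow(6, 51234, 22, b"x" * 64 + b"SSH-2.0-OpenSSH"),       # banner past byte 64: port fallback
        Flow(6, 40000, 8080, b"\x00\x01binary"),                   # user mapping reclassifies 8080
        Flow(1, 0, 0, b"", icmp_type=8, icmp_code=0),              # ICMP echo request
        Flow(17, 50000, 60000, b"\xde\xad"),                       # nothing matches
    ]
    for f in samples:
        algo, app = determine_application(f)
        print(f"proto={f.ip_proto} dst_port={f.dst_port} -> algorithm={algo} application={app}")
```

When reviewing a flow whose Application Determination Algorithm value looks wrong, this model suggests where to look: a value of 2 means a payload pattern fired, 5 means a user mapping took precedence over the QRadar default, and 4 means the payload yielded nothing within the inspected bytes and only the port decided.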
You can see which type of application detection algorithm is used in the Application Determination Algorithm field on the Flow Information window.