Defining application mappings

To identify application signatures, create user-defined application mappings that are based on the IP address and port number.

Before you begin

You must add the new application IDs. For more information, see Defining new applications.

About this task

When you update the application mapping file, follow these guidelines:

  • Each line in the file indicates a mapped application. You can specify multiple mappings, each on a separate line, for the same application.
  • You can specify a wildcard character (*) for any field. Use the wildcard character alone, and not as part of a comma-separated list. The wildcard character indicates that the field applies to all flows.
  • You can associate a flow with multiple mappings. A flow is mapped to an application ID based on the mapping order in the file. The first mapping that applies in the file is assigned to the flow.
  • When you add new application ID numbers, you must create a new and unique application ID number. The application ID number must not exist in the apps.conf file. Use numbers in the range 15,000 - 20,000 for custom applications.
  • Each entry must follow this syntax:
    <New_ID> <Old_ID> <Source_IP_Address>:<Source_Port> <Dest_IP_Address>:<Dest_Port> <Name>

    <New_ID> specifies the application ID you want to assign to the flow. A value of 1 indicates an unknown application. If the ID you want to assign does not exist, you must create the ID in the apps.conf file. For more information, see Defining new applications.

    <Old_ID> specifies the default application ID of the flow, as assigned by QRadar®. A value of * indicates a wildcard character. A value of 0 or 1 indicates an application that has not been identified by another algorithm. If multiple application IDs are assigned, the application IDs are separated by commas.

  • If a wildcard character is not appropriate for <Old_ID>, or the application is currently being classified, determine the application ID with the following steps:
    1. Log in to the QRadar interface.
    2. Click the Network Activity tab.
    3. Pause the live stream and filter to find the flow that is misclassified.
    4. Double-click the affected flow.
    5. Hover over the value for the Application field to see ID and Desc. This ID can then be used in application mapping rules.
Table 1. Application IDs

  • <Source_IP_Address>: Specifies the source IP address of the flow. Can contain either a comma-separated list of addresses or CIDR values. A value of * indicates a wildcard character, which means that this field applies to all flows.
  • <Source_Port>: Specifies the associated source port. Can contain a comma-separated list of values or ranges that are specified in the format <lower_port_number>-<upper_port_number>. A value of * indicates a wildcard character, which means that this field applies to all flows.
  • <Dest_IP_Address>: Specifies the destination IP address of the flow. Can contain either a comma-separated list of addresses or CIDR values. A value of * indicates a wildcard character, which means that this field applies to all flows.
  • <Dest_Port>: Specifies the associated destination port. Can contain a comma-separated list of values or ranges that are specified in the format <lower_port_number>-<upper_port_number>. A value of * indicates a wildcard character, which means that this field applies to all flows.
  • <Name>: Specifies a name that you want to assign to this mapping. Values: Optional.

The following example from the mapping file /user_application_mapping.conf maps all flows that match the listed IP addresses and ports and that the QRadar Flow Collector assigned the old ID 1010. It assigns the new ID 15000 when the flow originates from either of the two listed sources in 10.100.* and is destined for a specific address on either of two destination ports:

15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443

The following example overrides the assigned name for application ID 1010. It also specifies a new application, ID 15100, for any traffic that goes to port 33333, or to a range of destination ports on specific addresses, or that matches the listed application overrides.

Important:

Due to PDF formatting, do not copy and paste the message formats directly into the interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the interface.

15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA
15100 * *:33333 10.35.20/24,10.33/16,10.77.34.12:33333,33350-33400 GameX
15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX

The following example shows the assignment of new application names and IDs based on matching three application IDs, one of which is the unknown-application identifier (1). These mappings match any traffic simply by its destination port:

21200 1,34803,34809 *:* *:123 ntp
34731 1,34803,34809 *:* *:1241 Nessus
2001 1,34803,34809 *:* *:1214 Kazaa
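As an added example that is not part of this documentation, the following Python script parses mapping lines in the format described above and applies the first-match rule to a flow, so you can sanity-check a mapping file and its line order before you deploy it. It treats QRadar's abbreviated CIDR forms such as 10.33/16 as 10.33.0.0/16, which is an assumption about the notation; the sample lines are constructed from this page's examples.

```python
import ipaddress

# Constructed sample built from this page's own examples; not a file from a live system.
SAMPLE = """\
15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15100 * *:33333 10.35.20/24,10.33/16,10.77.34.12:33333,33350-33400 GameX
21200 1,34803,34809 *:* *:123 ntp
"""

def _net(tok):
    # One address token -> ip_network. Shorthand such as 10.33/16 is padded to
    # 10.33.0.0/16 (an assumption about QRadar's notation); a bare host gets /32.
    addr, _, plen = tok.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def _nets(field):
    return None if field == "*" else [_net(t) for t in field.split(",")]

def _ports(field):
    # Port field -> list of (low, high) ranges, or None for '*'; "80" becomes (80, 80).
    pairs = (t.partition("-") for t in field.split(","))
    return None if field == "*" else [(int(lo), int(hi or lo)) for lo, _, hi in pairs]

def parse_mapping(text):
    # Keep file order: the first mapping that applies wins, so order is significant.
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4: continue  # blank or malformed line
        new_id, old_id, src, dst = parts[:4]
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        old_ids = None if old_id == "*" else {int(x) for x in old_id.split(",")}
        rules.append((int(new_id), old_ids, _nets(src_ip), _ports(src_port),
                      _nets(dst_ip), _ports(dst_port), parts[4] if len(parts) > 4 else ""))
    return rules

def _ip_ok(nets, ip): return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
def _port_ok(ranges, port): return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def classify(rules, old_id, src_ip, src_port, dst_ip, dst_port):
    """Return (new_id, name) from the first rule that applies, or None if none does."""
    for new_id, old_ids, s_nets, s_ports, d_nets, d_ports, name in rules:
        if ((old_ids is None or old_id in old_ids) and _ip_ok(s_nets, src_ip)
                and _port_ok(s_ports, src_port) and _ip_ok(d_nets, dst_ip)
                and _port_ok(d_ports, dst_port)):
            return new_id, name
    return None
```

A flow that no line matches keeps its QRadar-assigned ID, which `classify` reports as None.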

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. Access the Network Activity tab.
  3. To determine the default application IDs, hover your mouse pointer over the application field for a flow that is associated with the application you want to update.
  4. Choose one of the following options:
    • Open the following file:

      /store/configservices/staging/globalconfig/user_application_mapping.conf

    • If user_application_mapping.conf does not exist on your system, create an empty file with that name in the following directory: /store/configservices/staging/globalconfig/
  5. Update the file, as necessary.
  6. Save and exit the file.
  7. Log in to the QRadar user interface.
  8. Click the Admin tab.
  9. Click Deploy Changes.