Defining application signatures

Use the application signatures file to create IP address and content-based rules that assign application IDs to flows that QRadar does not automatically detect.

About this task

The application signatures file is a definition file that is distributed to all QRadar Flow Collectors by the primary QRadar Console. The file includes source and destination ports, and ranges.

The application signatures file includes the following characteristics:

  • Hex content is delimited with the pipe character (|): 
     <dstcontent offset="0" depth="4">|45 54|</dstcontent> 
    <dstcontent offset="0" depth="4">GET</dstcontent>
  • A flow can be associated with multiple signatures. A flow is mapped to an application ID based on the signature order in the file. The first signature that applies in the file is assigned to the flow.
  • When you edit the signatures.xml file, the data that is inserted between the XML tags is case-sensitive. For example, when you specify TCP within the XML tags, enter the value with all capital letters.
  • Modifying or removing existing signatures is not supported. Any changes made to the signatures will be restored on the next QRadar Auto Update. If any signature is consistently classifying flows incorrectly, please contact IBM Support.
  • To make a signature unique and not to be overwritten by QRadar Auto Update, the "appid" and "sigid" pair should be unique.

The following code is an example of a Signatures.xml file:

<signatures> 
  <signature>
   <appid>1009</appid> 
   <appname>IMAP</appname>
   <groupname>Mail</groupname>   
   <colour>#ff0000</colour>  
   <description>IMAP traffic</description>
   <revision>1</revision>
   <protocol>TCP</protocol>
   <srcip>any</srcip>
   <srcport>any</srcport>
   <dstip>any</dstip>
   <dstport>any</dstport>
   <commondstport>143</commondstport>
   <srccontent offset="0" depth="128" ignorecase="true">LOGIN</srccontent>
   <dstcontent offset="0" depth="5">* OK</dstcontent>
   <weight>30</weight> 
  </signature>
</signatures>

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. To change to the globalconfig directory, type the following command:

    cd /store/configservices/staging/globalconfig

  3. Open the following file:

    signatures.xml

  4. Make the necessary changes using the following parameters:
    Table 1. Application Signatures default parameters

    Parameter

    Description

    appid

    A unique ID for each application that you want to define. Use numbers in the 15,000 - 20,000 range for custom applications.

    appname

    The name of the application. The application name is used in the Network Activity and Offenses tabs.

    groupname

    Te group name for the application. Used only with the automatic generation script.

    description

    The long description of the application and any required notes for the particular signature.

    revisi on

    Use for version control.

    protocol

    If the same signature is required for more than one protocol, define the second signature.

    srcip

    The specific source IP address. Use multiple application identifications when more than one source IP address is required.

    srcport

    The specific source port for the signature. Use multiple application identifications when more than one source port is required.

    dstip

    The specific destination IP address. Use multiple application identifications when more destination IP addresses are required.

    dstport

    The specific destination port for the signature to execute. Use multiple application identifications when more than one destination port is required.

    commondstport

    The destination port that is most commonly associated with the application.

    commonsrcport

    The source port that is most commonly associated with the application.

    scrcontent <offset> <depth>

    <offset> is the offset in the payload where you want to begin searching for the source content. If no value is specified, the default is 0.

    <depth> is the offset in the payload you want to stop the search.

    For example, if you configure the following value, the payload is searched 5-15 bytes:

    scrcontent 5 10

    dstcontent <offset> <depth>

    <offset> is the offset in the payload where you want to begin searching for the destination content. If no value is specified, the default is 0.

    <depth> is the offset in the payload you want to stop the search.

    For example, if you configure the following the value, the payload is searched 5-15 bytes:

    scrcontent 5 10

    weight

    The weight that you want to assign this application. The weight influences any potential rules & offenses created based on data using this application. Increasing the value of the weight increases the magnitude of the offense when it is created.
  5. Save and exit the file.
  6. Log in to QRadar.
  7. Click the Admin tab.
  8. Click Deploy Changes.