IBM QRadar Version 7.4.1 Application Configuration Guide IBM Note Before you use this information and the product that it supports, read the information in “Notices” on page 51. Product information This document applies to IBM® QRadar® Security Intelligence Platform 7.4.2 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2014, 2020. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this guide.................................................................................................... v Chapter 1. Application mappings........................................................................... 1 Defining new applications............................................................................................................................1 Defining application mappings...............................................................................................................2 Defining application signatures..............................................................................................................4 Chapter 2. Default applications..............................................................................9 ICMP type and code IDs............................................................................................................................ 40 Port IDs...................................................................................................................................................... 42 Protocol IDs............................................................................................................................................... 50 Notices................................................................................................................51 Trademarks................................................................................................................................................ 52 Terms and conditions for product documentation................................................................................... 52 IBM Online Privacy Statement.................................................................................................................. 53 General Data Protection Regulation..........................................................................................................53 Privacy policy considerations ................................................................................................................... 54 iii iv About this guide The IBM QRadar Application Configuration Guide provides you with information about how to configure application mappings. Defining custom applications enables QRadar to classify applications that are used in a flow. Application mapping is useful when you investigate various types of security threats. Intended Audience The guide is intended for the system administrator who configures application mappings in your QRadar deployment. You must have QRadar administrative access and a knowledge of your corporate network and networking technologies. Technical documentation To find IBM QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome). For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss? rs=0&uid=swg21614644). Contacting customer support For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144). Statement of good security practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Please Note: Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM QRadar. © Copyright IBM Corp. 2014, 2020 v vi IBM QRadar : QRadar Application Configuration Guide Chapter 1. Application mappings IBM QRadar includes default application IDs. However, you can edit the application mapping file to ensure that traffic is appropriately classified in QRadar. What is an application ID? When QRadar detects a flow, it assigns an application ID to the flow. The application ID is assigned based on the protocol and ports that are used for the flow, and the flow content. QRadar default application IDs are allocated based on the Service Name and Transport Protocol Port Number Registry (http:// www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt). What tasks are required to map applications? When you create or customize an application mapping, do the following tasks in sequence. 1. Define new applications The application configuration file contains default applications. To define new applications, you must add new applications IDs to the application configuration file. 2. Map traffic to the new applications by using one of the following methods: • Define application mappings Update the application mapping file, which maps applications to application IDs based on IP address and port number. • Define application signatures Define application signatures to apply to flows that the default application mapping does not automatically detect. To assign application IDs to flows, this method requires you to create rules that are based on IP address, port, and content. To define port-only application signatures, configure port mappings in the application mapping file, not the application signatures file. Defining new applications To define new applications, edit the application configuration file. About this task When you define new applications in the apps.conf file, use the following syntax: <appname><appid> The <appname> is the name that appears on the Network Activity and Offenses tabs. When you specify the application name, you can define up to five levels of categorization, and each subcategory is separated by a number sign (#). QRadar uses only the first three categories. If an application contains fewer than five categories, include a number sign in place of each missing subcategory. The <appid> number must be unique. For custom applications, assign numbers that are in the 15,000 - 20,000 range. For example, to add Authentication#Radius-1646####51343 as an application ID, insert the application ID as follows: Authentication#Radius-1645####51342 Authentication#Radius-1646####51343 <- inserted application Authentication#Radius-1812####51344 Authentication#Radius-1813####51345 © Copyright IBM Corp. 2014, 2020 1 Procedure 1. Using SSH, log in to QRadar as the root user. 2. Open the following file: /store/configservices/staging/globalconfig/apps.conf 3. Insert the new applications, in alphabetical order. 4. Save and exit the file. 5. Log in to QRadar as an administrator. 6. Click the Admin tab. 7. On the toolbar, click Deploy Changes. What to do next Update the application mapping and applications signature files. Defining application mappings To identify application signatures, create user-defined application mappings that are based on the IP address and port number. Before you begin You must add the new application IDs. For more information, see “Defining new applications” on page 1. About this task When you update the application mapping file, follow these guidelines: • Each line in the file indicates a mapped application. You can specify multiple mappings, each on a separate line, for the same application. • You can specify a wildcard character (*) for any field. Use the wildcard character alone, and not as part of a comma-separated list. The wildcard character indicates that the field applies to all flows. • You can associate a flow with multiple mappings. A flow is mapped to an application ID based on the mapping order in the file. The first mapping that applies in the file is assigned to the flow. • When you add new application ID numbers, you must create a new and unique application ID number. The application ID number must not exist in the apps.conf file. Apply numbers that range 15,000 - 20,000 for custom applications. • The