IBM QRadar

Hey there Aleksey,

All of those example applications you gave above use the "state based decoding" algorithm (https://www.ibm.com/docs/en/qsip/7.4?topic=monitoring-application-identification) which looks for particular patterns inside the payload to determine whether the traffic is of a certain application type. In the case of your examples, the algorithm is looking for known malware domains inside the payload - so typically 64 bytes should be enough, as long as the domain did appear in those 64 bytes. I will note however that the SBD algorithm is only used if the "Application signatures", "User port-based mapping", "Flow exporter" and "ICMP protocol mapping" algorithms cannot determine the application of the traffic first. The other thing worth noting is that the domains that the SBD algorithm is looking for are quite old, so it's much more likely that a tool like QNI would be able to give you a much more reliable indication of malicious applications in your environment.

Hope that helps!

Hey there Aleksey,

All of those example applications you gave above use the "state based decoding" algorithm (https://www.ibm.com/docs/en/qsip/7.4?topic=monitoring-application-identification) which looks for particular patterns inside the payload to determine whether the traffic is of a certain application type. In the case of your examples, the algorithm is looking for known malware domains inside the payload - so typically 64 bytes should be enough, as long as the domain did appear in those 64 bytes. I will note however that the SBD algorithm is only used if the "Application signatures", "User port-based mapping", "Flow exporter" and "ICMP protocol mapping" algorithms cannot determine the application of the traffic first. The other thing worth noting is that the domains that the SBD algorithm is looking for are quite old, so it's much more likely that a tool like QNI would be able to give you a much more reliable indication of malicious applications in your environment.

Hope that helps!

Hi Aleksey, 

The SBD algorithm uses a hardcoded list of about 20000 known malicious domains from about ~10 years ago - I don't know exactly where this list came from but likely a public disclosure of some kind way back then. As a result, it is relatively unlikely that the application types you have listed above will be set - both because there are other application algorithms that are more likely to get a match first (the signatures algorithm in particular) and because a lot of the domains in this file are unlikely to be in use anymore since they are so old. If you want up to date malicious domain detection I would recommend you use QNI to extract domain names and then an application like DNS Analyser to get much more accurate malicious domain analysis driven from X-Force insights and DNS Analyser algorithms.

Hey there Aleksey,

All of those example applications you gave above use the "state based decoding" algorithm (https://www.ibm.com/docs/en/qsip/7.4?topic=monitoring-application-identification) which looks for particular patterns inside the payload to determine whether the traffic is of a certain application type. In the case of your examples, the algorithm is looking for known malware domains inside the payload - so typically 64 bytes should be enough, as long as the domain did appear in those 64 bytes. I will note however that the SBD algorithm is only used if the "Application signatures", "User port-based mapping", "Flow exporter" and "ICMP protocol mapping" algorithms cannot determine the application of the traffic first. The other thing worth noting is that the domains that the SBD algorithm is looking for are quite old, so it's much more likely that a tool like QNI would be able to give you a much more reliable indication of malicious applications in your environment.

Hope that helps!