AnsweredAssumed Answered

Traffic Classification

Question asked by Michael Pochan on Mar 15, 2017
Latest reply on Mar 16, 2017 by Michael Pochan

I'm attempting to classify Tanium traffic based on the use of service port 17472 and our Tanium server. I created an app rule to populate the 'service' meta key if the following conditions are met: 

 

(ip.dst = <tanium_server_IP> && tcp.dstport = 17472) || (ip.src = <tanium_server_IP> && tcp.srcport = 17472)

 

However I've had no luck with results. Looking in our decoders' index-decoder.xml file, I found the following section that seems to specify an alias for the particular service port being used. Are we able to edit this to classify our own traffic or do we need to use a lua parser (or is there something wrong with my app rule). 

 

<key description="Service Type" level="IndexNone" name="service" valueMax="75" format="UInt32" defaultAction="Open">
   <aliases>
   <alias format="$alias" value="0">OTHER</alias>
   <alias format="$alias" value="20">FTPD</alias>
   <alias format="$alias" value="21">FTP</alias>
   <alias format="$alias" value="22">SSH</alias>
   <alias format="$alias" value="23">TELNET</alias>
   <alias format="$alias" value="25">SMTP</alias>
   <alias format="$alias" value="53">DNS</alias>

 

Any feedback would be greatly appreciated. 

 

Thanks. 

Outcomes