Albin_Petersson
Contributor

custom service objects always replace "standard" in logs?

Hello.


I've noticed that most (if not all) of the time, custom service objects replace the "standard" service objects in the logs. In the following example TCP/135 is actually Microsoft's RPC port/service.

[Screenshot: log entry showing the custom service object]

Is there a way to avoid this that we don't know of? Match for 'any' is unchecked.

[Screenshot: custom service object with "Match for 'any'" unchecked]

It'd be nice if the correct object showed up in the log. It seems to always take the most recent object it can match with. 

4 Replies
PhoneBoy
Admin
Generally you shouldn't have two or more services with the same port number.
This usually causes a warning in SmartConsole when you create it.
Is this an RPC service by chance?
Albin_Petersson
Contributor

This service works similar to RPC I would say. I haven't made this one in particular so I'm unsure how it works.


But there isn't an RPC service with port 135 per se. Microsoft's RPC uses port 135 but falls under ALL_DCE_RPC if I remember correctly, and that service has no port number. However, the firewall identified RPC-initiated traffic before our own service was put in.

There has to be some sort of auto-detect of standard port numbers, that somehow is overwritten when you make a custom service. Is that preventable?

PhoneBoy
Admin
/etc/services and/or /etc/protocols is used if there isn't a service defined in SmartConsole for the port number or IP protocol defined.
If there are multiple definitions for the same service, it seems reasonable it'd pick the most recently defined one.
In a couple of cases, there were some "bugs" with this process that were resolved with patches.
Otherwise, I'm not aware of a way to change the way a given service is resolved in the logs.
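To make the resolution order PhoneBoy describes concrete, here is an added example (written for this page; it is not Check Point code and does not reproduce how the gateway or SmartConsole actually implements the lookup). It models the stated precedence: a service defined in SmartConsole wins over the OS tables, the most recently defined object wins when several custom objects claim the same port, and /etc/services is consulted only when nothing is defined. It also flags the duplicate-port situation that triggers the SmartConsole warning mentioned above. The `Service` class, its `created_order` field, the `/etc/services` text, and all service names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in /etc/services format (not copied from any gateway).
ETC_SERVICES = """\
# Network services, Internet style (constructed sample)
ssh             22/tcp
domain          53/tcp
domain          53/udp
epmap           135/tcp   loc-srv  # DCE endpoint resolution (MS-RPC)
"""

Key = Tuple[int, str]  # (port, protocol)


@dataclass(frozen=True)
class Service:
    """A hypothetical stand-in for a SmartConsole TCP/UDP service object."""
    name: str
    port: int
    proto: str
    created_order: int  # constructed attribute: higher means defined more recently


def parse_etc_services(text: str) -> Dict[Key, str]:
    """Parse lines of the form 'name port/proto [aliases] [# comment]'.

    The first definition of a port/proto pair wins, which mirrors a plain
    getservbyport()-style lookup over the file.
    """
    table: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # malformed line, skip it rather than guess
        name, port_s, proto = fields[0], *fields[1].split("/", 1)
        if not port_s.isdigit():
            continue
        table.setdefault((int(port_s), proto.lower()), name)
    return table


def duplicate_ports(custom: List[Service]) -> Dict[Key, List[str]]:
    """Return port/proto keys claimed by more than one custom object."""
    seen: Dict[Key, List[str]] = {}
    for s in custom:
        seen.setdefault((s.port, s.proto.lower()), []).append(s.name)
    return {k: names for k, names in seen.items() if len(names) > 1}


def resolve(port: int, proto: str, custom: List[Service],
            etc_table: Dict[Key, str]) -> Tuple[str, str]:
    """Return (service name, source) using the precedence described in the thread."""
    key: Key = (port, proto.lower())
    matches = [s for s in custom if (s.port, s.proto.lower()) == key]
    if matches:
        # Several custom objects on one port: the most recently created wins.
        newest = max(matches, key=lambda s: s.created_order)
        return newest.name, "custom"
    name: Optional[str] = etc_table.get(key)
    if name is not None:
        return name, "/etc/services"
    return f"{proto.lower()}/{port}", "unresolved"


if __name__ == "__main__":
    etc = parse_etc_services(ETC_SERVICES)
    objects = [Service("MyApp-135", 135, "tcp", created_order=1)]
    print("no custom object :", resolve(135, "tcp", [], etc))
    print("custom object    :", resolve(135, "tcp", objects, etc))
    objects.append(Service("OtherApp-135", 135, "tcp", created_order=2))
    print("two objects      :", resolve(135, "tcp", objects, etc))
    print("duplicate ports  :", duplicate_ports(objects))
```

Running `duplicate_ports` over an exported list of service objects is the cheap check here: any key it returns is a port whose log name depends on creation order rather than on which object the rule actually matched.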
Albin_Petersson
Contributor

I looked at the /etc files and it makes sense. It's a bit weird that it always matches on the newer objects but I suppose it's understandable.
