- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-24-2024 02:26 PM
I have security rules in place to block applications such as 'msrpc-base' and 'ms-rdp' from exiting the network. However, I still see logs showing traffic egressing to ports 135 and 3389 with the application being listed as 'incomplete' and session end reason as 'aged-out'. Is this a concern? Should I be creating rules to block the protocol/port combo instead?
10-24-2024 02:37 PM
If you want a complete block from the start on well-known services, yes block by the Service (aka protocol/port). The application filters can not categorize packets until a sufficient amount of traffic has passed in the session, so packets will continue until the application can be ID'd and rules re-evaluated. The application filters can be handy for ID'ing traffic on non-standard ports (assuming you do not have "application-default" turned on in the service), or traffic which changes after establishing, but they don't automatically assume new port based traffic matches.
10-24-2024 02:37 PM
If you want a complete block from the start on well-known services, yes block by the Service (aka protocol/port). The application filters can not categorize packets until a sufficient amount of traffic has passed in the session, so packets will continue until the application can be ID'd and rules re-evaluated. The application filters can be handy for ID'ing traffic on non-standard ports (assuming you do not have "application-default" turned on in the service), or traffic which changes after establishing, but they don't automatically assume new port based traffic matches.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!