Michael,
The "service" meta is based on the "default" port for the service, and then we alias the name in the index table as you noted.
To add your traffic tag in, name your application rule "17472" (the default port for the tanium traffic) and set the rule to alert to the "service" meta key.
On the Decoder Configuration page, Files Tab, select the "index-decoder.xml" file and copy the "service" key entry (all of it):
<key description="Service Type" level="IndexNone" name="service" valueMax="75" format="UInt32" defaultAction="Open">
<aliases>
<alias format="$alias" value="0">OTHER</alias>
<alias format="$alias" value="20">FTPD</alias>
<alias format="$alias" value="21">FTP</alias>
<alias format="$alias" value="22">SSH</alias>
<alias format="$alias" value="23">TELNET</alias>
.
.
.
<alias format="$alias" value="1000014">ALERT</alias>
<alias format="$alias" value="1000015">CLOCK</alias>
</aliases>
</key>
after copying, switch your selection to the "index-decoder-custom.xml" and scroll down to the bottom. Paste your copied key after the line:
<!-- *** Please insert your custom keys or modifications below this line *** -->
but before language tag :
</language>
then copy one of the alias entries and insert it at the appropriate location (they don't have to be in numeric order, but it helps for readability):
<alias format="$alias" value="8082">FIX</alias>
<alias format="$alias" value="17472">TANIUM</alias>
<alias format="$alias" value="20000">DNP3</alias>
Save the file (and if you have multiple decoders that might see this traffic, "push" the file to the other decoders.
a restart of the decoder service will be needed for the change to take effect.
Now go to your one of your Concentrators and repeat the above actions copying the key from the "index-concentrator.xml" and pasting into the "index-concentrator-custom.xml", save, push to the other concentrators, and then restart the concentrator services for it to take effect.
