General Tests

The following scenario shows how to place an OSDx router between two machines to allow them to communicate with each other and to provide protection when accessing one another and the external WAN.

[Figure: topology25.svg]

Test Simple Ruleset With Queues

Description

Configures the three DUTs that will be used and checks that they can ping each other but cannot connect via SSH, since the firewall (running inline and fed through queue FW_Q by the FW_PLAN traffic policy) drops those connections.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.891 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.891/0.891/0.891/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.767 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.767/0.767/0.767/0.000 ms

Step 4: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 5: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+\[Drop\].+(SSH not allowed in this network).+$
Show output
07/17/2024-17:48:22.390114  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:22.560927  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:23.037799  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:23.222098  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:24.574328  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47660 -> 20.0.0.2:22
07/17/2024-17:48:24.661551  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47660 -> 20.0.0.2:22
07/17/2024-17:48:24.669759  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:24.885654  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:27.901775  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:28.245987  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
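The log lines in the step above are Suricata-style fast-log records. The Python below is an added example, not part of the OSDx documentation or product: it parses such lines and runs the page's check over constructed sample lines (modelled on the output above, not captured from a device). It also escapes the square brackets in the check, because unescaped `[Drop]` is a character class matching any single letter D, r, o or p, so the action is effectively not verified and a `[wDrop]` check would also accept an inline `[Drop]` line.

```python
"""Parse Suricata-style fast-log lines, as printed by 'service firewall FW show logging
fast' on this page, and run the page's checks over them. Added example; the sample lines
are constructed to mirror the page's output and are not taken from a live device."""
import re
from collections import Counter

# timestamp, optional [Action] (absent for plain alerts), [gid:sid:rev], message,
# classification, priority, {PROTO} src:sport -> dst:dport.  For ICMP the two "port"
# fields carry the ICMP type and code instead.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Constructed sample: inline drops, an IDS-mode "would drop", and a plain alert.
SAMPLE_FAST_LOG = """\
07/17/2024-17:48:22.390114  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39632 -> 40.0.0.2:22
07/17/2024-17:48:24.574328  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47660 -> 20.0.0.2:22
07/17/2024-17:48:51.030532  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0
07/17/2024-17:49:10.557646  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:50:08.806754  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:57652 -> 20.0.0.2:22
"""


def parse_fast_log(text):
    """Turn fast-log text into a list of dicts; unknown lines are an error, not skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("No fast logs yet"):
            continue
        m = FAST_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised fast-log line: {line!r}")
        ev = m.groupdict()
        # A line without an [Action] prefix was produced by an 'alert' rule.
        ev["action"] = ev["action"] or "alert"
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize(events):
    """Count (action, sid) pairs: a quick view of what the loaded ruleset is doing."""
    return Counter((ev["action"], ev["sid"]) for ev in events)


def check_logged(text, action, msg):
    """The page's regular-expression check, with the brackets escaped so that the
    action in the log line really has to be the one asked for."""
    pattern = re.compile(r"(?m)^.+\[%s\].+%s.+$" % (re.escape(action), re.escape(msg)))
    return pattern.search(text) is not None


def would_have_been_dropped(events):
    """[wDrop] lines: in monitor (IDS) mode a drop rule matched, the packet was still
    forwarded, and the same ruleset inline would have dropped it."""
    return [ev for ev in events if ev["action"] == "wDrop"]


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    print(summarize(parsed))
    print("SSH drop logged:", check_logged(SAMPLE_FAST_LOG, "Drop", "SSH not allowed in this network"))
```

`parse_fast_log` treats the "No fast logs yet" message as an empty log, which is what Step 7 of Test Single File In Compressed Ruleset relies on; any other unparsed line raises so that a format change on the device is noticed rather than silently counted as zero events.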

Test Simple Ruleset With Custom Action-order

Description

Configures the three DUTs that will be used and checks that they can initially ping each other. The ruleset carries both a pass rule for ICMP (sid 3) and a drop rule for ICMP (sid 30); with the default action-order (pass, drop, reject, alert) the pass rule wins whenever both match, so the pings succeed. After the priority of rule actions is changed so that drop comes first, ICMP traffic is no longer passed but dropped by the firewall.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.941 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.941/0.941/0.941/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=1.02 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.021/1.021/1.021/0.000 ms

Step 4: Modify the following configuration lines in DUT0:

set service firewall FW action-order 'drop, reject, alert, pass'

Step 5: Expect a failure in the following command: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Expect a failure in the following command: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+\[Drop\].+(ICMP traffic dropped).+$
Show output
07/17/2024-17:48:51.030532  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0
07/17/2024-17:48:52.106697  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 20.0.0.2:8 -> 40.0.0.2:0
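Why Step 4 flips the result: when several rules match one packet, the firewall picks the action that comes first in action-order, not the rule that comes first in the file. The Python below is an added example (not OSDx's or Suricata's matching engine) that parses the rule lines printed on this page plus a reconstructed sid 30 rule, then resolves the verdict for constructed packets under the default order and the custom one from Step 4. The sid 30 rule header, the packet dictionaries and the simplified address/port matching are assumptions.

```python
"""Resolve the effective action for a packet when several rules match, under a given
action-order. Added example; it is not the OSDx or Suricata detection engine."""
import ipaddress
import re

# Suricata's default action-order, and the order the page's Step 4 configures.
DEFAULT_ACTION_ORDER = ("pass", "drop", "reject", "alert")
CUSTOM_ACTION_ORDER = ("drop", "reject", "alert", "pass")

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# sid 2 and sid 3 are the rule lines printed on this page. sid 30 is reconstructed from
# the '[1:30:0] ICMP traffic dropped' log entry; its header is an assumption.
BASE_RULES = """\
drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
drop icmp any any -> any any (msg: "ICMP traffic dropped"; sid: 30;)
"""
# The line that base.diff1 substitutes for sid 2.
PATCHED_SSH_RULE = ('alert ssh any any -> any any '
                    '(msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)')

# Constructed packets: DUT1 (40.0.0.2) pinging DUT2, and DUT2 (20.0.0.2) opening SSH to DUT1.
ICMP_ECHO = {"proto": "icmp", "src": "40.0.0.2", "sport": 8, "dst": "20.0.0.2", "dport": 0}
SSH_SYN = {"proto": "tcp", "app": "ssh", "src": "20.0.0.2", "sport": 39632,
           "dst": "40.0.0.2", "dport": 22}


def parse_rule(line):
    """Split a rule into header fields and options; bare keywords (bypass) become True."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, sep, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else True
    rule["msg"] = opts.get("msg", "")
    rule["sid"] = int(opts["sid"])
    rule["bypass"] = opts.get("bypass") is True
    return rule


def parse_ruleset(text):
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    # 'ssh' is an application-layer protocol keyword; 'tcp'/'icmp' are transport ones.
    proto_ok = rule["proto"] in (pkt["proto"], pkt.get("app"))
    return (proto_ok
            and _addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))


def verdict(rules, pkt, action_order=DEFAULT_ACTION_ORDER):
    """Return (effective action, sid of the winning rule). Among all matching rules the
    one whose action appears first in action_order wins, whatever its position in the file.
    With no match at all the packet is simply forwarded and nothing is logged."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    for action in action_order:
        for r in hits:
            if r["action"] == action:
                return (action, r["sid"])
    return ("no-match", None)


if __name__ == "__main__":
    rules = parse_ruleset(BASE_RULES)
    for order in (DEFAULT_ACTION_ORDER, CUSTOM_ACTION_ORDER):
        print(order, "ICMP ->", verdict(rules, ICMP_ECHO, order), "SSH ->", verdict(rules, SSH_SYN, order))
```

The practical lesson is that a pass rule is not "just logging": under the default order it silently overrides every drop rule that matches the same packet, which is why the ICMP drop rule (sid 30) has no visible effect until Step 4 moves drop ahead of pass.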

Test Simple Ruleset With Queues IDS Mode

Description

Configures the three DUTs that will be used and checks that they can ping each other and connect via SSH. Since the firewall runs in monitor (IDS) mode on eth0 and eth1 rather than inline, the SSH drop rule only produces [wDrop] ("would drop") log entries and the connections are not dropped.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging outputs fast
set service firewall FW mode monitor interfaces eth0,eth1
set service firewall FW ruleset file 'running://base.rules'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.675 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.675/0.675/0.675/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.477 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.477/0.477/0.477/0.000 ms

Step 4: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ED25519) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 16:08:50 2024 from 10.0.0.2
admin@osdx$

Step 5: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ED25519) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 15:58:37 2024
admin@osdx$

Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+\[wDrop\].+(SSH not allowed in this network).+$
Show output
07/17/2024-17:49:10.557646  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.558009  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.598334  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.598724  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.598789  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.604415  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.604464  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.604468  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.604730  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22
07/17/2024-17:49:10.606186  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59734 -> 40.0.0.2:22

Test Encrypted Ruleset

Description

Configures the three DUTs, encrypts an arbitrary ruleset file and checks that the firewall is handling said file as expected. The firewall behaves the same way as for Test Simple Ruleset With Queues but with an encrypted ruleset.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0   114k      0 --:--:-- --:--:-- --:--:--  132k

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base-enc.rules' digest sha512
set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX1//DP6DzyXqbjv0zaK84JA0giNSTEN0/RpkjXmi+sOTYbXRs7ALAWkL
set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000
set service firewall FW ruleset file 'running://base-enc.rules' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 3: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=1.04 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.037/1.037/1.037/0.000 ms

Step 4: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.629 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.629/0.629/0.629/0.000 ms

Step 5: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 6: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+\[Drop\].+(SSH not allowed in this network).+$
Show output
07/17/2024-17:49:40.726667  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:40.893776  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:41.374298  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:41.559351  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:43.038383  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:43.126194  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:33650 -> 20.0.0.2:22
07/17/2024-17:49:43.222505  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:43.294916  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:33650 -> 20.0.0.2:22
07/17/2024-17:49:46.366196  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22
07/17/2024-17:49:46.710275  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53924 -> 40.0.0.2:22

Test Encrypted Patch

Description

Configures the three DUTs and applies an encrypted patch to the encrypted ruleset; the patch replaces the SSH drop rule with an alert rule that allows SSH communication between the DUTs and enables bypass. The original input file was:

drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)

After applying the following patch:

1c1
< drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
---
> alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)

The resulting file must be:

alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)

This not only allows SSH traffic but also enables the bypass feature (not tested here yet).

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0  59714      0 --:--:-- --:--:-- --:--:-- 68000

Step 2: Run command file copy http://10.215.168.1/~robot/base-enc.diff1 running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   256  100   256    0     0  51118      0 --:--:-- --:--:-- --:--:-- 64000

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base-enc.rules' digest sha512
set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX19uj9++hTIt2UzAvZ93rmCVAmYcOMi7KeL4VOVm8wATfbfBLltSllB1
set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000
set service firewall FW ruleset file 'running://base-enc.rules' key-length 256
set service firewall FW ruleset patch 'running://base-enc.diff1' digest sha512
set service firewall FW ruleset patch 'running://base-enc.diff1' encrypted-password U2FsdGVkX1+hQxDSWsk02FDn8erXf+dPU7tJ1au/PKH0S29mZG4BoCpYqaWJJ2fV
set service firewall FW ruleset patch 'running://base-enc.diff1' iterations 100000
set service firewall FW ruleset patch 'running://base-enc.diff1' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.762 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.762/0.762/0.762/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=1.04 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.037/1.037/1.037/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ED25519) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:49:09 2024 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ED25519) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:49:10 2024 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
Show output
07/17/2024-17:50:08.806754  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:57652 -> 20.0.0.2:22
07/17/2024-17:50:09.195048  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:33864 -> 40.0.0.2:22

Test Compressed Ruleset With Patch

Description

Configures three DUTs and applies a patch that allows SSH communication between the DUTs and enables bypass. In addition, two source rule files are compressed into a tar.gz file whose content is used by the firewall to define the rules. One of the files is named base.rules and is the file that the patch is meant for. The second one is test-performance.rules, whose contents are:

alert tcp any any -> any 5001 (msg: "Skipping test network performance traffic"; bypass; flow: established, to_server; sid: 4;)

This rule simply bypasses traffic that is deemed "performance traffic", that is, the TCP port 5001 flows generated by the monitor test performance command. Because the rule carries the bypass keyword, the firewall stops inspecting a matching flow once the rule has fired, so each iperf connection shows up once in the fast log rather than once per packet.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   332  100   332    0     0  59852      0 --:--:-- --:--:-- --:--:-- 66400

Step 2: Run command file copy http://10.215.168.1/~robot/base.diff1 running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   238  100   238    0     0  79412      0 --:--:-- --:--:-- --:--:--  116k

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz'
set service firewall FW ruleset patch 'running://base.diff1'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.730 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.730/0.730/0.730/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.910 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.910/0.910/0.910/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ED25519) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:08 2024 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ED25519) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:09 2024 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
Show output
07/17/2024-17:50:28.139125  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:40066 -> 20.0.0.2:22
07/17/2024-17:50:28.547167  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34310 -> 40.0.0.2:22

Step 9: Initiate a bandwidth test from DUT2 to DUT1

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 37000 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  70.4 MBytes   590 Mbits/sec   80   1.50 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec  70.4 MBytes   590 Mbits/sec   80             sender
[  5]   0.00-1.00   sec  68.4 MBytes   571 Mbits/sec                  receiver

iperf Done.

Step 10: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Skipping test network performance traffic).+$
Show output
07/17/2024-17:50:28.139125  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:40066 -> 20.0.0.2:22
07/17/2024-17:50:28.547167  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34310 -> 40.0.0.2:22
07/17/2024-17:50:29.092112  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:36990 -> 40.0.0.2:5001
07/17/2024-17:50:29.093277  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:37000 -> 40.0.0.2:5001
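The file-handling tests above (Test Encrypted Patch and Test Compressed Ruleset With Patch, and the single-file selection that follows) come down to the same steps: unpack a tar.gz, pick the members to load, and apply a normal-format diff such as the 1c1 hunk shown under Test Encrypted Patch to base.rules. The Python below is an added example, not the OSDx implementation, that reproduces those steps offline so the effective ruleset can be reviewed before it reaches the router. The rule text and the patch are the lines printed on this page, rebuilt here as constructed files; the member names are assumed to match the page's, and the encryption of the files is not reproduced.

```python
"""Build a tar.gz ruleset, select one member from it, and apply a normal-format diff
(the '1c1' style printed on this page) to base.rules before it is loaded. Added example
modelled on the page's patch and compressed-ruleset tests; it does not talk to OSDx."""
import io
import re
import tarfile

# Rule text as printed on the page (constructed files, not the robot's originals).
BASE_RULES = (
    'drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)\n'
    'pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)\n'
)
TEST_PERFORMANCE_RULES = (
    'alert tcp any any -> any 5001 (msg: "Skipping test network performance traffic"; '
    'bypass; flow: established, to_server; sid: 4;)\n'
)
# base.diff1 in normal diff format, i.e. what 'diff old new' prints without -u.
BASE_DIFF1 = (
    "1c1\n"
    '< drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)\n'
    "---\n"
    '> alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)\n'
)

HUNK_RE = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")


def parse_normal_diff(patch_text):
    """Return [(cmd, old_start, old_end, old_lines, new_lines), ...] for a/c/d hunks."""
    lines = patch_text.splitlines()
    hunks, i = [], 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            raise ValueError(f"bad hunk header: {lines[i]!r}")
        cmd, start = m.group(3), int(m.group(1))
        end = int(m.group(2) or m.group(1))
        i += 1
        old, new = [], []
        while i < len(lines) and lines[i].startswith("<"):
            old.append(lines[i][2:])
            i += 1
        if i < len(lines) and lines[i] == "---":
            i += 1
        while i < len(lines) and lines[i].startswith(">"):
            new.append(lines[i][2:])
            i += 1
        hunks.append((cmd, start, end, old, new))
    return hunks


def apply_normal_diff(text, patch_text):
    """Apply hunks bottom-up so earlier line numbers stay valid. A change or delete whose
    '<' lines do not match the file is refused: the patch was made for another version."""
    out = text.splitlines()
    hunks = sorted(parse_normal_diff(patch_text), key=lambda h: h[1], reverse=True)
    for cmd, start, end, old, new in hunks:
        if cmd == "a":                       # 'Na...': insert after old line N
            out[start:start] = new
            continue
        if out[start - 1:end] != old:
            raise ValueError(f"hunk {start},{end}{cmd} does not match the file")
        out[start - 1:end] = new             # 'c' replaces; for 'd' new is empty
    return "\n".join(out) + "\n"


def build_compressed_ruleset(files):
    """tar.gz a {name: text} mapping in memory, like the page's ruleset.tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_rules(archive, only=None):
    """Return {name: text} for every regular member, or only the named one (the page's
    'ruleset compressed ... file test-performance.rules'). Absolute names and '..'
    components are rejected so a crafted archive cannot write outside its directory."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe member name: {member.name!r}")
            if not member.isfile():
                continue
            name = member.name[2:] if member.name.startswith("./") else member.name
            if only is None or name == only:
                found[name] = tar.extractfile(member).read().decode()
    if only is not None and only not in found:
        raise KeyError(f"{only!r} is not in the archive")
    return found


def load_ruleset(archive, patch=None, only=None):
    """What the firewall ends up loading: the selected member(s), with the patch applied
    to base.rules (the file the page says the patch is meant for)."""
    files = extract_rules(archive, only)
    if patch is not None and "base.rules" in files:
        files["base.rules"] = apply_normal_diff(files["base.rules"], patch)
    return files


if __name__ == "__main__":
    archive = build_compressed_ruleset({"base.rules": BASE_RULES,
                                        "test-performance.rules": TEST_PERFORMANCE_RULES})
    for name, text in load_ruleset(archive, patch=BASE_DIFF1).items():
        print(f"== {name}\n{text}", end="")
```

Two checks in this code are worth keeping when the same handling is scripted for real: the patch is refused when its `<` lines no longer match the file (a stale patch would otherwise rewrite the wrong rule), and archive members with absolute names or `..` components are rejected before extraction.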

Test Single File In Compressed Ruleset

Description

Compresses two ruleset files but only chooses the test-performance.rules from within the compressed file. Lastly, checks that performance traffic is detected but no message is generated for SSH traffic, indicating that only one file is being used.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   332  100   332    0     0   148k      0 --:--:-- --:--:-- --:--:--  162k

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' file test-performance.rules
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 3: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.878 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.878/0.878/0.878/0.000 ms

Step 4: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.697 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.697/0.697/0.697/0.000 ms

Step 5: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ED25519) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:28 2024 from 40.0.0.2
admin@osdx$

Step 6: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ED25519) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:28 2024 from 20.0.0.2
admin@osdx$

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output does not match the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
Show output
No fast logs yet for client "FW"

Step 8: Initiate a bandwidth test from DUT2 to DUT1:

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 58852 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  82.1 MBytes   689 Mbits/sec   62   1.56 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec  82.1 MBytes   689 Mbits/sec   62             sender
[  5]   0.00-1.01   sec  80.9 MBytes   674 Mbits/sec                  receiver

iperf Done.

Step 9: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Skipping test network performance traffic).+$
Show output
07/17/2024-17:50:48.750370  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58844 -> 40.0.0.2:5001
07/17/2024-17:50:48.751790  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58852 -> 40.0.0.2:5001

Test Selectors

Description

Builds a scenario with three DUTs in which selectors are applied to traffic depending on the network it belongs to. This allows selector-specific rules to be applied to traffic while running a single firewall instance.

To demonstrate this behavior, two labels will be set:

  1. WAN label that is applied to every packet going outside the local network.

  2. LAN label that marks every packet present in the underlying network.

For this purpose, a complete scenario is built so that all the involved features come into play:

  • A compressed, encrypted ruleset will be created that contains base.rules as well as test-performance.rules.

  • A patch that will upgrade base.rules so it contains rules based on labels. The expected final result will be:

    alert ssh any any -> any any (msg: "Local SSH traffic - bypassing..."; selector: LOCAL; bypass; sid: 1; flow: established, to_server;)
    drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23; selector: WAN;)
    pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
    drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; selector: WAN, LOCAL; sid: 4; flow: established, to_server;)
    

Hence, the following will be tested:

  1. SSH connections work between the LAN nodes, DUT1 and DUT2.

  2. It is impossible to get the nids.html file (i.e., a malicious file) from the WAN.

  3. ICMP messages are allowed from any node within the network.

  4. Traffic performance tests are allowed for both the WAN and LOCAL selectors but not on port 5000.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz.aes256 running://ruleset.tar.gz force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   352  100   352    0     0  83432      0 --:--:-- --:--:-- --:--:-- 88000

Step 2: Run command file copy http://10.215.168.1/~robot/base.diff2-aes256 running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   528  100   528    0     0  87912      0 --:--:-- --:--:-- --:--:--  103k

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic policy in FW_PWAN
set interfaces ethernet eth0 traffic policy out FW_PWAN
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' digest sha512
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' encrypted-password U2FsdGVkX187a2NrR78CU3ZrV4agNJYnYB2Ilo7gqpRGZ6WICiLluDIeQr64GT71
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' iterations 100000
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' key-length 256
set service firewall FW ruleset patch 'running://base.diff2-aes256' digest sha512
set service firewall FW ruleset patch 'running://base.diff2-aes256' encrypted-password U2FsdGVkX19ZX8mikMM8KZrNjI07KKOpFGPofScyLQQBL9JMrTqduAZE/omus3Qn
set service firewall FW ruleset patch 'running://base.diff2-aes256' iterations 100000
set service firewall FW ruleset patch 'running://base.diff2-aes256' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group address LAN element 20.0.0.0/24
set traffic group address LAN element 40.0.0.0/24
set traffic label LOCAL
set traffic label WAN
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic policy FW_PLAN rule 1 selector LAN
set traffic policy FW_PLAN rule 1 set label LOCAL
set traffic policy FW_PWAN rule 1 action enqueue FW_Q
set traffic policy FW_PWAN rule 1 set label WAN
set traffic queue FW_Q elements 1
set traffic selector LAN rule 1 destination address-group LAN
set traffic selector LAN rule 1 source address-group LAN

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.811 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.811/0.811/0.811/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.510 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.510/0.510/0.510/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ED25519) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:47 2024 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ED25519) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.1.1.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Jul 17 17:50:48 2024 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Local SSH traffic - bypassing...).+$
Show output
07/17/2024-17:51:09.664481  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:45020 -> 20.0.0.2:22
07/17/2024-17:51:10.111287  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:41646 -> 40.0.0.2:22

Step 9: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 10.215.168.1 with the user admin:

admin@DUT1$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 10: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 10.215.168.1 with the user admin:

admin@DUT2$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 11: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Outgoing TCP traffic to port 22 from LAN to WAN).+$
Show output
07/17/2024-17:51:09.664481  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:45020 -> 20.0.0.2:22
07/17/2024-17:51:10.111287  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:41646 -> 40.0.0.2:22
07/17/2024-17:51:10.638335  [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:36656 -> 10.215.168.1:22
07/17/2024-17:51:20.735722  [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:49158 -> 10.215.168.1:22

Step 12: Initiate a bandwidth test from DUT2 to DUT1:

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 50420 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  90.0 MBytes   755 Mbits/sec   71   1.51 MBytes
[  5]   1.00-2.00   sec  96.2 MBytes   807 Mbits/sec  186   1.16 MBytes
[  5]   2.00-3.00   sec  92.5 MBytes   776 Mbits/sec    0   1.24 MBytes
[  5]   3.00-4.00   sec  91.2 MBytes   765 Mbits/sec    0   1.30 MBytes
[  5]   4.00-5.00   sec  91.2 MBytes   765 Mbits/sec    0   1.35 MBytes
[  5]   5.00-6.00   sec  93.8 MBytes   787 Mbits/sec    0   1.37 MBytes
[  5]   6.00-7.00   sec  93.8 MBytes   786 Mbits/sec    0   1.42 MBytes
[  5]   7.00-8.00   sec  91.2 MBytes   765 Mbits/sec    0   1.46 MBytes
[  5]   8.00-9.00   sec  92.5 MBytes   776 Mbits/sec    0   1.51 MBytes
[  5]   9.00-10.00  sec  93.8 MBytes   786 Mbits/sec    0   1.55 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   926 MBytes   777 Mbits/sec  257             sender
[  5]   0.00-10.01  sec   924 MBytes   775 Mbits/sec                  receiver

iperf Done.

Step 13: Initiate a bandwidth test from DUT2 to DUT1:

admin@DUT1$ monitor test performance server port 5000
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5000 parallel 1
Expect this output in DUT2:
^C- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
iperf3: interrupt - the client has terminated
admin@osdx$

Step 14: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Dropping TCP performance test traffic).+$
Show output
07/17/2024-17:51:31.019282  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:50420 -> 40.0.0.2:5001
07/17/2024-17:51:41.305333  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:41.510498  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:41.718338  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:42.158329  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:42.990325  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:44.321110  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:44.345667  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:44.345791  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
07/17/2024-17:51:44.349825  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:58732 -> 40.0.0.2:5000
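The following is an added model of this scenario, not OSDx code: it assigns the LOCAL and WAN labels the way the traffic policies in Step 3 do and then evaluates the four rules listed in the description against flows mirroring Steps 4 to 14. Assumptions: Suricata-style rule syntax, a `selector:` option that restricts a rule to flows carrying one of the listed labels, and the default action order pass > drop > reject > alert when several rules fire; the sample payload and flow tuples are constructed.

```python
"""Model of label/selector evaluation for the Test Selectors scenario (added example)."""
import ipaddress
import re

# Address group LAN from the DUT0 configuration in Step 3.
LAN_GROUP = [ipaddress.ip_network("20.0.0.0/24"), ipaddress.ip_network("40.0.0.0/24")]

# Expected final base.rules (sid 1, 2100498, 3, 4) from the description, verbatim.
RULES_TEXT = r'''
alert ssh any any -> any any (msg: "Local SSH traffic - bypassing..."; selector: LOCAL; bypass; sid: 1; flow: established, to_server;)
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23; selector: WAN;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; selector: WAN, LOCAL; sid: 4; flow: established, to_server;)
'''

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
# Assumed Suricata default action order: the lowest value wins when several rules match.
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}


def decode_content(spec):
    """Turn a content string with |hex| escapes into bytes: 'a|28|b' -> b'a(b'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(line):
    """Parse one rule; only the header fields and options this model needs are kept."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    action, proto, _src, _sport, _direction, _dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    selectors = {s.strip() for s in opts.get("selector", "").split(",") if s.strip()}
    content = decode_content(opts["content"]) if "content" in opts else None
    return {"action": action, "proto": proto, "dport": dport, "sid": int(opts["sid"]),
            "msg": opts.get("msg", ""), "selectors": selectors, "content": content}


def in_lan(addr):
    return any(ipaddress.ip_address(addr) in net for net in LAN_GROUP)


def assign_labels(src, dst):
    """Traffic policies from Step 3: FW_PLAN on the LAN vifs sets LOCAL only when
    selector LAN matches (source and destination both in the LAN group); FW_PWAN
    on eth0 sets WAN on everything crossing the WAN interface. Assumption: a flow
    crosses eth0 exactly when one of its endpoints is outside the LAN group."""
    return {"LOCAL"} if in_lan(src) and in_lan(dst) else {"WAN"}


def rule_matches(rule, flow, labels):
    proto_ok = (rule["proto"] == "ip" or rule["proto"] == flow["proto"]
                or rule["proto"] == flow.get("app"))
    port_ok = rule["dport"] == "any" or int(rule["dport"]) == flow.get("dport")
    label_ok = not rule["selectors"] or bool(rule["selectors"] & labels)
    content_ok = rule["content"] is None or rule["content"] in flow.get("payload", b"")
    return proto_ok and port_ok and label_ok and content_ok


def verdict(flow, rules):
    """Return (action, sid) of the winning rule, or ('allow', None) when none fires."""
    labels = assign_labels(flow["src"], flow["dst"])
    hits = [r for r in rules if rule_matches(r, flow, labels)]
    if not hits:
        return "allow", None
    best = min(hits, key=lambda r: (ACTION_ORDER[r["action"]], r["sid"]))
    return best["action"], best["sid"]


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

# Constructed flows mirroring Steps 4-14; the WAN reply payload is invented.
FLOWS = {
    "ssh_lan_to_lan": {"src": "40.0.0.2", "dst": "20.0.0.2", "proto": "tcp", "app": "ssh", "dport": 22},
    "icmp_lan": {"src": "40.0.0.2", "dst": "20.0.0.2", "proto": "icmp"},
    "iperf_5001": {"src": "20.0.0.2", "dst": "40.0.0.2", "proto": "tcp", "dport": 5001},
    "iperf_5000": {"src": "20.0.0.2", "dst": "40.0.0.2", "proto": "tcp", "dport": 5000},
    "wan_root_reply": {"src": "10.215.168.1", "dst": "40.0.0.2", "proto": "tcp", "dport": 49062,
                       "payload": b"<pre>uid=0(root) gid=0(root)</pre>"},
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        labels = sorted(assign_labels(flow["src"], flow["dst"]))
        print(f"{name:16} labels={labels} -> {verdict(flow, RULES)}")
```

The iperf flow to port 5001 gets no verdict from base.rules here; in the log of Step 14 it is reported by sid 40, which lives in test-performance.rules.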

Test Hashset

Description

Configures the three DUTs, although only DUT0 is used for the test. First, a probe file is downloaded by DUT0. The probe file is detected by the service firewall running in DUT0 and its md5, sha1 and sha256 hashes are logged. Lastly, the service firewall is configured to block the download of the probe file when it is recognized through the configured md5, sha1 or sha256 hashset files.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic policy in FW_PWAN
set interfaces ethernet eth0 traffic policy out FW_PWAN
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs eve types files force-hash md5
set service firewall FW logging outputs eve types files force-hash sha1
set service firewall FW logging outputs eve types files force-hash sha256
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://http-alert.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PWAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.496 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.496/0.496/0.496/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.528 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.528/0.528/0.528/0.000 ms

Step 4: Run command file show running://http-alert.rules at DUT0 and expect this output:

Show output
alert http any any -> any any (msg:"HTTP ALERT Test by Teldat"; sid:10001 ; rev: 1;)

Step 5: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   220  100   220    0     0  43798      0 --:--:-- --:--:-- --:--:-- 44000

Step 6: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2024-07-17T17:52:02.988205+0000","flow_id":582237375117937,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49062,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:02.987530+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":49062,"dest_port":80}}

Step 7: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha1.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2024-07-17T17:52:02.988205+0000","flow_id":582237375117937,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49062,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:02.987530+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":49062,"dest_port":80}}

Step 8: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha256.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2024-07-17T17:52:02.988205+0000","flow_id":582237375117937,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49062,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:02.987530+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":49062,"dest_port":80}}

Step 9: Run command file copy http://10.215.168.1/~robot/hashset-md5.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    33  100    33    0     0   1075      0 --:--:-- --:--:-- --:--:--  1100

Step 10: Run command file copy http://10.215.168.1/~robot/filehash-md5-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   113  100   113    0     0  16549      0 --:--:-- --:--:-- --:--:-- 18833

Step 11: Run command file show running://hashset-md5.list at DUT0 and expect this output:

Show output
c533c963702d7e99b2aa52713d3cf63c

Step 12: Run command file show running://filehash-md5-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP MD5 DROP Test by Teldat"; filemd5:hashset-md5.list; sid:10002 ; rev: 1;)

Step 13: Modify the following configuration lines in DUT0:

set service firewall FW hashset file 'running://hashset-md5.list'
set service firewall FW ruleset file 'running://filehash-md5-drop.rules'

Step 14: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 15: Run command service firewall FW show logging eve | grep -E "HTTP MD5 DROP Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10002).+$
Show output
{"timestamp":"2024-07-17T17:52:06.790140+0000","flow_id":1700815711372901,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49080,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10002,"rev":1,"signature":"HTTP MD5 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:06.789218+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":49080,"dest_port":80}}

Step 16: Run command file copy http://10.215.168.1/~robot/hashset-sha1.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    40  100    40    0     0   7593      0 --:--:-- --:--:-- --:--:--  8000

Step 17: Run command file copy http://10.215.168.1/~robot/filehash-sha1-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   116  100   116    0     0  20000      0 --:--:-- --:--:-- --:--:-- 23200

Step 18: Run command file show running://hashset-sha1.list at DUT0 and expect this output:

Show output
edbfd7fc5eba4b93b8299e4b31352578a74f5773

Step 19: Run command file show running://filehash-sha1-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP SHA1 DROP Test by Teldat"; filesha1:hashset-sha1.list; sid:10003 ; rev: 1;)

Step 20: Modify the following configuration lines in DUT0:

delete service firewall FW hashset file 'running://hashset-md5.list'
delete service firewall FW ruleset file 'running://filehash-md5-drop.rules'
set service firewall FW hashset file 'running://hashset-sha1.list'
set service firewall FW ruleset file 'running://filehash-sha1-drop.rules'

Step 21: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 22: Run command service firewall FW show logging eve | grep -E "HTTP SHA1 DROP Test by Teldat.*md5.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10003).+$
Show output
{"timestamp":"2024-07-17T17:52:20.950157+0000","flow_id":1263154080447065,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":48670,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10003,"rev":1,"signature":"HTTP SHA1 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:20.949460+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":48670,"dest_port":80}}

Step 23: Run command file copy http://10.215.168.1/~robot/hashset-sha256.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    65  100    65    0     0  10617      0 --:--:-- --:--:-- --:--:-- 10833

Step 24: Run command file copy http://10.215.168.1/~robot/filehash-sha256-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   122  100   122    0     0  20783      0 --:--:-- --:--:-- --:--:-- 24400

Step 25: Run command file show running://hashset-sha256.list at DUT0 and expect this output:

Show output
11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d

Step 26: Run command file show running://filehash-sha256-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP SHA256 DROP Test by Teldat"; filesha256:hashset-sha256.list; sid:10004 ; rev: 1;)

Step 27: Modify the following configuration lines in DUT0:

delete service firewall FW hashset file 'running://hashset-sha1.list'
delete service firewall FW ruleset file 'running://filehash-sha1-drop.rules'
set service firewall FW hashset file 'running://hashset-sha256.list'
set service firewall FW ruleset file 'running://filehash-sha256-drop.rules'

Step 28: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 29: Run command service firewall FW show logging eve | grep -E "HTTP SHA256 DROP Test by Teldat.*md5.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10004).+$
Show output
{"timestamp":"2024-07-17T17:52:34.897354+0000","flow_id":754031812750484,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":56726,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10004,"rev":1,"signature":"HTTP SHA256 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":425,"bytes_toclient":621,"start":"2024-07-17T17:52:34.896457+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":56726,"dest_port":80}}
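As an added example (not OSDx or Teldat code), the following reproduces the hashset workflow of this test offline: a probe file is constructed, hashset lists in the one-digest-per-line format shown in Steps 11, 18 and 25 are built from it, and a constructed EVE alert carrying the `files` record is replayed against the filemd5/filesha1/filesha256 lists to see which keyword would trigger a drop. A one-byte variant of the probe shows that hashset blocking is an exact match on file content. The EVE record, probe bytes and the tolerance for comments in list files are assumptions.

```python
"""Hashset (filemd5/filesha1/filesha256) replay over EVE file records (added example)."""
import hashlib
import json

# The three digests the firewall logs when force-hash is enabled for all of them (Step 1).
ALGOS = ("md5", "sha1", "sha256")


def digests(data):
    """Compute every digest the EVE 'files' record carries for one file body."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def build_hashset(samples, algo):
    """Hashset list text: one lowercase hex digest per line, like hashset-md5.list."""
    return "\n".join(hashlib.new(algo, s).hexdigest() for s in samples) + "\n"


def load_hashset(text):
    """Parse a hashset list. Blank lines and '#' comments are skipped (assumption:
    the firewall's loader is at least this tolerant); digests are normalised."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def hashset_verdict(eve_line, hashsets):
    """Replay hashset rules over one EVE event: for every file in the event and every
    configured keyword, report whether the logged digest is in the list, i.e. whether
    a 'drop http ... filemd5:<list>' style rule would fire on this download."""
    event = json.loads(eve_line)
    results = []
    for record in event.get("files", []):
        for algo, hashset in hashsets.items():
            hit = record.get(algo, "").lower() in hashset
            results.append((record["filename"], "file" + algo, "drop" if hit else "allow"))
    return results


def make_eve_alert(data, sid, action):
    """Constructed EVE alert with the fields the scenario greps on (not a real log line)."""
    return json.dumps({
        "event_type": "alert",
        "alert": {"action": action, "signature_id": sid},
        "http": {"hostname": "10.215.168.1", "url": "/~robot/nids.html"},
        "files": [{"filename": "/~robot/nids.html", "state": "CLOSED",
                   "size": len(data), **digests(data)}],
    })


# Constructed probe body and a variant differing by one byte (not the page's nids.html).
PROBE = b"<html><body>nids probe: uid=0(root) gid=0(root)</body></html>\n"
PROBE_VARIANT = PROBE.replace(b"probe", b"Probe")

# One hashset per algorithm, each built from the original probe only.
HASHSETS = {algo: load_hashset(build_hashset([PROBE], algo)) for algo in ALGOS}

if __name__ == "__main__":
    for label, body in (("probe", PROBE), ("variant", PROBE_VARIANT)):
        for entry in hashset_verdict(make_eve_alert(body, 10002, "blocked"), HASHSETS):
            print(label, *entry)
```

A single-entry md5 list built this way is 33 bytes, the size of hashset-md5.list fetched in Step 9.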