General Tests
The following scenario shows how to place an OSDx router between two machines to allow them to communicate with each other and to provide protection when accessing one another and the external WAN.
Test Simple Ruleset With Queues
Description
Configures the three DUTs that will be used and checks that they are capable of pinging each other but not of connecting via SSH, since these connections are being dropped by the firewall.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.786 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.786/0.786/0.786/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.706 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.706/0.706/0.706/0.000 ms
Step 4: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 5: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(SSH not allowed in this network).+$Show output
02/03/2025-10:41:06.780453 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:06.927894 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:07.402393 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:07.612407 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:08.988641 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:56794 -> 20.0.0.2:22 02/03/2025-10:41:09.066474 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:09.098792 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:56794 -> 20.0.0.2:22 02/03/2025-10:41:09.278257 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:12.426411 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22 02/03/2025-10:41:12.572477 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39770 -> 40.0.0.2:22
Test Simple Ruleset With Custom Action-order
Description
Configures the three DUTs that will be used and checks that initially they are capable of pinging each other but after changing the priority of rule actions, ICMP traffic is not passed, but dropped by the firewall.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.697 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.697/0.697/0.697/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.630 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.630/0.630/0.630/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
set service firewall FW action-order 'drop, reject, alert, pass'
Step 5: Expect a failure in the following command:
Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. --- 20.0.0.2 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Expect a failure in the following command:
Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. --- 40.0.0.2 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(ICMP traffic dropped).+$Show output
02/03/2025-10:41:43.296429 [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0 02/03/2025-10:41:44.444086 [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 20.0.0.2:8 -> 40.0.0.2:0
Test Simple Ruleset With Queues IDS Mode
Description
Configures the three DUTs that will be used and checks that they are capable of pinging each other and of connecting via SSH. Since the firewall is set to IDS mode, these connections are not being dropped.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging outputs fast set service firewall FW mode monitor interfaces eth0,eth1 set service firewall FW ruleset file 'running://base.rules' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.532 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.532/0.532/0.532/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.487 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:33:14 2025 admin@osdx$
Step 5: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:26:04 2025 admin@osdx$
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[wDrop].+(SSH not allowed in this network).+$Show output
02/03/2025-10:42:11.747435 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.747879 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.748108 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.750401 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.810889 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.811561 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.814274 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.814285 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.814364 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22 02/03/2025-10:42:11.817453 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:55666 -> 40.0.0.2:22
Test Encrypted Ruleset
Description
Configures the three DUTs, encrypts an arbitrary ruleset file and checks that the firewall is handling said file as expected. The firewall behaves the same way as for Test Simple Ruleset With Queues but with an encrypted ruleset.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 272 100 272 0 0 82076 0 --:--:-- --:--:-- --:--:-- 90666
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base-enc.rules' digest sha512 set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX18yLQkShsCtgRgQn9NG2GcHgB78COiPv3gcSR/rTt3i0WH4x/WCqPgP set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000 set service firewall FW ruleset file 'running://base-enc.rules' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.638 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.638/0.638/0.638/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.612 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.612/0.612/0.612/0.000 ms
Step 5: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 6: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(SSH not allowed in this network).+$Show output
02/03/2025-10:42:50.179459 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:50.357078 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:50.833458 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:51.011436 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:52.451157 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:58708 -> 20.0.0.2:22 02/03/2025-10:42:52.497424 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:52.561758 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:58708 -> 20.0.0.2:22 02/03/2025-10:42:52.675396 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:55.889423 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22 02/03/2025-10:42:56.035436 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54070 -> 40.0.0.2:22
Test Encrypted Patch
Description
Configures three DUTs, encrypts a patch that allows SSH communication between the DUTs and enables bypass. The original input file was:
drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
After applying the following patch:
1c1
< drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
---
> alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
The resulting file must be:
alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
This not only allows SSH traffic but also enables the bypass feature (not tested here yet).
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 272 100 272 0 0 34231 0 --:--:-- --:--:-- --:--:-- 38857
Step 2: Run command file copy http://10.215.168.1/~robot/base-enc.diff1 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 256 100 256 0 0 49990 0 --:--:-- --:--:-- --:--:-- 51200
Step 3: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base-enc.rules' digest sha512 set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX18Jg3YQV55ik/M59Yu7upxxT1q9zxnRADpmXTUmN/UtZFk2NcIEJGSm set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000 set service firewall FW ruleset file 'running://base-enc.rules' key-length 256 set service firewall FW ruleset patch 'running://base-enc.diff1' digest sha512 set service firewall FW ruleset patch 'running://base-enc.diff1' encrypted-password U2FsdGVkX19RObHntIwjtj5Sr9WlnO+GGH1NlDXKYSvHVsZm96czXQlajvenJMDM set service firewall FW ruleset patch 'running://base-enc.diff1' iterations 100000 set service firewall FW ruleset patch 'running://base-enc.diff1' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.664 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.664/0.664/0.664/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.598 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.598/0.598/0.598/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:42:11 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:42:11 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
02/03/2025-10:43:28.498666 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:38384 -> 20.0.0.2:22 02/03/2025-10:43:29.086949 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42076 -> 40.0.0.2:22
Test Compressed Ruleset With Patch
Description
Configures three DUTs, places a patch between the DUTs that allows SSH
communication, and enables bypass. In addition, there are two source
rules that are compressed into a tar.gz file whose content is used
by the firewall to define the rules. One of the files is named base.rules``and
is the file that the patch is meant for. The second one
is ``test-performance.rules whose contents are:: The original input file was:
alert tcp any any -> any 5001 (msg: "Skipping test network performance traffic"; bypass; flow: established, to_server; sid: 4;)
This rule simply bypasses traffic that is deemed “performance traffic”,
which is directly associated with the monitor test performance command.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 331 100 331 0 0 32349 0 --:--:-- --:--:-- --:--:-- 33100
Step 2: Run command file copy http://10.215.168.1/~robot/base.diff1 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 238 100 238 0 0 79227 0 --:--:-- --:--:-- --:--:-- 116k
Step 3: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' set service firewall FW ruleset patch 'running://base.diff1' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.757 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.757/0.757/0.757/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.649 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.649/0.649/0.649/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:43:28 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:43:29 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
02/03/2025-10:43:56.085031 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:56466 -> 20.0.0.2:22 02/03/2025-10:43:56.772090 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:51222 -> 40.0.0.2:22
Step 9: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 34524 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 69.6 MBytes 584 Mbits/sec 42 1.68 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 69.6 MBytes 584 Mbits/sec 42 sender [ 5] 0.00-1.02 sec 68.3 MBytes 561 Mbits/sec receiver iperf Done.
Step 10: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$Show output
02/03/2025-10:43:56.085031 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:56466 -> 20.0.0.2:22 02/03/2025-10:43:56.772090 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:51222 -> 40.0.0.2:22 02/03/2025-10:43:57.648828 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34520 -> 40.0.0.2:5001 02/03/2025-10:43:57.651790 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34524 -> 40.0.0.2:5001
Test Single File In Compressed Ruleset
Description
Compresses two ruleset files but only chooses the test-performance.rules
from within the compressed file. Lastly, checks that performance traffic is detected but
no message is generated for SSH traffic, indicating that only one file is
being used.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 331 100 331 0 0 88573 0 --:--:-- --:--:-- --:--:-- 107k
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' file test-performance.rules set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.744 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.744/0.744/0.744/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.876 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.876/0.876/0.876/0.000 ms
Step 5: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:43:56 2025 from 40.0.0.2 admin@osdx$
Step 6: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:43:56 2025 from 20.0.0.2 admin@osdx$
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output does not match the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
No fast logs yet for client "FW"
Step 8: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 52426 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 71.5 MBytes 600 Mbits/sec 90 1.54 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 71.5 MBytes 600 Mbits/sec 90 sender [ 5] 0.00-1.01 sec 70.1 MBytes 582 Mbits/sec receiver iperf Done.
Step 9: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$Show output
02/03/2025-10:44:26.314404 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:52412 -> 40.0.0.2:5001 02/03/2025-10:44:26.316049 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:52426 -> 40.0.0.2:5001
Test Selectors
Description
Builds a scenario with three DUTs in which some selectors are applied to traffic depending on the network detected. This allows specific selector-based rules to be applied to traffic and with only one firewall instance.
To demonstrate this behavior, two labels will be set:
WANlabel that is applied to every packet going outside the local network.
LANlabel that marks every packet present in the underlying network.
For this purpose, a whole scenario will be used to enable all the features to work:
A compressed, encrypted ruleset will be created that contains
base.rulesas well astest-performance.rules.A patch that will upgrade
base.rulesso it contains rules based on labels. The expected final result will be:alert ssh any any -> any any (msg: "Local SSH traffic - bypassing..."; selector: LOCAL; bypass; sid: 1; flow: established, to_server;) drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23; selector: WAN;) pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;) drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; selector: WAN, LOCAL; sid: 4; flow: established, to_server;)
Hence, the following will be tested:
SSH connection is working between the LAN nodes - DUT1 and DUT2
It is impossible to get the
nids.htmlfile (i.e., a malicious file) from the WAN.ICMP messages are allowed from any node within the network.
Traffic performance tests are allowed for both the WAN and LOCAL selectors but not on port 5000.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz.aes256 running://ruleset.tar.gz force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 352 100 352 0 0 43349 0 --:--:-- --:--:-- --:--:-- 44000
Step 2: Run command file copy http://10.215.168.1/~robot/base.diff2-aes256 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 528 100 528 0 0 65917 0 --:--:-- --:--:-- --:--:-- 75428
Step 3: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth0 traffic policy in FW_PWAN set interfaces ethernet eth0 traffic policy out FW_PWAN set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' digest sha512 set service firewall FW ruleset compressed 'running://ruleset.tar.gz' encrypted-password U2FsdGVkX19NUVEMXvYmp/uiIQZn5khCu2iUfcJk5V8mzWDtjpS7gRIXoN51oXOZ set service firewall FW ruleset compressed 'running://ruleset.tar.gz' iterations 100000 set service firewall FW ruleset compressed 'running://ruleset.tar.gz' key-length 256 set service firewall FW ruleset patch 'running://base.diff2-aes256' digest sha512 set service firewall FW ruleset patch 'running://base.diff2-aes256' encrypted-password U2FsdGVkX18aYX9OBO1nY3JrXGymh6wwIqA+e5rLn4ogdXG0ek1ypPPKCUerbRN3 set service firewall FW ruleset patch 'running://base.diff2-aes256' iterations 100000 set service firewall FW ruleset patch 'running://base.diff2-aes256' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic group address LAN element 20.0.0.0/24 set traffic group address LAN element 40.0.0.0/24 set traffic label LOCAL set traffic label WAN set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic policy FW_PLAN rule 1 selector LAN set traffic policy FW_PLAN rule 1 set label LOCAL set traffic policy FW_PWAN rule 1 action enqueue FW_Q set traffic policy FW_PWAN rule 1 set label WAN set traffic queue FW_Q elements 1 set traffic selector LAN rule 1 destination address-group LAN set traffic selector LAN rule 1 source address-group LAN
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.660 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.660/0.660/0.660/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.721 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.721/0.721/0.721/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:44:24 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.1.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Mon Feb 3 10:44:25 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Local SSH traffic - bypassing...).+$Show output
02/03/2025-10:44:59.365707 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:57470 -> 20.0.0.2:22 02/03/2025-10:45:00.003230 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:33664 -> 40.0.0.2:22
Step 9: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 10.215.168.1 with the user admin:
admin@DUT1$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 10: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 10.215.168.1 with the user admin:
admin@DUT2$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 11: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Outgoing TCP traffic to port 22 from LAN to WAN).+$Show output
02/03/2025-10:44:59.365707 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:57470 -> 20.0.0.2:22 02/03/2025-10:45:00.003230 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:33664 -> 40.0.0.2:22 02/03/2025-10:45:00.770020 [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:43644 -> 10.215.168.1:22 02/03/2025-10:45:10.923793 [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46202 -> 10.215.168.1:22
Step 12: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 52664 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 62.6 MBytes 525 Mbits/sec 87 1.74 MBytes [ 5] 1.00-2.00 sec 66.2 MBytes 556 Mbits/sec 58 1.34 MBytes [ 5] 2.00-3.00 sec 65.0 MBytes 545 Mbits/sec 0 1.43 MBytes [ 5] 3.00-4.00 sec 73.8 MBytes 619 Mbits/sec 0 1.51 MBytes [ 5] 4.00-5.00 sec 70.0 MBytes 587 Mbits/sec 0 1.56 MBytes [ 5] 5.00-6.00 sec 73.8 MBytes 619 Mbits/sec 0 1.59 MBytes [ 5] 6.00-7.00 sec 82.5 MBytes 692 Mbits/sec 0 1.61 MBytes [ 5] 7.00-8.00 sec 72.5 MBytes 608 Mbits/sec 0 1.62 MBytes [ 5] 8.00-9.00 sec 75.0 MBytes 629 Mbits/sec 0 1.63 MBytes [ 5] 9.00-10.00 sec 75.0 MBytes 629 Mbits/sec 0 1.63 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 716 MBytes 601 Mbits/sec 145 sender [ 5] 0.00-10.02 sec 715 MBytes 599 Mbits/sec receiver iperf Done.
Step 13: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5000 admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5000 parallel 1Expect this output in
DUT2:^C- - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr iperf3: interrupt - the client has terminated admin@osdx$
Step 14: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Dropping TCP performance test traffic).+$Show output
02/03/2025-10:45:21.415939 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:52664 -> 40.0.0.2:5001 02/03/2025-10:45:31.839895 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:32.044304 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:32.252328 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:32.680388 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:33.512295 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:34.881135 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:34.924586 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:34.930234 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000 02/03/2025-10:45:35.142316 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5000
Test Hashset
Description
Configures the three DUTs although only DUT0 is used for the test. First, a probe file is downloaded by DUT0. The probe file is detected by the service firewall running in DUT0 and md5, sha1 and sha256 hashes are logged. Lastly, the service firewall is configured for blocking the download of the probe file when is recognized through the configured md5, sha1 or sha256 hashset files.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth0 traffic policy in FW_PWAN set interfaces ethernet eth0 traffic policy out FW_PWAN set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs eve types files force-hash md5 set service firewall FW logging outputs eve types files force-hash sha1 set service firewall FW logging outputs eve types files force-hash sha256 set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://http-alert.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PWAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.639 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.639/0.639/0.639/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=1.50 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.497/1.497/1.497/0.000 ms
Step 4: Run command file show running://http-alert.rules at DUT0 and expect this output:
Show output
alert http any any -> any any (msg:"HTTP ALERT Test by Teldat"; sid:10001 ; rev: 1;)
Step 5: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 220 100 220 0 0 56569 0 --:--:-- --:--:-- --:--:-- 73333
Step 6: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-02-03T10:46:02.212955+0000","flow_id":629758018808795,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":36074,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:02.212162+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":36074,"dest_port":80}}
Step 7: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha1.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-02-03T10:46:02.212955+0000","flow_id":629758018808795,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":36074,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:02.212162+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":36074,"dest_port":80}}
Step 8: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha256.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-02-03T10:46:02.212955+0000","flow_id":629758018808795,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":36074,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:02.212162+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":36074,"dest_port":80}}
Step 9: Run command file copy http://10.215.168.1/~robot/hashset-md5.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 33 100 33 0 0 8686 0 --:--:-- --:--:-- --:--:-- 11000
Step 10: Run command file copy http://10.215.168.1/~robot/filehash-md5-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 113 100 113 0 0 28032 0 --:--:-- --:--:-- --:--:-- 28250
Step 11: Run command file show running://hashset-md5.list at DUT0 and expect this output:
Show output
c533c963702d7e99b2aa52713d3cf63c
Step 12: Run command file show running://filehash-md5-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP MD5 DROP Test by Teldat"; filemd5:hashset-md5.list; sid:10002 ; rev: 1;)
Step 13: Modify the following configuration lines in DUT0:
set service firewall FW hashset file 'running://hashset-md5.list' set service firewall FW ruleset file 'running://filehash-md5-drop.rules'
Step 14: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 15: Run command service firewall FW show logging eve | grep -E "HTTP MD5 DROP Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10002).+$Show output
{"timestamp":"2025-02-03T10:46:07.478625+0000","flow_id":2052603414856509,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":52078,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10002,"rev":1,"signature":"HTTP MD5 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":" /~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5": "c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:07.477908+0000","src_ip":"10.215.168.64","dest _ip":"10.215.168.1","src_port":52078,"dest_port":80}}
Step 16: Run command file copy http://10.215.168.1/~robot/hashset-sha1.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 40 100 40 0 0 10365 0 --:--:-- --:--:-- --:--:-- 13333
Step 17: Run command file copy http://10.215.168.1/~robot/filehash-sha1-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 116 100 116 0 0 31325 0 --:--:-- --:--:-- --:--:-- 38666
Step 18: Run command file show running://hashset-sha1.list at DUT0 and expect this output:
Show output
edbfd7fc5eba4b93b8299e4b31352578a74f5773
Step 19: Run command file show running://filehash-sha1-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP SHA1 DROP Test by Teldat"; filesha1:hashset-sha1.list; sid:10003 ; rev: 1;)
Step 20: Modify the following configuration lines in DUT0:
delete service firewall FW hashset file 'running://hashset-md5.list' delete service firewall FW ruleset file 'running://filehash-md5-drop.rules' set service firewall FW hashset file 'running://hashset-sha1.list' set service firewall FW ruleset file 'running://filehash-sha1-drop.rules'
Step 21: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 22: Run command service firewall FW show logging eve | grep -E "HTTP SHA1 DROP Test by Teldat.*md5.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10003).+$Show output
{"timestamp":"2025-02-03T10:46:22.622085+0000","flow_id":1824266486762426,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":41472,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10003,"rev":1,"signature":"HTTP SHA1 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url": "/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5" :"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:22.621353+0000","src_ip":"10.215.168.64","des t_ip":"10.215.168.1","src_port":41472,"dest_port":80}}
Step 23: Run command file copy http://10.215.168.1/~robot/hashset-sha256.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 65 100 65 0 0 5583 0 --:--:-- --:--:-- --:--:-- 5909
Step 24: Run command file copy http://10.215.168.1/~robot/filehash-sha256-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 122 100 122 0 0 30049 0 --:--:-- --:--:-- --:--:-- 30500
Step 25: Run command file show running://hashset-sha256.list at DUT0 and expect this output:
Show output
11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d
Step 26: Run command file show running://filehash-sha256-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP SHA256 DROP Test by Teldat"; filesha256:hashset-sha256.list; sid:10004 ; rev: 1;)
Step 27: Modify the following configuration lines in DUT0:
delete service firewall FW hashset file 'running://hashset-sha1.list' delete service firewall FW ruleset file 'running://filehash-sha1-drop.rules' set service firewall FW hashset file 'running://hashset-sha256.list' set service firewall FW ruleset file 'running://filehash-sha256-drop.rules'
Step 28: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 29: Run command service firewall FW show logging eve | grep -E "HTTP SHA256 DROP Test by Teldat.*md5.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10004).+$Show output
{"timestamp":"2025-02-03T10:46:37.719526+0000","flow_id":1679336675819712,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":55736,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10004,"rev":1,"signature":"HTTP SHA256 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url ":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md 5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-02-03T10:46:37.718681+0000","src_ip":"10.215.168.64","d est_ip":"10.215.168.1","src_port":55736,"dest_port":80}}