General Tests
The following scenario shows how to place an OSDx router between two machines to allow them to communicate with each other and to provide protection when accessing one another and the external WAN.
Test Simple Ruleset With Queues
Description
Configures the three DUTs that will be used and checks that they are capable of pinging each other but not of connecting via SSH, since these connections are being dropped by the firewall.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.508 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.508/0.508/0.508/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.433 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.433/0.433/0.433/0.000 ms
Step 4: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 5: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(SSH not allowed in this network).+$Show output
01/10/2025-12:15:45.085260 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:45.238248 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:45.707747 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:45.917710 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:47.293263 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47400 -> 20.0.0.2:22 01/10/2025-12:15:47.371659 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:47.564270 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47400 -> 20.0.0.2:22 01/10/2025-12:15:47.581468 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:50.877712 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22 01/10/2025-12:15:50.891485 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:35554 -> 40.0.0.2:22
Test Simple Ruleset With Custom Action-order
Description
Configures the three DUTs that will be used and checks that initially they are capable of pinging each other but after changing the priority of rule actions, ICMP traffic is not passed, but dropped by the firewall.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.510 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.510/0.510/0.510/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.451 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
Step 4: Modify the following configuration lines in DUT0 :
set service firewall FW action-order 'drop, reject, alert, pass'
Step 5: Expect a failure in the following command:
Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. --- 20.0.0.2 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Expect a failure in the following command:
Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. --- 40.0.0.2 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(ICMP traffic dropped).+$Show output
01/10/2025-12:16:15.201536 [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0 01/10/2025-12:16:16.307129 [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 20.0.0.2:8 -> 40.0.0.2:0
Test Simple Ruleset With Queues IDS Mode
Description
Configures the three DUTs that will be used and checks that they are capable of pinging each other and of connecting via SSH. Since the firewall is set to IDS mode, these connections are not being dropped.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging outputs fast set service firewall FW mode monitor interfaces eth0,eth1 set service firewall FW ruleset file 'running://base.rules' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.315 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.294 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:07:53 2025 admin@osdx$
Step 5: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:02:44 2025 admin@osdx$
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[wDrop].+(SSH not allowed in this network).+$Show output
01/10/2025-12:16:34.898514 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.898682 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.898799 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.899793 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.937384 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.939140 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.939062 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.939144 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.939214 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22 01/10/2025-12:16:34.940578 [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45506 -> 40.0.0.2:22
Test Encrypted Ruleset
Description
Configures the three DUTs, encrypts an arbitrary ruleset file and checks that the firewall is handling said file as expected. The firewall behaves the same way as for Test Simple Ruleset With Queues but with an encrypted ruleset.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 272 100 272 0 0 51476 0 --:--:-- --:--:-- --:--:-- 54400
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base-enc.rules' digest sha512 set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX193XMoLmjqOKi435H8DCRKYke9VfIkazVi/73sTah3OyLQCYSI2Kbi2 set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000 set service firewall FW ruleset file 'running://base-enc.rules' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.519 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.519/0.519/0.519/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.430 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.430/0.430/0.430/0.000 ms
Step 5: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 6: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+[Drop].+(SSH not allowed in this network).+$Show output
01/10/2025-12:17:04.467731 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:04.628494 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:05.089950 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:05.300055 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:06.753974 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:06.771475 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:55684 -> 20.0.0.2:22 01/10/2025-12:17:06.963739 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:07.042138 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:55684 -> 20.0.0.2:22 01/10/2025-12:17:10.114158 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22 01/10/2025-12:17:10.355953 [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57040 -> 40.0.0.2:22
Test Encrypted Patch
Description
Configures three DUTs, encrypts a patch that allows SSH communication between the DUTs and enables bypass. The original input file was:
drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
After applying the following patch:
1c1
< drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
---
> alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
The resulting file must be:
alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
This not only allows SSH traffic but also enables the bypass feature (not tested here yet).
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 272 100 272 0 0 54916 0 --:--:-- --:--:-- --:--:-- 68000
Step 2: Run command file copy http://10.215.168.1/~robot/base-enc.diff1 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 256 100 256 0 0 50552 0 --:--:-- --:--:-- --:--:-- 51200
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://base-enc.rules' digest sha512 set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX18vrNMeAQBGSBzNkveY2IlpTanvo0TFXaHI6juf4iprO9EGwRBNOFCG set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000 set service firewall FW ruleset file 'running://base-enc.rules' key-length 256 set service firewall FW ruleset patch 'running://base-enc.diff1' digest sha512 set service firewall FW ruleset patch 'running://base-enc.diff1' encrypted-password U2FsdGVkX18CAuEDPKEtEyveX7Z9W/mW0rU/ajObFmDX25nOmhQqZcqY7p3RerSP set service firewall FW ruleset patch 'running://base-enc.diff1' iterations 100000 set service firewall FW ruleset patch 'running://base-enc.diff1' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.493 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.493/0.493/0.493/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.463 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.463/0.463/0.463/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:16:34 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:16:34 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
01/10/2025-12:17:33.698859 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:36810 -> 20.0.0.2:22 01/10/2025-12:17:34.092976 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:33328 -> 40.0.0.2:22
Test Compressed Ruleset With Patch
Description
Configures three DUTs, places a patch between the DUTs that allows SSH
communication, and enables bypass. In addition, there are two source
rules that are compressed into a tar.gz file whose content is used
by the firewall to define the rules. One of the files is named base.rules``and
is the file that the patch is meant for. The second one
is ``test-performance.rules whose contents are:: The original input file was:
alert tcp any any -> any 5001 (msg: "Skipping test network performance traffic"; bypass; flow: established, to_server; sid: 4;)
This rule simply bypasses traffic that is deemed “performance traffic”,
which is directly associated with the monitor test performance command.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 332 100 332 0 0 65444 0 --:--:-- --:--:-- --:--:-- 66400
Step 2: Run command file copy http://10.215.168.1/~robot/base.diff1 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 238 100 238 0 0 41783 0 --:--:-- --:--:-- --:--:-- 47600
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' set service firewall FW ruleset patch 'running://base.diff1' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.546 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.546/0.546/0.546/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.382 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.382/0.382/0.382/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:17:34 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:17:34 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
01/10/2025-12:17:53.401874 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47106 -> 20.0.0.2:22 01/10/2025-12:17:53.817699 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43580 -> 40.0.0.2:22
Step 9: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 42088 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 89.0 MBytes 747 Mbits/sec 18 1.82 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 89.0 MBytes 747 Mbits/sec 18 sender [ 5] 0.00-1.01 sec 87.4 MBytes 725 Mbits/sec receiver iperf Done.
Step 10: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$Show output
01/10/2025-12:17:53.401874 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47106 -> 20.0.0.2:22 01/10/2025-12:17:53.817699 [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43580 -> 40.0.0.2:22 01/10/2025-12:17:54.364335 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42078 -> 40.0.0.2:5001 01/10/2025-12:17:54.365098 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:42088 -> 40.0.0.2:5001
Test Single File In Compressed Ruleset
Description
Compresses two ruleset files but only chooses the test-performance.rules
from within the compressed file. Lastly, checks that performance traffic is detected but
no message is generated for SSH traffic, indicating that only one file is
being used.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 332 100 332 0 0 80798 0 --:--:-- --:--:-- --:--:-- 83000
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' file test-performance.rules set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.516 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.516/0.516/0.516/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.489 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.489/0.489/0.489/0.000 ms
Step 5: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:17:54 2025 from 40.0.0.2 admin@osdx$
Step 6: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:17:53 2025 from 20.0.0.2 admin@osdx$
Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output does not match the following regular expressions:
(?m)^.+(SSH traffic detected - bypassing).+$Show output
No fast logs yet for client "FW"
Step 8: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 46130 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 49.9 MBytes 418 Mbits/sec 0 2.38 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 49.9 MBytes 418 Mbits/sec 0 sender [ 5] 0.00-1.02 sec 49.3 MBytes 404 Mbits/sec receiver iperf Done.
Step 9: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$Show output
01/10/2025-12:18:14.778371 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46122 -> 40.0.0.2:5001 01/10/2025-12:18:14.779261 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46130 -> 40.0.0.2:5001
Test Selectors
Description
Builds a scenario with three DUTs in which some selectors are applied to traffic depending on the network detected. This allows specific selector-based rules to be applied to traffic and with only one firewall instance.
To demonstrate this behavior, two labels will be set:
WANlabel that is applied to every packet going outside the local network.
LANlabel that marks every packet present in the underlying network.
For this purpose, a whole scenario will be used to enable all the features to work:
A compressed, encrypted ruleset will be created that contains
base.rulesas well astest-performance.rules.A patch that will upgrade
base.rulesso it contains rules based on labels. The expected final result will be:alert ssh any any -> any any (msg: "Local SSH traffic - bypassing..."; selector: LOCAL; bypass; sid: 1; flow: established, to_server;) drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23; selector: WAN;) pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;) drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; selector: WAN, LOCAL; sid: 4; flow: established, to_server;)
Hence, the following will be tested:
SSH connection is working between the LAN nodes - DUT1 and DUT2
It is impossible to get the
nids.htmlfile (i.e., a malicious file) from the WAN.ICMP messages are allowed from any node within the network.
Traffic performance tests are allowed for both the WAN and LOCAL selectors but not on port 5000.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz.aes256 running://ruleset.tar.gz force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 352 100 352 0 0 111k 0 --:--:-- --:--:-- --:--:-- 114k
Step 2: Run command file copy http://10.215.168.1/~robot/base.diff2-aes256 running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 528 100 528 0 0 237k 0 --:--:-- --:--:-- --:--:-- 257k
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth0 traffic policy in FW_PWAN set interfaces ethernet eth0 traffic policy out FW_PWAN set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset compressed 'running://ruleset.tar.gz' digest sha512 set service firewall FW ruleset compressed 'running://ruleset.tar.gz' encrypted-password U2FsdGVkX184oBRKXGDcsFhA1GHLacyhrzWjEejc8+gk4iCo0rH0tsienF1FKffk set service firewall FW ruleset compressed 'running://ruleset.tar.gz' iterations 100000 set service firewall FW ruleset compressed 'running://ruleset.tar.gz' key-length 256 set service firewall FW ruleset patch 'running://base.diff2-aes256' digest sha512 set service firewall FW ruleset patch 'running://base.diff2-aes256' encrypted-password U2FsdGVkX19ozwIlocQKz3bdalGsmoSLLtOH+kTbMRCT1PYyU/kYbbOZGWJF46MG set service firewall FW ruleset patch 'running://base.diff2-aes256' iterations 100000 set service firewall FW ruleset patch 'running://base.diff2-aes256' key-length 256 set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic group address LAN element 20.0.0.0/24 set traffic group address LAN element 40.0.0.0/24 set traffic label LOCAL set traffic label WAN set traffic policy FW_PLAN rule 1 action enqueue FW_Q set traffic policy FW_PLAN rule 1 selector LAN set traffic policy FW_PLAN rule 1 set label LOCAL set traffic policy FW_PWAN rule 1 action enqueue FW_Q set traffic policy FW_PWAN rule 1 set label WAN set traffic queue FW_Q elements 1 set traffic selector LAN rule 1 destination address-group LAN set traffic selector LAN rule 1 source address-group LAN
Step 4: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.523 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.523/0.523/0.523/0.000 ms
Step 5: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.633 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.633/0.633/0.633/0.000 ms
Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:
admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts. admin@20.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:18:14 2025 from 40.0.0.2 admin@osdx$
Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:
admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts. admin@40.0.0.2's password: Welcome to Teldat OSDx v4.2.2.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Jan 10 12:18:15 2025 from 20.0.0.2 admin@osdx$
Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Local SSH traffic - bypassing...).+$Show output
01/10/2025-12:18:36.493223 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:54558 -> 20.0.0.2:22 01/10/2025-12:18:36.905626 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43642 -> 40.0.0.2:22
Step 9: Expect a failure in the following command:
Init an SSH connection from DUT1 to IP address 10.215.168.1 with the user admin:
admin@DUT1$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 10: Expect a failure in the following command:
Init an SSH connection from DUT2 to IP address 10.215.168.1 with the user admin:
admin@DUT2$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Step 11: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Outgoing TCP traffic to port 22 from LAN to WAN).+$Show output
01/10/2025-12:18:36.493223 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:54558 -> 20.0.0.2:22 01/10/2025-12:18:36.905626 [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43642 -> 40.0.0.2:22 01/10/2025-12:18:37.400448 [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:57300 -> 10.215.168.1:22 01/10/2025-12:18:47.525074 [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:53304 -> 10.215.168.1:22
Step 12: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5001 admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001 parallel 1Expect this output in
DUT2:Connecting to host 40.0.0.2, port 5001 [ 5] local 20.0.0.2 port 56834 connected to 40.0.0.2 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 52.1 MBytes 437 Mbits/sec 0 2.52 MBytes [ 5] 1.00-2.00 sec 47.5 MBytes 398 Mbits/sec 0 2.54 MBytes [ 5] 2.00-3.00 sec 53.8 MBytes 451 Mbits/sec 224 1.78 MBytes [ 5] 3.00-4.00 sec 86.2 MBytes 724 Mbits/sec 0 1.97 MBytes [ 5] 4.00-5.00 sec 86.2 MBytes 724 Mbits/sec 32 1.48 MBytes [ 5] 5.00-6.00 sec 87.5 MBytes 734 Mbits/sec 0 1.58 MBytes [ 5] 6.00-7.00 sec 82.5 MBytes 692 Mbits/sec 0 1.66 MBytes [ 5] 7.00-8.00 sec 83.8 MBytes 703 Mbits/sec 0 1.72 MBytes [ 5] 8.00-9.00 sec 82.5 MBytes 692 Mbits/sec 0 1.76 MBytes [ 5] 9.00-10.00 sec 86.2 MBytes 724 Mbits/sec 0 1.78 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 748 MBytes 628 Mbits/sec 256 sender [ 5] 0.00-10.01 sec 746 MBytes 626 Mbits/sec receiver iperf Done.
Step 13: Initiate a bandwidth test from DUT2 to DUT1
admin@DUT1$ monitor test performance server port 5000 admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5000 parallel 1Expect this output in
DUT2:^C- - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr iperf3: interrupt - the client has terminated admin@osdx$
Step 14: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Dropping TCP performance test traffic).+$Show output
01/10/2025-12:18:57.765442 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56820 -> 40.0.0.2:5001 01/10/2025-12:18:57.766211 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56834 -> 40.0.0.2:5001 01/10/2025-12:19:08.071496 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:08.278225 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:08.486227 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:08.918226 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:09.750191 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:11.108331 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:11.132894 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000 01/10/2025-12:19:11.139785 [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57550 -> 40.0.0.2:5000
Test Hashset
Description
Configures the three DUTs although only DUT0 is used for the test. First, a probe file is downloaded by DUT0. The probe file is detected by the service firewall running in DUT0 and md5, sha1 and sha256 hashes are logged. Lastly, the service firewall is configured for blocking the download of the probe file when is recognized through the configured md5, sha1 or sha256 hashset files.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth0 traffic policy in FW_PWAN set interfaces ethernet eth0 traffic policy out FW_PWAN set interfaces ethernet eth1 vif 101 address 40.0.0.1/8 set interfaces ethernet eth1 vif 201 address 20.0.0.1/8 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns static host-name WAN inet 10.215.168.1 set service firewall FW logging level config set service firewall FW logging outputs eve types files force-hash md5 set service firewall FW logging outputs eve types files force-hash sha1 set service firewall FW logging outputs eve types files force-hash sha256 set service firewall FW logging outputs fast set service firewall FW mode inline queue FW_Q set service firewall FW ruleset file 'running://http-alert.rules' set service firewall FW validator-timeout 20 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy FW_PWAN rule 1 action enqueue FW_Q set traffic queue FW_Q elements 1
Step 2: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data. 64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.346 ms --- 20.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.346/0.346/0.346/0.000 ms
Step 3: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data. 64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.373 ms --- 40.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.373/0.373/0.373/0.000 ms
Step 4: Run command file show running://http-alert.rules at DUT0 and expect this output:
Show output
alert http any any -> any any (msg:"HTTP ALERT Test by Teldat"; sid:10001 ; rev: 1;)
Step 5: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 220 100 220 0 0 44026 0 --:--:-- --:--:-- --:--:-- 55000
Step 6: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-01-10T12:19:30.588283+0000","flow_id":835457324724438,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":58472,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:19:30.587736+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":58472,"dest_port":80}}
Step 7: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha1.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-01-10T12:19:30.588283+0000","flow_id":835457324724438,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":58472,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:19:30.587736+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":58472,"dest_port":80}}
Step 8: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha256.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10001).+$Show output
{"timestamp":"2025-01-10T12:19:30.588283+0000","flow_id":835457324724438,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":58472,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.h tml","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7 e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:19:30.587736+0000","src_ip":"10.215.168.64","dest_ip":"10.215.1 68.1","src_port":58472,"dest_port":80}}
Step 9: Run command file copy http://10.215.168.1/~robot/hashset-md5.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 33 100 33 0 0 7494 0 --:--:-- --:--:-- --:--:-- 8250
Step 10: Run command file copy http://10.215.168.1/~robot/filehash-md5-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 113 100 113 0 0 18924 0 --:--:-- --:--:-- --:--:-- 22600
Step 11: Run command file show running://hashset-md5.list at DUT0 and expect this output:
Show output
c533c963702d7e99b2aa52713d3cf63c
Step 12: Run command file show running://filehash-md5-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP MD5 DROP Test by Teldat"; filemd5:hashset-md5.list; sid:10002 ; rev: 1;)
Step 13: Modify the following configuration lines in DUT0 :
set service firewall FW hashset file 'running://hashset-md5.list' set service firewall FW ruleset file 'running://filehash-md5-drop.rules'
Step 14: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 15: Run command service firewall FW show logging eve | grep -E "HTTP MD5 DROP Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10002).+$Show output
{"timestamp":"2025-01-10T12:19:34.388728+0000","flow_id":1948941990643532,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":58504,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10002,"rev":1,"signature":"HTTP MD5 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":" /~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5": "c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:19:34.388237+0000","src_ip":"10.215.168.64","dest _ip":"10.215.168.1","src_port":58504,"dest_port":80}}
Step 16: Run command file copy http://10.215.168.1/~robot/hashset-sha1.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 40 100 40 0 0 7039 0 --:--:-- --:--:-- --:--:-- 8000
Step 17: Run command file copy http://10.215.168.1/~robot/filehash-sha1-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 116 100 116 0 0 22581 0 --:--:-- --:--:-- --:--:-- 23200
Step 18: Run command file show running://hashset-sha1.list at DUT0 and expect this output:
Show output
edbfd7fc5eba4b93b8299e4b31352578a74f5773
Step 19: Run command file show running://filehash-sha1-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP SHA1 DROP Test by Teldat"; filesha1:hashset-sha1.list; sid:10003 ; rev: 1;)
Step 20: Modify the following configuration lines in DUT0 :
delete service firewall FW hashset file 'running://hashset-md5.list' delete service firewall FW ruleset file 'running://filehash-md5-drop.rules' set service firewall FW hashset file 'running://hashset-sha1.list' set service firewall FW ruleset file 'running://filehash-sha1-drop.rules'
Step 21: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 22: Run command service firewall FW show logging eve | grep -E "HTTP SHA1 DROP Test by Teldat.*md5.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10003).+$Show output
{"timestamp":"2025-01-10T12:19:48.404245+0000","flow_id":1171095139616917,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":45844,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10003,"rev":1,"signature":"HTTP SHA1 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url": "/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5" :"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:19:48.403738+0000","src_ip":"10.215.168.64","des t_ip":"10.215.168.1","src_port":45844,"dest_port":80}}
Step 23: Run command file copy http://10.215.168.1/~robot/hashset-sha256.list running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 65 100 65 0 0 12582 0 --:--:-- --:--:-- --:--:-- 13000
Step 24: Run command file copy http://10.215.168.1/~robot/filehash-sha256-drop.rules running:// force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 122 100 122 0 0 27075 0 --:--:-- --:--:-- --:--:-- 30500
Step 25: Run command file show running://hashset-sha256.list at DUT0 and expect this output:
Show output
11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d
Step 26: Run command file show running://filehash-sha256-drop.rules at DUT0 and expect this output:
Show output
drop http any any -> any any (msg:"HTTP SHA256 DROP Test by Teldat"; filesha256:hashset-sha256.list; sid:10004 ; rev: 1;)
Step 27: Modify the following configuration lines in DUT0 :
delete service firewall FW hashset file 'running://hashset-sha1.list' delete service firewall FW ruleset file 'running://filehash-sha1-drop.rules' set service firewall FW hashset file 'running://hashset-sha256.list' set service firewall FW ruleset file 'running://filehash-sha256-drop.rules'
Step 28: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0^C Operation aborted by user. admin@osdx$
Step 29: Run command service firewall FW show logging eve | grep -E "HTTP SHA256 DROP Test by Teldat.*md5.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:
(?m)^.+("signature_id":10004).+$Show output
{"timestamp":"2025-01-10T12:20:01.564593+0000","flow_id":452269684147645,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":59922,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10004,"rev":1,"signature":"HTTP SHA256 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url" :"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.14 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5 ":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-01-10T12:20:01.564054+0000","src_ip":"10.215.168.64","de st_ip":"10.215.168.1","src_port":59922,"dest_port":80}}