App Id

The following scenarios show how to filter packets by app-id using traffic selectors: first with a custom dictionary of FQDN tokens, then with an engine dictionary loaded from a file.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic whose detected app-id belongs to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.199 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.199/0.199/0.199/0.000 ms

Step 3: Ping host www.teldat.es from DUT0:

admin@DUT0$ ping www.teldat.es count 1 size 56 timeout 1
PING www.teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=43 time=10.1 ms

--- www.teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.078/10.078/10.078/0.000 ms

Step 4: Run the command file copy https://www.teldat.es running://index.html force on DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   3243      0 --:--:-- --:--:-- --:--:--  3240

Step 5: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:www.teldat.es\]
Jan 10 15:24:10.296776 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.3M free.
Jan 10 15:24:10.297742 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:10.297797 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:10.306015 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:10.619195 osdx osdx-coredump[94420]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:10.626883 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:11.089420 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:11.154776 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:11.253161 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:11.305679 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:11.405185 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jan 10 15:24:11.456002 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:11.561441 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jan 10 15:24:11.616316 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jan 10 15:24:11.707006 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:11.761400 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:11.861742 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:11.920854 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:12.026118 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:12.099550 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:12.247511 osdx INFO[94468]: FRR daemons did not change
Jan 10 15:24:12.417735 osdx kernel: app-detect: module init
Jan 10 15:24:12.417782 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:12.421733 osdx kernel: app-detect: expression init
Jan 10 15:24:12.421753 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:12.421762 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:12.465749 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:12.790508 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:12.817442 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:12.833940 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:12.996328 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 15:24:13.233912 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.teldat.es count 1 size 56 timeout 1'.
Jan 10 15:24:13.378311 osdx file_operation[94671]: using src url: https://www.teldat.es dst url: running://index.html
Jan 10 15:24:13.409755 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=54101 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.413739 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=54102 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.413767 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=54103 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.413779 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=54104 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.417754 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1516 TOS=0x00 PREC=0x00 TTL=43 ID=54106 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.429755 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=54108 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.453536 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=54109 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.469756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=54110 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.469812 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=54111 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.469823 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=54112 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.474024 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.teldat.es running://index.html force'.

Step 6: Run the command file copy http://10.215.168.1/~robot/ running://index.html force on DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4352    0  4352    0     0   755k      0 --:--:-- --:--:-- --:--:--  850k

Step 7: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Jan 10 15:24:13.578621 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 10 15:24:13.797263 osdx file_operation[94693]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jan 10 15:24:13.805741 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3974 DF PROTO=TCP SPT=80 DPT=52312 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jan 10 15:24:13.805792 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4572 TOS=0x00 PREC=0x00 TTL=64 ID=3975 DF PROTO=TCP SPT=80 DPT=52312 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jan 10 15:24:13.805803 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3979 DF PROTO=TCP SPT=80 DPT=52312 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jan 10 15:24:13.825790 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
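The following Python parser, added here as an example and not part of OSDx, reads the [POL-1] ACCEPT ... APPDETECT[U:33 ssl-host:www.teldat.es] kernel lines that both the custom-dictionary scenario above and the engine-dictionary scenario below verify with system journal show, reproduces the regular-expression check from those steps, and tallies accepted packets per app-id and detected host. It assumes only the line shape visible in the dumps (the meaning of the U: prefix is not stated on this page, so it is kept as an opaque field) and runs on a constructed journal excerpt.

```python
"""Parse OSDx traffic-policy kernel log lines carrying an APPDETECT tag and
reproduce the journal check used in the app-id scenarios.
Example code added to this page; it is not part of OSDx."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed journal excerpt: line shape copied from the scenario dumps
# (custom-dictionary hits U:33 ssl-host and U:34 http-host), plus one ACCEPT
# line without an APPDETECT tag and one non-kernel CLI line as edge cases.
SAMPLE_JOURNAL = """\
Jan 10 15:24:13.409755 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=54101 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.469812 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=54111 DF PROTO=TCP SPT=443 DPT=35432 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.teldat.es]
Jan 10 15:24:13.805741 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3974 DF PROTO=TCP SPT=80 DPT=52312 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jan 10 15:24:13.900000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3980 DF PROTO=TCP SPT=80 DPT=52312 WINDOW=508 RES=0x00 ACK URGP=0
Jan 10 15:24:13.474024 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.teldat.es running://index.html force'.
"""

# "<timestamp> <host> kernel: [<policy>-<rule>] <VERDICT> <key=value tokens and flags>"
KERNEL_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) (?P<host>\S+) kernel: "
    r"\[(?P<policy>[^\]]+?)-(?P<rule>\d+)\] (?P<verdict>[A-Z]+) (?P<body>.*)$"
)
# Trailing tag written by "log app-id": APPDETECT[<prefix>:<app-id> <type>:<host>]
APPDETECT_RE = re.compile(
    r"APPDETECT\[(?P<prefix>[A-Za-z]+):(?P<app_id>-?\d+) "
    r"(?P<host_type>ssl-host|http-host):(?P<host>[^\]\s]+)\]"
)


@dataclass
class PolicyHit:
    timestamp: str
    policy: str
    rule: int
    verdict: str
    fields: Dict[str, str]            # key=value tokens: SRC, DST, PROTO, SPT, DPT, ...
    flags: List[str]                  # bare tokens: DF, ACK, PSH, FIN, ...
    app_prefix: Optional[str] = None  # the "U" in U:33; meaning not given on the page
    app_id: Optional[int] = None      # None when the line carries no APPDETECT tag
    host_type: Optional[str] = None   # "ssl-host" or "http-host"
    detected_host: Optional[str] = None


def parse_policy_line(line: str) -> Optional[PolicyHit]:
    """Return a PolicyHit for a traffic-policy kernel line, None for anything else."""
    m = KERNEL_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    tag = APPDETECT_RE.search(body)
    if tag:
        body = body[: tag.start()]      # parse packet fields only, tag handled below
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in body.split():
        if "=" in token:
            key, value = token.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.append(token)
    hit = PolicyHit(m.group("ts"), m.group("policy"), int(m.group("rule")),
                    m.group("verdict"), fields, flags)
    if tag:
        hit.app_prefix = tag.group("prefix")
        hit.app_id = int(tag.group("app_id"))
        hit.host_type = tag.group("host_type")
        hit.detected_host = tag.group("host")
    return hit


def parse_journal(text: str) -> List[PolicyHit]:
    return [h for h in (parse_policy_line(l) for l in text.splitlines()) if h]


def expected_check_regex(app_id: int, host_type: str, host: str) -> str:
    """Build the pattern the scenario steps check the journal against, e.g.
    osdx kernel:.*ACCEPT.*APPDETECT\\[U:33 ssl-host:www.teldat.es\\].
    The host is escaped, so this is slightly stricter than the page's literal."""
    return r"osdx kernel:.*ACCEPT.*APPDETECT\[U:%d %s:%s\]" % (
        app_id, host_type, re.escape(host))


def journal_matches(text: str, app_id: int, host_type: str, host: str) -> bool:
    """The scenario's pass criterion: at least one journal line matches."""
    pattern = re.compile(expected_check_regex(app_id, host_type, host))
    return any(pattern.search(l) for l in text.splitlines())


def summarize_hits(hits: List[PolicyHit]) -> Dict[Tuple[int, str, str], int]:
    """Accepted packets per (app-id, host type, detected host): the view a
    defender reviews to spot a host being classified under an unexpected app-id."""
    counts: Dict[Tuple[int, str, str], int] = {}
    for h in hits:
        if h.app_id is None or h.verdict != "ACCEPT":
            continue
        key = (h.app_id, h.host_type or "", h.detected_host or "")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_hits(parse_journal(SAMPLE_JOURNAL)).items()):
        print("app-id %d %s:%s -> %d accepted packets" % (key[0], key[1], key[2], n))
    print("step 5 check:", journal_matches(SAMPLE_JOURNAL, 33, "ssl-host", "www.teldat.es"))
```

Both ssl-host (the TLS SNI) and http-host (the HTTP Host header) are values the client supplies, so a dictionary token such as teldat classifies flows by what the client claims to be talking to; in the dump above the token matched the full name www.teldat.es.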

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic whose detected app-id belongs to an engine dictionary loaded from a file.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms

Step 3: Ping host www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.250.179.164) 56(84) bytes of data.
64 bytes from ams15s41-in-f4.1e100.net (142.250.179.164): icmp_seq=1 ttl=47 time=31.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.067/31.067/31.067/0.000 ms

Step 4: Run the command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force on DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  11.2M      0 --:--:-- --:--:-- --:--:-- 13.0M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run the command file copy https://www.google.com running://index.html force on DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19836    0 19836    0     0   107k      0 --:--:-- --:--:-- --:--:--  108k

Step 7: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Jan 10 15:24:18.300914 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.3M free.
Jan 10 15:24:18.304826 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:18.304897 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:18.310078 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:18.618422 osdx osdx-coredump[94904]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:18.625884 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:19.107348 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:19.166613 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:19.263383 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:19.318233 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:19.416155 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jan 10 15:24:19.468998 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:19.566475 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:19.619611 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:19.731143 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:19.804677 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:19.926643 osdx INFO[94948]: FRR daemons did not change
Jan 10 15:24:19.948854 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:20.257662 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:20.283392 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:20.305435 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:20.439222 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 15:24:20.588692 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jan 10 15:24:20.743811 osdx file_operation[95114]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jan 10 15:24:20.770801 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jan 10 15:24:20.916730 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:20.987320 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jan 10 15:24:21.084562 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:21.149016 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:21.244767 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show changes'.
Jan 10 15:24:21.313369 osdx INFO[95131]: FRR daemons did not change
Jan 10 15:24:21.472833 osdx kernel: app-detect: module init
Jan 10 15:24:21.472882 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:21.472900 osdx kernel: app-detect: expression init
Jan 10 15:24:21.472911 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:21.472922 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:21.655809 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:21.657510 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:21.683356 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:21.883170 osdx file_operation[95184]: using src url: https://www.google.com dst url: running://index.html
Jan 10 15:24:21.959889 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19481 PROTO=TCP SPT=443 DPT=38476 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.963597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19482 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.963700 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19483 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.964832 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=47 ID=19484 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.999696 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=47 ID=19486 PROTO=TCP SPT=443 DPT=38476 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.000823 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=47 ID=19487 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.038625 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19488 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052833 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1022 TOS=0x00 PREC=0x00 TTL=47 ID=19489 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052944 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19490 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052960 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19491 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052986 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19492 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.053005 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19493 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056840 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19494 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056888 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19495 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056902 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19496 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056914 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19497 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060819 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19498 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060843 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19499 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060856 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=778 TOS=0x00 PREC=0x00 TTL=47 ID=19500 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060873 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19501 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060885 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19502 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064821 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19503 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064844 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19504 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064857 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=979 TOS=0x00 PREC=0x00 TTL=47 ID=19505 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.085395 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jan 10 15:24:22.100861 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19506 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4469    0  4469    0     0  1061k      0 --:--:-- --:--:-- --:--:-- 1091k

Step 9: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression. The journal captured below was recorded on a run whose dictionary 1 was loaded from running://test_dict.gz and whose selector used app-id engine 128 instead of the custom entries of Step 1; the check itself, an ACCEPT line carrying http-host:10.215.168.1 for the download of Step 8, is the same either way:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Show output
Jan 10 15:24:18.300914 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.3M free.
Jan 10 15:24:18.304826 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:18.304897 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:18.310078 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:18.618422 osdx osdx-coredump[94904]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:18.625884 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:19.107348 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:19.166613 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:19.263383 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:19.318233 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:19.416155 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jan 10 15:24:19.468998 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:19.566475 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:19.619611 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:19.731143 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:19.804677 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:19.926643 osdx INFO[94948]: FRR daemons did not change
Jan 10 15:24:19.948854 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:20.257662 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:20.283392 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:20.305435 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:20.439222 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 15:24:20.588692 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jan 10 15:24:20.743811 osdx file_operation[95114]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jan 10 15:24:20.770801 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jan 10 15:24:20.916730 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:20.987320 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jan 10 15:24:21.084562 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:21.149016 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:21.244767 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show changes'.
Jan 10 15:24:21.313369 osdx INFO[95131]: FRR daemons did not change
Jan 10 15:24:21.472833 osdx kernel: app-detect: module init
Jan 10 15:24:21.472882 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:21.472900 osdx kernel: app-detect: expression init
Jan 10 15:24:21.472911 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:21.472922 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:21.655809 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:21.657510 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:21.683356 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:21.883170 osdx file_operation[95184]: using src url: https://www.google.com dst url: running://index.html
Jan 10 15:24:21.959889 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19481 PROTO=TCP SPT=443 DPT=38476 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.963597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19482 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.963700 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19483 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.964832 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=47 ID=19484 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:21.999696 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=47 ID=19486 PROTO=TCP SPT=443 DPT=38476 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.000823 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=47 ID=19487 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.038625 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19488 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052833 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1022 TOS=0x00 PREC=0x00 TTL=47 ID=19489 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052944 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19490 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052960 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19491 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.052986 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19492 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.053005 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19493 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056840 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19494 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056888 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19495 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056902 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19496 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.056914 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19497 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060819 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19498 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060843 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19499 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060856 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=778 TOS=0x00 PREC=0x00 TTL=47 ID=19500 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060873 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19501 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.060885 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19502 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064821 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19503 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064844 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=19504 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.064857 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=979 TOS=0x00 PREC=0x00 TTL=47 ID=19505 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.085395 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jan 10 15:24:22.100861 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=19506 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jan 10 15:24:22.206505 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 10 15:24:22.480102 osdx file_operation[95206]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jan 10 15:24:22.484824 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=22212 DF PROTO=TCP SPT=80 DPT=55030 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jan 10 15:24:22.484873 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4689 TOS=0x00 PREC=0x00 TTL=64 ID=22213 DF PROTO=TCP SPT=80 DPT=55030 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jan 10 15:24:22.488823 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=22217 DF PROTO=TCP SPT=80 DPT=55030 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jan 10 15:24:22.501992 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
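The selector used on this page, app-id detected combined with app-id custom -1 (or its not form with action drop in the scenario that follows), can be re-checked offline against the [POL-1] lines that log app-id writes to the journal. The script below is an added example, not OSDx code and not part of this documentation: it parses the ACCEPT/DROP kernel lines into one record per packet, classifies the logged host against the custom dictionary of Step 1 (app-id 33 fqdn teldat, app-id 34 fqdn 10.215.168.1), predicts the verdict each rule should produce, compares it with what was logged per TCP flow, and confirms that the first logged packet of every flow is never a SYN, i.e. the handshake and the ClientHello are forwarded before the policy can see a classified flow. The sample lines are constructed in the page's log format (the DROP lines are copied from the Drop Traffic scenario, the ACCEPT lines are invented for www.teldat.es and 10.215.168.1). Two assumptions are not stated on the page: that a fqdn dictionary entry matches by substring, and the meaning of the U:6 / L4:443 token, which is carried through uninterpreted.

```python
"""Re-check OSDx app-id policy journal lines against a custom dictionary.

Added example, not OSDx code. Assumptions the page does not state: a dictionary
entry "fqdn X" matches any host name that contains X, and the first token inside
APPDETECT[...] ("U:6", "L4:443") is carried through without interpretation.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One kernel line per packet logged by "log app-id" on a policy rule (page format).
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:.]+ \S+ kernel: \[(?P<rule>[^\]]+)\] (?P<verdict>ACCEPT|DROP) "
    r"IN=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=\S+ SPT=(?P<spt>\d+) "
    r"DPT=(?P<dpt>\d+) .*?RES=\S+(?P<flags>(?: [A-Z]+)*) URGP=\d+ "
    r"APPDETECT\[(?P<origin>\S+) (?P<detector>[\w-]+):(?P<host>[^\]]+)\]$")

CUSTOM_DICTIONARY: Dict[int, str] = {33: "teldat", 34: "10.215.168.1"}  # Step 1


@dataclass(frozen=True)
class Record:
    rule: str               # "POL-1": policy name and rule number
    verdict: str            # ACCEPT or DROP
    src: str
    dst: str
    spt: int
    dpt: int
    flags: Tuple[str, ...]  # TCP flags printed between RES= and URGP=
    origin: str             # opaque app-detect token, e.g. "U:6" or "L4:443"
    detector: str           # "ssl-host" (TLS SNI) or "http-host" (HTTP Host header)
    host: str

    @property
    def flow(self) -> Tuple[str, int, str, int]:
        return (self.src, self.spt, self.dst, self.dpt)


def parse_line(line: str) -> Optional[Record]:
    """Record for a policy log line, None for any other journal line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Record(m["rule"], m["verdict"], m["src"], m["dst"], int(m["spt"]),
                  int(m["dpt"]), tuple(m["flags"].split()), m["origin"],
                  m["detector"], m["host"])


def custom_app_id(host: str, dictionary: Dict[int, str] = CUSTOM_DICTIONARY) -> Optional[int]:
    """Custom app-id whose fqdn entry matches host (substring match assumed), else None."""
    for app_id, fqdn in dictionary.items():
        if fqdn.lower() in host.lower():
            return app_id
    return None


def expected_verdict(rec: Record, scenario: str) -> Optional[str]:
    """Verdict POL rule 1 should log, or None if rule 1 does not select the packet.
    'match': 'app-id detected' + 'app-id custom -1', no action (accept).
    'drop':  'app-id detected' + 'not app-id custom -1', action drop.
    Every parsed line already carries an APPDETECT tag, so 'detected' holds."""
    in_custom = custom_app_id(rec.host) is not None
    if scenario == "match":
        return "ACCEPT" if in_custom else None
    if scenario == "drop":
        return "DROP" if not in_custom else None
    raise ValueError(f"unknown scenario {scenario!r}")


def audit(lines: List[str], scenario: str) -> "OrderedDict[Tuple, dict]":
    """Group policy lines per TCP flow and compare logged with expected verdicts."""
    flows: "OrderedDict[Tuple, dict]" = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # CLI audit, journald or app-detect init lines
        s = flows.setdefault(rec.flow, {
            "host": rec.host, "detector": rec.detector, "packets": 0,
            "custom_app_id": custom_app_id(rec.host), "logged": set(),
            "expected": expected_verdict(rec, scenario), "first_flags": rec.flags})
        s["logged"].add(rec.verdict)
        s["packets"] += 1
    for s in flows.values():
        s["consistent"] = s["logged"] == {s["expected"]}
    return flows


def classified_after_handshake(flows: "OrderedDict[Tuple, dict]") -> bool:
    """True if no flow's first logged packet is a SYN: the rule only sees a flow once
    app-detect has read the SNI or Host header, so the TCP handshake and the
    ClientHello were already forwarded before the first DROP."""
    return all("SYN" not in s["first_flags"] for s in flows.values())


MAC = "MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00"
# Constructed sample journal lines. DROP lines are copied from the "Drop Traffic"
# scenario; ACCEPT lines are invented for the "Match Traffic" scenario.
MATCH_LOG = [
    f"Jan 10 15:24:21.959889 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= {MAC} SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19481 PROTO=TCP SPT=443 DPT=38476 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.teldat.es]",
    f"Jan 10 15:24:21.964832 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= {MAC} SRC=82.223.148.162 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=43 ID=19484 PROTO=TCP SPT=443 DPT=38476 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.teldat.es]",
    f"Jan 10 15:24:22.484824 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= {MAC} SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=22212 DF PROTO=TCP SPT=80 DPT=55030 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    "Jan 10 15:24:22.501992 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.",
]
DROP_LOG = [
    f"Jan 10 15:24:30.461518 osdx kernel: [POL-1] DROP IN=eth0 OUT= {MAC} SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59776 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    f"Jan 10 15:24:32.441554 osdx kernel: [POL-1] DROP IN=eth0 OUT= {MAC} SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59790 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    f"Jan 10 15:24:32.887291 osdx kernel: [POL-1] DROP IN=eth0 OUT= {MAC} SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=51098 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
]

if __name__ == "__main__":
    for name, lines in (("match", MATCH_LOG), ("drop", DROP_LOG)):
        flows = audit(lines, name)
        print(f"{name}: handshake forwarded before verdict = {classified_after_handshake(flows)}")
        for (src, spt, dst, dpt), s in flows.items():
            print(f"  {src}:{spt} -> {dst}:{dpt} {s['detector']}={s['host']} custom={s['custom_app_id']} "
                  f"logged={sorted(s['logged'])} expected={s['expected']} ok={s['consistent']}")
```

Run as-is it prints one line per flow for both sample sets; to re-check a real run, replace the sample lists with the output of system journal show | cat. A flow whose logged verdict differs from the one the selector predicts (a dictionary host that was dropped, or a non-dictionary host that was accepted under the drop rule) shows up as ok=False, which is the fastest way to spot a dictionary entry that does not match the host name the way you expected.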

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all detected traffic whose app-id does not belong to the custom dictionary. The selector combines app-id detected with not app-id custom -1, so a flow is dropped only after app-detect has classified it from the HTTP Host header or the TLS SNI: the TCP handshake and the ClientHello itself are forwarded before that point, and traffic that is never classified this way (the ICMP echo requests below, for instance) is not affected by the rule.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=49 time=3.42 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.422/3.422/3.422/0.000 ms

Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
Show output
PING www.google.com (142.250.179.164) 56(84) bytes of data.
64 bytes from ams15s41-in-f4.1e100.net (142.250.179.164): icmp_seq=1 ttl=47 time=31.0 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.022/31.022/31.022/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression. The DROP lines it looks for were produced by file copy https://www.marca.com running://index.html force, which the journal records just before them; every packet the server sends after the SNI www.marca.com has been classified is dropped, so the download never completes and the journal then records the file operation being aborted:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Jan 10 15:24:27.297999 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.2M free.
Jan 10 15:24:27.301509 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:27.301561 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:27.307138 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:27.617597 osdx osdx-coredump[95419]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:27.624944 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:28.089495 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:28.153149 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:28.248788 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:28.311213 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:28.400395 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jan 10 15:24:28.471653 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jan 10 15:24:28.563958 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:28.630358 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jan 10 15:24:28.729026 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jan 10 15:24:28.788518 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:28.876724 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:28.935442 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:29.028777 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:29.105648 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:29.208910 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:29.308342 osdx INFO[95468]: FRR daemons did not change
Jan 10 15:24:29.481562 osdx kernel: app-detect: module init
Jan 10 15:24:29.481620 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:29.481635 osdx kernel: app-detect: expression init
Jan 10 15:24:29.481646 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:29.481658 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:29.541505 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:29.830278 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:29.856995 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:29.883450 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:30.180303 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jan 10 15:24:30.295747 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jan 10 15:24:30.443013 osdx file_operation[95665]: using src url: https://www.marca.com dst url: running://index.html
Jan 10 15:24:30.461518 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59776 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461595 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59777 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461610 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59778 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=49 ID=59779 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.474324 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=59781 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.664650 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59782 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.683543 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59783 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.872949 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59784 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.100887 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59785 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.305021 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59786 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.964598 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59787 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.136985 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59788 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.429019 osdx file_operation.py[95665]: Operation aborted by user.
Jan 10 15:24:32.441503 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59789 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.441554 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59790 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.442922 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.

Step 5: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression. These DROP lines come from file copy http://www.google.com running://index.html force, recorded at the end of the journal: plain HTTP is classified from the Host header, so www.google.com, which is not in the custom dictionary, is dropped just like the TLS flow to www.marca.com, whereas the ping to www.google.com in Step 3 succeeded because ICMP carries no host name for app-detect to classify:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Show output
Jan 10 15:24:27.297999 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.2M free.
Jan 10 15:24:27.301509 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:27.301561 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:27.307138 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:27.617597 osdx osdx-coredump[95419]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:27.624944 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:28.089495 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:28.153149 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:28.248788 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:28.311213 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:28.400395 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jan 10 15:24:28.471653 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jan 10 15:24:28.563958 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:28.630358 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jan 10 15:24:28.729026 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jan 10 15:24:28.788518 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:28.876724 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:28.935442 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:29.028777 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:29.105648 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:29.208910 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:29.308342 osdx INFO[95468]: FRR daemons did not change
Jan 10 15:24:29.481562 osdx kernel: app-detect: module init
Jan 10 15:24:29.481620 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:29.481635 osdx kernel: app-detect: expression init
Jan 10 15:24:29.481646 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:29.481658 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:29.541505 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:29.830278 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:29.856995 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:29.883450 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:30.180303 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jan 10 15:24:30.295747 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jan 10 15:24:30.443013 osdx file_operation[95665]: using src url: https://www.marca.com dst url: running://index.html
Jan 10 15:24:30.461518 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59776 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461595 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59777 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461610 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59778 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.461620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=49 ID=59779 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.474324 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=59781 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.664650 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59782 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.683543 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59783 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:30.872949 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59784 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.100887 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59785 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.305021 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59786 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:31.964598 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59787 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.136985 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=59788 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.429019 osdx file_operation.py[95665]: Operation aborted by user.
Jan 10 15:24:32.441503 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59789 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.441554 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=59790 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.442922 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jan 10 15:24:32.633620 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 10 15:24:32.811403 osdx file_operation[95685]: using src url: http://www.google.com dst url: running://index.html
Jan 10 15:24:32.887291 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=51098 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.939106 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51099 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.939163 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51100 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941496 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51101 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941518 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51102 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941530 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51103 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941545 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51104 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941553 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51105 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941563 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51106 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941572 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51107 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:32.941580 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51108 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.015579 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51109 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.119623 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=51110 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.255608 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51111 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.355292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=51112 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.628469 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=59791 DF PROTO=TCP SPT=443 DPT=37142 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:33.727492 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51113 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:33.831269 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=51114 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:34.687191 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=47 ID=51115 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:34.792094 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=51116 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:34.801162 osdx file_operation.py[95685]: Operation aborted by user.
Jan 10 15:24:34.814922 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Jan 10 15:24:34.849501 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=51117 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.178 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.178/0.178/0.178/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=49 time=10.2 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.165/10.165/10.165/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  12.0M      0 --:--:-- --:--:-- --:--:-- 13.0M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Jan 10 15:24:39.321084 osdx systemd-journald[24675]: Runtime Journal (/run/log/journal/dd2bda757d8d4ac3988ff4b660081a06) is 2.0M, max 15.3M, 13.2M free.
Jan 10 15:24:39.324999 osdx systemd-journald[24675]: Received client request to rotate journal, rotating.
Jan 10 15:24:39.325056 osdx systemd-journald[24675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd2bda757d8d4ac3988ff4b660081a06.
Jan 10 15:24:39.331005 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 15:24:39.652083 osdx osdx-coredump[95890]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 15:24:39.659548 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 15:24:40.131753 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:40.193670 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 15:24:40.287666 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jan 10 15:24:40.357314 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 15:24:40.456258 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show working'.
Jan 10 15:24:40.523376 osdx INFO[95915]: FRR daemons did not change
Jan 10 15:24:40.541007 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 15:24:40.670995 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:40.696287 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:40.712480 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:40.858252 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 15:24:40.985040 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jan 10 15:24:41.127938 osdx file_operation[96061]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jan 10 15:24:41.151840 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jan 10 15:24:41.290581 osdx OSDxCLI[26131]: User 'admin' entered the configuration menu.
Jan 10 15:24:41.350685 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jan 10 15:24:41.448665 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jan 10 15:24:41.502367 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jan 10 15:24:41.601125 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jan 10 15:24:41.657622 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jan 10 15:24:41.763755 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Jan 10 15:24:41.816278 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jan 10 15:24:41.915586 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jan 10 15:24:41.970862 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jan 10 15:24:42.064114 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jan 10 15:24:42.127593 osdx OSDxCLI[26131]: User 'admin' added a new cfg line: 'show changes'.
Jan 10 15:24:42.260064 osdx INFO[96102]: FRR daemons did not change
Jan 10 15:24:42.445009 osdx kernel: app-detect: module init
Jan 10 15:24:42.445059 osdx kernel: app-detect: registered: sysctl net.appdetect
Jan 10 15:24:42.445073 osdx kernel: app-detect: expression init
Jan 10 15:24:42.445084 osdx kernel: app-detect: appid cache initialized
Jan 10 15:24:42.445095 osdx kernel: app-detect: appid cache changes counter initialized
Jan 10 15:24:42.786208 osdx cfgd[1453]: [26131]Completed change to active configuration
Jan 10 15:24:42.788222 osdx OSDxCLI[26131]: User 'admin' committed the configuration.
Jan 10 15:24:42.806872 osdx OSDxCLI[26131]: User 'admin' left the configuration menu.
Jan 10 15:24:43.050829 osdx file_operation[96175]: using src url: https://www.marca.com dst url: running://index.html
Jan 10 15:24:43.065525 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=43029 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.068999 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43030 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.069018 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43031 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.069034 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43032 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.069042 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=43033 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.085001 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=43034 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.272046 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=43035 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.294122 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43036 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.480570 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=43037 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.710011 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43038 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.900030 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=43039 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:44.581044 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=43040 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:44.732437 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=43041 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:44.990076 osdx file_operation.py[96175]: Operation aborted by user.
Jan 10 15:24:45.003974 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jan 10 15:24:45.005038 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=43042 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:45.005057 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=43043 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
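To treat the journal output above as data instead of reading it by eye, here is an added Python example (not part of the OSDx documentation or product) that parses the kernel policy log lines, counts dropped packets per detected flow, and applies the Step 6 check both as the page's literal regular expression and on the parsed fields. The sample journal is constructed from lines copied from the output above.

```python
import re
from collections import Counter

# Format of the kernel policy log lines in the journal output above (added example, not OSDx code).
LOG_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)\] (?P<action>[A-Z]+) (?P<fields>.*?)"
    r"(?: APPDETECT\[(?P<appdetect>[^\]]*)\])?$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The exact regular expression Step 6 runs against the journal.
STEP6_RE = re.compile(r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]")

# Sample journal built from lines copied from the output above, plus one non-policy line as noise.
SAMPLE_JOURNAL = """\
Jan 10 15:24:43.065525 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=43029 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:43.069042 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=43033 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jan 10 15:24:32.887291 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=142.250.179.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=51098 PROTO=TCP SPT=80 DPT=41028 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jan 10 15:24:45.003974 osdx OSDxCLI[26131]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jan 10 15:24:45.005057 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:36:24:44:65:7b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=43043 DF PROTO=TCP SPT=443 DPT=37550 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
"""

def parse_line(line):
    """Parse one policy log line into a dict; any other journal line yields None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"policy": m["policy"], "action": m["action"]}
    rec.update(FIELD_RE.findall(m["fields"]))  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    rec["flags"] = [t for t in m["fields"].split() if "=" not in t]  # DF, ACK, PSH, FIN
    # APPDETECT[L4:443 ssl-host:www.marca.com] -> {"L4": "443", "ssl-host": "www.marca.com"}
    rec["appdetect"] = dict(t.split(":", 1) for t in (m["appdetect"] or "").split() if ":" in t)
    return rec

def parse_journal(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def detected_host(rec):
    """Host name app-detect attached to the packet, from the ssl-host or http-host detection."""
    return rec["appdetect"].get("ssl-host") or rec["appdetect"].get("http-host")

def dropped_flows(records):
    """Dropped packets per flow: (proto, src:sport, dst:dport, detected host) -> count."""
    return Counter((r["PROTO"], f'{r["SRC"]}:{r["SPT"]}', f'{r["DST"]}:{r["DPT"]}', detected_host(r))
                   for r in records if r["action"] == "DROP")

def step6_regex_met(text):
    """The literal Step 6 check: at least one journal line matches the page's regular expression."""
    return any(STEP6_RE.search(line) for line in text.splitlines())

def step6_expectation_met(records):
    """The same check on parsed fields: a DROP of port-443 traffic detected as ssl-host www.marca.com."""
    return any(r["action"] == "DROP" and r["appdetect"].get("L4") == "443"
               and r["appdetect"].get("ssl-host") == "www.marca.com" for r in records)

if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    for flow, count in dropped_flows(recs).items():
        print(count, "dropped packet(s) for", flow)
    print("step 6 met (regex / parsed):", step6_regex_met(SAMPLE_JOURNAL), step6_expectation_met(recs))
```

The parsed form makes it easy to confirm not only that the expected drop happened but also which other flows the `not app-id engine 128` selector caught, such as the http-host www.google.com flow from the earlier scenario.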