App Id
The following scenarios show how to filter packets based on app-id using traffic selectors.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic whose app-id belongs to a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.295 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
Step 3: Ping teldat.es from DUT0:
admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from teldat.it (82.223.148.162): icmp_seq=1 ttl=43 time=36.0 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.031/36.031/36.031/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   1310      0 --:--:-- --:--:-- --:--:--  1313
Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0   322k      0 --:--:-- --:--:-- --:--:--  412k
Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic whose app-id belongs to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.238 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 3: Ping www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.250.185.4) 56(84) bytes of data.
64 bytes from mad41s11-in-f4.1e100.net (142.250.185.4): icmp_seq=1 ttl=109 time=36.6 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.646/36.646/36.646/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  18.3M      0 --:--:-- --:--:-- --:--:-- 21.6M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17982    0 17982    0     0  62657      0 --:--:-- --:--:-- --:--:-- 62874
Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   335k      0 --:--:-- --:--:-- --:--:--  469k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Mar 18 10:44:32.401652 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1) is 2.0M, max 15.3M, 13.3M free. Mar 18 10:44:32.404317 osdx systemd-journald[1749]: Received client request to rotate journal, rotating. Mar 18 10:44:32.404383 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1. Mar 18 10:44:32.416547 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal clear'. Mar 18 10:44:32.834084 osdx osdx-coredump[50723]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 18 10:44:32.844815 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system coredump delete all'. Mar 18 10:44:33.466581 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu. Mar 18 10:44:33.567908 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 18 10:44:33.682647 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 18 10:44:33.796633 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 18 10:44:33.895224 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'. Mar 18 10:44:33.981963 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 18 10:44:34.098817 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 18 10:44:34.187577 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 18 10:44:34.335447 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 18 10:44:34.443031 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show working'. 
Mar 18 10:44:34.573984 osdx INFO[50767]: FRR daemons did not change Mar 18 10:44:34.604302 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Mar 18 10:44:34.981787 osdx cfgd[1448]: [1989]Completed change to active configuration Mar 18 10:44:35.025722 osdx OSDxCLI[1989]: User 'admin' committed the configuration. Mar 18 10:44:35.052607 osdx OSDxCLI[1989]: User 'admin' left the configuration menu. Mar 18 10:44:35.225871 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Mar 18 10:44:35.378567 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. Mar 18 10:44:35.571926 osdx file_operation[50933]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz Mar 18 10:44:35.598269 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. Mar 18 10:44:35.768520 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu. Mar 18 10:44:35.872044 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. Mar 18 10:44:35.982210 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 18 10:44:36.099246 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 18 10:44:36.209556 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show changes'. 
Mar 18 10:44:36.338923 osdx INFO[50950]: FRR daemons did not change Mar 18 10:44:36.492308 osdx kernel: app-detect: module init Mar 18 10:44:36.492388 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 18 10:44:36.492415 osdx kernel: app-detect: expression init Mar 18 10:44:36.492437 osdx kernel: app-detect: appid cache initialized Mar 18 10:44:36.492459 osdx kernel: app-detect: appid cache changes counter initialized Mar 18 10:44:36.772154 osdx cfgd[1448]: [1989]Completed change to active configuration Mar 18 10:44:36.774617 osdx OSDxCLI[1989]: User 'admin' committed the configuration. Mar 18 10:44:36.798526 osdx OSDxCLI[1989]: User 'admin' left the configuration menu. Mar 18 10:44:37.040983 osdx file_operation[51003]: using src url: https://www.google.com dst url: running://index.html Mar 18 10:44:37.136321 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57537 PROTO=TCP SPT=443 DPT=38792 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.152324 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57538 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.152386 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57539 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.152418 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=112 ID=57540 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.199273 
osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57542 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.199370 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=57543 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.199407 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=57544 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.202777 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57545 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.207229 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57546 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.319355 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=112 ID=57547 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.319456 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57548 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 
ssl-host:www.google.com] Mar 18 10:44:37.319622 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57549 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.319656 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57550 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.319789 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57551 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.321012 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57552 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.321657 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57553 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.322999 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57554 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.323113 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57555 PROTO=TCP SPT=443 DPT=38792 
WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.324994 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57556 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.325039 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=931 TOS=0x00 PREC=0x00 TTL=112 ID=57557 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.326292 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57558 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.326348 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57559 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.326464 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57560 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.327163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=57561 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.328208 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=278 TOS=0x00 
PREC=0x00 TTL=112 ID=57562 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.344314 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57563 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.348328 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57564 PROTO=TCP SPT=443 DPT=38792 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 18 10:44:37.358784 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'. Mar 18 10:44:37.519083 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal show | cat'. Mar 18 10:44:37.786866 osdx file_operation[51025]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html Mar 18 10:44:37.792312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54861 DF PROTO=TCP SPT=80 DPT=34606 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 18 10:44:37.792373 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=54862 DF PROTO=TCP SPT=80 DPT=34606 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 18 10:44:37.792406 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54863 DF PROTO=TCP SPT=80 DPT=34606 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 18 10:44:37.812210 osdx OSDxCLI[1989]: 
User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
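The journal checks on this page (Step 9 here, and the DROP checks of the next scenario) grep the journal for one kernel line with the expected verdict and APPDETECT tag. The following added example, which is neither part of the original page nor OSDx code, parses those kernel lines into structured events so the same check, and a fuller audit, can be scripted: it splits a journal dump into entries (also when the line breaks were lost, as in the dumps reproduced above), extracts verdict, addresses, ports, TCP flags and the detected ssl-host or http-host, and compares every verdict with the custom dictionary from the Step 1 configuration (app-id 33 fqdn teldat, app-id 34 fqdn 10.215.168.1). Two things are assumptions rather than facts from the page: the fqdn matching rule (an entry matches when it equals the observed host or is one of its labels) and the reading of the APPDETECT tag as U:<app-id> for a dictionary hit versus L4:<port> for a port-based fallback. The sample journal lines are copied from this page's output and joined on one line as a constructed input.

```python
"""Parse OSDx traffic-policy kernel log lines that carry APPDETECT tags and audit the
verdicts against a custom app-detect dictionary (added example, not OSDx code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Entries start with "<Mon> <dd> <hh:mm:ss.usec> osdx "; splitting there survives lost line breaks.
ENTRY_START = re.compile(r"(?=\b[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} osdx )")
# Kernel line written by a traffic policy rule configured with "log app-id".
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) osdx kernel: "
    r"\[(?P<rule>[^\]]+)\] (?P<action>ACCEPT|DROP) (?P<fields>.+?) "
    r"APPDETECT\[(?P<appid>[^\s\]]+)(?:\s+(?P<detect>[^\]]+))?\]$"
)
# Custom dictionary from the page's Step 1 configuration (app-id -> fqdn).
CUSTOM_DICTIONARY = {33: "teldat", 34: "10.215.168.1"}

@dataclass
class AppDetectEvent:
    ts: str
    rule: str                 # "POL-1": policy POL, rule 1
    action: str               # ACCEPT or DROP
    src: str
    dst: str
    sport: int
    dport: int
    flags: list               # bare tokens such as DF, ACK, PSH, FIN
    appid: str                # "U:6" or "L4:443" as printed (assumed: U = dictionary app-id, L4 = port fallback)
    host_kind: Optional[str]  # "ssl-host" (TLS SNI) or "http-host" (HTTP Host header)
    host: Optional[str]

def parse_kernel_line(line: str) -> Optional[AppDetectEvent]:
    """Event for an APPDETECT kernel line, None for any other journal entry."""
    m = KERNEL_RE.match(line.strip())
    if not m:
        return None
    kv, flags = {}, []
    for tok in m["fields"].split():   # "KEY=value" pairs and bare flags such as "DF", "ACK"
        if "=" in tok:
            key, _, val = tok.partition("=")
            kv[key] = val
        else:
            flags.append(tok)
    host_kind = host = None
    if m["detect"]:
        host_kind, _, host = m["detect"].partition(":")
    return AppDetectEvent(m["ts"], m["rule"], m["action"], kv.get("SRC", ""), kv.get("DST", ""),
                          int(kv.get("SPT", 0)), int(kv.get("DPT", 0)), flags,
                          m["appid"], host_kind, host)

def parse_journal(text: str) -> list:
    """All APPDETECT events in a 'system journal show' dump, in order."""
    return [ev for ev in map(parse_kernel_line, ENTRY_START.split(text)) if ev is not None]

def verdicts_by_host(events) -> Counter:
    """Number of logged packets per (action, detected host) pair."""
    return Counter((e.action, e.host) for e in events)

def journal_matches(events, action: str, appid: str, host: str) -> bool:
    """The question the page's regex checks ask, e.g. DROP + APPDETECT[L4:443 ssl-host:www.marca.com]."""
    return any(e.action == action and e.appid == appid and e.host == host for e in events)

def in_custom_dictionary(host: str, dictionary=CUSTOM_DICTIONARY) -> bool:
    """Assumption: an fqdn entry matches when it equals the observed host or is one of its
    dot-separated labels ("teldat" matches "teldat.es"); the page does not state the rule."""
    labels = host.split(".")
    return any(fqdn == host or fqdn in labels for fqdn in dictionary.values())

def drop_policy_violations(events, dictionary=CUSTOM_DICTIONARY) -> list:
    """Audit for the 'drop traffic not in a custom dictionary' policy: events whose verdict
    contradicts the dictionary (ACCEPT of an unlisted host, or DROP of a listed one)."""
    bad = []
    for e in events:
        if e.host is None:
            continue
        listed = in_custom_dictionary(e.host, dictionary)
        if (listed and e.action == "DROP") or (not listed and e.action == "ACCEPT"):
            bad.append(e)
    return bad

# Constructed sample: entries copied from this page's journal output (both scenarios plus one
# CLI entry), joined with spaces to mimic a dump that lost its newlines.
_MAC = "MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00"
SAMPLE_JOURNAL = " ".join([
    f"Mar 18 10:44:37.136321 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= {_MAC} SRC=142.250.185.4 "
    "DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=57537 PROTO=TCP SPT=443 DPT=38792 "
    "WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]",
    "Mar 18 10:44:37.358784 osdx OSDxCLI[1989]: User 'admin' executed a new command: "
    "'file copy https://www.google.com running://index.html force'.",
    f"Mar 18 10:44:37.792312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= {_MAC} SRC=10.215.168.1 "
    "DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54861 DF PROTO=TCP SPT=80 DPT=34606 "
    "WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    f"Mar 18 10:44:53.663954 osdx kernel: [POL-1] DROP IN=eth0 OUT= {_MAC} SRC=151.101.133.50 "
    "DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55172 DF PROTO=TCP SPT=443 DPT=56298 "
    "WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    f"Mar 18 10:44:54.213290 osdx kernel: [POL-1] DROP IN=eth0 OUT= {_MAC} SRC=142.250.185.4 "
    "DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=65360 PROTO=TCP SPT=80 DPT=48756 "
    "WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
])
```

To use it on a real device dump, call parse_journal() on the text of system journal show; journal_matches() then answers exactly what the regex checks on this page ask, and drop_policy_violations() is the audit to run after committing the drop policy: any ACCEPT for a host outside the dictionary, or DROP for a host inside it, points at a selector or dictionary mistake. Because the sample mixes lines from both scenarios, the audit flags the ACCEPT of www.google.com, which belongs to this first scenario where that traffic was allowed.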
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (151.101.133.50) 56(84) bytes of data.
64 bytes from 151.101.133.50 (151.101.133.50): icmp_seq=1 ttl=49 time=23.6 ms
--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 23.605/23.605/23.605/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.250.185.4) 56(84) bytes of data.
64 bytes from mad41s11-in-f4.1e100.net (142.250.185.4): icmp_seq=1 ttl=109 time=29.1 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 29.115/29.115/29.115/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Mar 18 10:44:44.384135 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1) is 2.0M, max 15.3M, 13.2M free. Mar 18 10:44:44.387867 osdx systemd-journald[1749]: Received client request to rotate journal, rotating. Mar 18 10:44:44.387982 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1. Mar 18 10:44:44.398635 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal clear'. Mar 18 10:44:44.820508 osdx osdx-coredump[51238]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 18 10:44:44.831034 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system coredump delete all'. Mar 18 10:44:45.466248 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu. Mar 18 10:44:45.560628 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 18 10:44:45.678759 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 18 10:44:45.790234 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 18 10:44:45.878871 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Mar 18 10:44:46.012775 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. Mar 18 10:44:46.097025 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 18 10:44:46.218131 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. Mar 18 10:44:46.311491 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. 
Mar 18 10:44:46.426254 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 18 10:44:46.541911 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 18 10:44:46.635975 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 18 10:44:46.725273 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 18 10:44:46.837631 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 18 10:44:46.963207 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show working'. Mar 18 10:44:47.137698 osdx INFO[51287]: FRR daemons did not change Mar 18 10:44:47.303868 osdx kernel: app-detect: module init Mar 18 10:44:47.303944 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 18 10:44:47.303981 osdx kernel: app-detect: expression init Mar 18 10:44:47.304014 osdx kernel: app-detect: appid cache initialized Mar 18 10:44:47.304049 osdx kernel: app-detect: appid cache changes counter initialized Mar 18 10:44:47.371873 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Mar 18 10:44:47.741066 osdx cfgd[1448]: [1989]Completed change to active configuration Mar 18 10:44:47.784763 osdx OSDxCLI[1989]: User 'admin' committed the configuration. Mar 18 10:44:47.812233 osdx OSDxCLI[1989]: User 'admin' left the configuration menu. Mar 18 10:44:48.299063 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. Mar 18 10:44:48.478534 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. 
Mar 18 10:44:48.652581 osdx file_operation[51485]: using src url: https://www.marca.com dst url: running://index.html Mar 18 10:44:48.716711 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55156 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.717736 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55157 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.717776 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55158 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.717969 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55159 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.717998 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=55160 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.805720 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=55161 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:48.924718 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 
SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55162 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:49.034329 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55163 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:49.161700 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55164 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:49.526520 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55165 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:49.623461 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55166 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:50.505782 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55167 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:50.556583 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55168 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:52.412186 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55169 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:52.424928 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55170 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:53.633101 osdx file_operation.py[51485]: Operation aborted by user. Mar 18 10:44:53.651835 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. Mar 18 10:44:53.663924 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55171 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 18 10:44:53.663954 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55172 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Mar 18 10:44:44.384135 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1) is 2.0M, max 15.3M, 13.2M free. Mar 18 10:44:44.387867 osdx systemd-journald[1749]: Received client request to rotate journal, rotating. Mar 18 10:44:44.387982 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1. Mar 18 10:44:44.398635 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal clear'. Mar 18 10:44:44.820508 osdx osdx-coredump[51238]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 18 10:44:44.831034 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system coredump delete all'. Mar 18 10:44:45.466248 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu. Mar 18 10:44:45.560628 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 18 10:44:45.678759 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 18 10:44:45.790234 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 18 10:44:45.878871 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Mar 18 10:44:46.012775 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. Mar 18 10:44:46.097025 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 18 10:44:46.218131 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. Mar 18 10:44:46.311491 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. 
Mar 18 10:44:46.426254 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 18 10:44:46.541911 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 18 10:44:46.635975 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 18 10:44:46.725273 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 18 10:44:46.837631 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 18 10:44:46.963207 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show working'. Mar 18 10:44:47.137698 osdx INFO[51287]: FRR daemons did not change Mar 18 10:44:47.303868 osdx kernel: app-detect: module init Mar 18 10:44:47.303944 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 18 10:44:47.303981 osdx kernel: app-detect: expression init Mar 18 10:44:47.304014 osdx kernel: app-detect: appid cache initialized Mar 18 10:44:47.304049 osdx kernel: app-detect: appid cache changes counter initialized Mar 18 10:44:47.371873 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Mar 18 10:44:47.741066 osdx cfgd[1448]: [1989]Completed change to active configuration Mar 18 10:44:47.784763 osdx OSDxCLI[1989]: User 'admin' committed the configuration. Mar 18 10:44:47.812233 osdx OSDxCLI[1989]: User 'admin' left the configuration menu. Mar 18 10:44:48.299063 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. Mar 18 10:44:48.478534 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. 
Mar 18 10:44:48.652581 osdx file_operation[51485]: using src url: https://www.marca.com dst url: running://index.html
Mar 18 10:44:48.716711 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55156 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.717736 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55157 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.717776 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55158 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.717969 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55159 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.717998 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=55160 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.805720 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=55161 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:48.924718 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55162 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:49.034329 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55163 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:49.161700 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55164 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:49.526520 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55165 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:49.623461 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55166 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:50.505782 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55167 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:50.556583 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55168 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:52.412186 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55169 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:52.424928 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=55170 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:53.633101 osdx file_operation.py[51485]: Operation aborted by user.
Mar 18 10:44:53.651835 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Mar 18 10:44:53.663924 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55171 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:53.663954 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=55172 DF PROTO=TCP SPT=443 DPT=56298 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:44:53.904279 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 18 10:44:54.156788 osdx file_operation[51505]: using src url: http://www.google.com dst url: running://index.html
Mar 18 10:44:54.213290 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=65360 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.333535 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65361 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.333621 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65362 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.335881 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65363 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.335945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65364 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.335972 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65365 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.339874 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65366 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.339923 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65367 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.339951 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65368 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.343874 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65369 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.343931 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65370 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.391735 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65371 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.444592 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=65372 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.603776 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65373 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:54.644963 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=65374 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:55.068799 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65375 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:55.097991 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=65376 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:56.007979 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65377 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:56.053301 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=65378 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:57.861106 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=65379 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:57.874139 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=65380 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 18 10:44:59.115550 osdx file_operation.py[51505]: Operation aborted by user.
Mar 18 10:44:59.137127 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Mar 18 10:44:59.159867 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=65381 PROTO=TCP SPT=80 DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.238 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (151.101.133.50) 56(84) bytes of data.
64 bytes from 151.101.133.50 (151.101.133.50): icmp_seq=1 ttl=49 time=3.36 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.356/3.356/3.356/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  22.5M      0 --:--:-- --:--:-- --:--:-- 32.5M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]

Mar 18 10:45:05.373815 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1) is 2.0M, max 15.3M, 13.2M free.
Mar 18 10:45:05.376471 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Mar 18 10:45:05.376539 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f51c37f3fd984377bce3ce2f5006d0e1.
Mar 18 10:45:05.387487 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system journal clear'.
Mar 18 10:45:05.818960 osdx osdx-coredump[51713]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 18 10:45:05.829468 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 18 10:45:06.459208 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu.
Mar 18 10:45:06.561620 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 18 10:45:06.677856 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Mar 18 10:45:06.798394 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 18 10:45:06.913276 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show working'.
Mar 18 10:45:07.030490 osdx INFO[51740]: FRR daemons did not change
Mar 18 10:45:07.056466 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 18 10:45:07.243412 osdx cfgd[1448]: [1989]Completed change to active configuration
Mar 18 10:45:07.291238 osdx OSDxCLI[1989]: User 'admin' committed the configuration.
Mar 18 10:45:07.322656 osdx OSDxCLI[1989]: User 'admin' left the configuration menu.
Mar 18 10:45:07.512876 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 18 10:45:07.630160 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Mar 18 10:45:07.807521 osdx file_operation[51886]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Mar 18 10:45:07.833295 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Mar 18 10:45:08.002626 osdx OSDxCLI[1989]: User 'admin' entered the configuration menu.
Mar 18 10:45:08.097772 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Mar 18 10:45:08.213313 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Mar 18 10:45:08.346882 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Mar 18 10:45:08.435974 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Mar 18 10:45:08.553752 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Mar 18 10:45:08.654108 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Mar 18 10:45:08.741234 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Mar 18 10:45:08.835235 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Mar 18 10:45:08.919342 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Mar 18 10:45:09.006409 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Mar 18 10:45:09.106148 osdx OSDxCLI[1989]: User 'admin' added a new cfg line: 'show changes'.
Mar 18 10:45:09.224946 osdx INFO[51927]: FRR daemons did not change
Mar 18 10:45:09.396498 osdx kernel: app-detect: module init
Mar 18 10:45:09.396557 osdx kernel: app-detect: registered: sysctl net.appdetect
Mar 18 10:45:09.396577 osdx kernel: app-detect: expression init
Mar 18 10:45:09.396604 osdx kernel: app-detect: appid cache initialized
Mar 18 10:45:09.396625 osdx kernel: app-detect: appid cache changes counter initialized
Mar 18 10:45:09.830260 osdx cfgd[1448]: [1989]Completed change to active configuration
Mar 18 10:45:09.833501 osdx OSDxCLI[1989]: User 'admin' committed the configuration.
Mar 18 10:45:09.870278 osdx OSDxCLI[1989]: User 'admin' left the configuration menu.
Mar 18 10:45:10.113805 osdx file_operation[52000]: using src url: https://www.marca.com dst url: running://index.html
Mar 18 10:45:10.139034 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=39063 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.141591 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39064 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.141628 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39065 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.141720 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39066 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.142035 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=39067 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.178327 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=39068 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.340500 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=39069 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.399611 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39070 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.549446 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=39071 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.844482 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39072 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:10.993626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=39073 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:11.777016 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39074 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:11.857496 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=39075 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:13.563239 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=39076 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:13.568076 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39077 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:15.098914 osdx file_operation.py[52000]: Operation aborted by user.
Mar 18 10:45:15.117343 osdx OSDxCLI[1989]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Mar 18 10:45:15.144458 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39078 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 18 10:45:15.144493 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39079 DF PROTO=TCP SPT=443 DPT=48428 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
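The kernel records above (this scenario's ssl-host drops and the preceding scenario's http-host drops) are the only evidence that POL rule 1 acted, and the Step 6 regular expression is how the scenario verifies it. The following added example, which is not OSDx code and not part of this documentation, parses those records, tallies dropped packets per detected host and applies the Step 6 expression to a journal sample assembled from records shown on this page; the record layout and field names are assumptions read off that output, not taken from an OSDx specification.

```python
"""Parse OSDx kernel app-detect records and apply this page's Step 6 check.
Added example, not OSDx code; the record layout is assumed from the page's output."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TS_RE = r"[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d\.\d+"  # e.g. "Mar 18 10:45:10.139034"
# "<ts> osdx kernel: [POL-1] DROP KEY=VALUE ... FLAG ... APPDETECT[L4:<port> <kind>:<host>]"
RECORD_RE = re.compile(
    rf"^{TS_RE} \S+ kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<body>.*?)(?: APPDETECT\[L4:(?P<l4>\d+)(?: (?P<kind>[\w-]+):(?P<host>[^\]\s]+))?\])?$"
)
# The expression Step 6 applies to the output of "system journal show | cat".
STEP6_RE = re.compile(r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]")

@dataclass(frozen=True)
class AppDetectRecord:
    policy: str
    rule: int
    action: str               # DROP in every record on this page
    src: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: Tuple[str, ...]    # bare tokens: DF, ACK, PSH, FIN
    l4_port: Optional[int]    # port app-detect classified the flow on
    host_kind: Optional[str]  # "ssl-host" (TLS SNI) or "http-host" (HTTP Host header)
    host: Optional[str]

def split_records(journal: str) -> List[str]:
    """Split at timestamps, so records run together on one line are still handled one by one."""
    return [p.strip() for p in re.split(rf"\s*(?={TS_RE} )", journal) if p.strip()]

def _int(value: Optional[str]) -> Optional[int]:
    return int(value) if value and value.isdigit() else None

def parse_record(record: str) -> Optional[AppDetectRecord]:
    """Parse one policy-rule kernel record; None for any other journal line."""
    m = RECORD_RE.match(record)
    if m is None:
        return None
    tokens = m["body"].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)  # "OUT=" maps to ""
    flags = tuple(t for t in tokens if "=" not in t)
    return AppDetectRecord(
        policy=m["policy"], rule=int(m["rule"]), action=m["action"], src=fields.get("SRC", ""),
        spt=_int(fields.get("SPT")), dpt=_int(fields.get("DPT")), flags=flags,
        l4_port=_int(m["l4"]), host_kind=m["kind"], host=m["host"],
    )

def drop_counts_by_host(journal: str) -> Dict[Tuple[str, str], int]:
    """Dropped packets per detected host: confirms POL rule 1 hit only the flows it should."""
    counts: Counter = Counter()
    for rec in map(parse_record, split_records(journal)):
        if rec and rec.action == "DROP" and rec.host:
            counts[(rec.host_kind, rec.host)] += 1
    return dict(counts)

def step6_check(journal: str) -> bool:
    return any(STEP6_RE.search(rec) for rec in split_records(journal))

# Constructed sample assembled from records shown on this page, not a live capture.
SAMPLE_JOURNAL = (
    "Mar 18 10:45:09.833501 osdx OSDxCLI[1989]: User 'admin' committed the configuration. "
    "Mar 18 10:45:10.139034 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 "
    "SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=39063 DF PROTO=TCP SPT=443 "
    "DPT=48428 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] "
    "Mar 18 10:45:10.141720 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 "
    "SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=39066 DF PROTO=TCP SPT=443 "
    "DPT=48428 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] "
    "Mar 18 10:44:54.213290 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:25:73:ba:99:cd:08:00 "
    "SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=65360 PROTO=TCP SPT=80 "
    "DPT=48756 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]"
)
```

Feeding the full journal from Step 6 into drop_counts_by_host shows at a glance whether anything other than www.marca.com was dropped, which the single regular expression does not tell you.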