App Id
The following scenario shows how to filter packets based on app-id using traffic selectors.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic whose application is classified by a custom app-id dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.191 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.191/0.191/0.191/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=42 time=12.5 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.503/12.503/12.503/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   2086      0 --:--:-- --:--:-- --:--:--  2094
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]

May 26 09:06:55.311221 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.3M free.
May 26 09:06:55.313663 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:06:55.313712 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:06:55.320732 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:06:55.628155 osdx osdx-coredump[13555]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:06:55.635902 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:06:56.115857 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:06:56.184699 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:06:56.280653 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:06:56.339485 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:06:56.446847 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
May 26 09:06:56.502129 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:06:56.608450 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 26 09:06:56.663575 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 26 09:06:56.759261 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:06:56.818546 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:06:56.941428 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:06:57.006782 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:06:57.130448 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:06:57.229052 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:06:57.323686 osdx INFO[13599]: FRR daemons did not change
May 26 09:06:57.525618 osdx kernel: app-detect: module init
May 26 09:06:57.525684 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:06:57.525694 osdx kernel: app-detect: expression init
May 26 09:06:57.525702 osdx kernel: app-detect: appid cache initialized
May 26 09:06:57.525709 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:06:57.573599 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:06:57.950614 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:06:57.979205 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:06:57.998562 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:06:58.166021 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 09:06:58.515190 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
May 26 09:06:58.657903 osdx file_operation[13799]: using src url: https://teldat.es dst url: running://index.html
May 26 09:06:58.708289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27981 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709265 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=27982 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709642 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=27983 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709743 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=27984 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.713187 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1516 TOS=0x00 PREC=0x00 TTL=43 ID=27986 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.748194 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=27988 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.774716 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=27989 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=27990 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793642 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27991 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793652 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27992 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.794533 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0   200k      0 --:--:-- --:--:-- --:--:--  206k
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]

May 26 09:06:55.311221 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.3M free.
May 26 09:06:55.313663 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:06:55.313712 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:06:55.320732 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:06:55.628155 osdx osdx-coredump[13555]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:06:55.635902 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:06:56.115857 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:06:56.184699 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:06:56.280653 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:06:56.339485 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:06:56.446847 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
May 26 09:06:56.502129 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:06:56.608450 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 26 09:06:56.663575 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 26 09:06:56.759261 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:06:56.818546 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:06:56.941428 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:06:57.006782 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:06:57.130448 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:06:57.229052 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:06:57.323686 osdx INFO[13599]: FRR daemons did not change
May 26 09:06:57.525618 osdx kernel: app-detect: module init
May 26 09:06:57.525684 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:06:57.525694 osdx kernel: app-detect: expression init
May 26 09:06:57.525702 osdx kernel: app-detect: appid cache initialized
May 26 09:06:57.525709 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:06:57.573599 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:06:57.950614 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:06:57.979205 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:06:57.998562 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:06:58.166021 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 09:06:58.515190 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
May 26 09:06:58.657903 osdx file_operation[13799]: using src url: https://teldat.es dst url: running://index.html
May 26 09:06:58.708289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27981 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709265 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=27982 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709642 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=27983 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.709743 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=27984 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.713187 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1516 TOS=0x00 PREC=0x00 TTL=43 ID=27986 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.748194 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=27988 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.774716 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=27989 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=27990 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793642 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27991 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.793652 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=27992 DF PROTO=TCP SPT=443 DPT=55278 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 26 09:06:58.794533 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
May 26 09:06:58.902336 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal show | cat'.
May 26 09:06:59.073688 osdx file_operation[13821]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
May 26 09:06:59.081597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8611 DF PROTO=TCP SPT=80 DPT=44328 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 26 09:06:59.081644 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1064 TOS=0x00 PREC=0x00 TTL=64 ID=8612 DF PROTO=TCP SPT=80 DPT=44328 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 26 09:06:59.081654 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8613 DF PROTO=TCP SPT=80 DPT=44328 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 26 09:06:59.095640 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic whose application is classified by an engine-provided app-id dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.183 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.183/0.183/0.183/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.31.147) 56(84) bytes of data.
64 bytes from eq-in-f147.1e100.net (142.251.31.147): icmp_seq=1 ttl=95 time=47.8 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 47.772/47.772/47.772/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  15.0M      0 --:--:-- --:--:-- --:--:-- 16.2M
Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18310    0 18310    0     0  70747      0 --:--:-- --:--:-- --:--:-- 70968
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]

May 26 09:07:04.346256 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.3M free.
May 26 09:07:04.349621 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:07:04.349671 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:07:04.355907 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:07:04.736181 osdx osdx-coredump[14030]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:07:04.745705 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:07:05.239732 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:05.308805 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:07:05.408588 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:07:05.464121 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:07:05.568959 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
May 26 09:07:05.624289 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:07:05.725692 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:07:05.785312 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:07:05.949406 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:07:06.021657 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:07:06.146121 osdx INFO[14070]: FRR daemons did not change
May 26 09:07:06.165642 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:07:06.474541 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:06.508715 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:06.526732 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:06.693984 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 09:07:06.905040 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 26 09:07:07.067068 osdx file_operation[14236]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 26 09:07:07.089947 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 26 09:07:07.237066 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:07.318277 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 26 09:07:07.423721 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:07:07.531593 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:07:07.610213 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show changes'.
May 26 09:07:07.731647 osdx INFO[14253]: FRR daemons did not change
May 26 09:07:07.917622 osdx kernel: app-detect: module init
May 26 09:07:07.917673 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:07:07.917690 osdx kernel: app-detect: expression init
May 26 09:07:07.917702 osdx kernel: app-detect: appid cache initialized
May 26 09:07:07.917712 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:07:08.125400 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:08.127407 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:08.178935 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:08.361619 osdx file_operation[14306]: using src url: https://www.google.com dst url: running://index.html
May 26 09:07:08.517010 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60451 PROTO=TCP SPT=443 DPT=44358 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517087 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60452 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517099 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60453 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517207 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1512 TOS=0x00 PREC=0x00 TTL=110 ID=60454 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565900 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60456 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565974 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=60457 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565989 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=60458 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.569629 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60459 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609078 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1037 TOS=0x00 PREC=0x00 TTL=110 ID=60460 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60461 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609626 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60462 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609672 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60463 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60464 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.610548 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=110 ID=60465 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.611867 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60467 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.611958 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60468 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.614460 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60469 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.614551 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60470 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.617148 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60471 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.617258 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60472 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.618381 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60473 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.618491 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60474 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.620859 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=110 ID=60475 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.625619 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60476 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.644479 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 26 09:07:08.681639 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60477 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.681713 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60478 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   167k      0 --:--:-- --:--:-- --:--:--  187k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
May 26 09:07:04.346256 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.3M free.
May 26 09:07:04.349621 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:07:04.349671 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:07:04.355907 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:07:04.736181 osdx osdx-coredump[14030]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:07:04.745705 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:07:05.239732 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:05.308805 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:07:05.408588 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:07:05.464121 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:07:05.568959 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
May 26 09:07:05.624289 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:07:05.725692 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:07:05.785312 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:07:05.949406 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:07:06.021657 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:07:06.146121 osdx INFO[14070]: FRR daemons did not change
May 26 09:07:06.165642 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:07:06.474541 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:06.508715 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:06.526732 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:06.693984 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 09:07:06.905040 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 26 09:07:07.067068 osdx file_operation[14236]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 26 09:07:07.089947 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 26 09:07:07.237066 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:07.318277 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 26 09:07:07.423721 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:07:07.531593 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:07:07.610213 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show changes'.
May 26 09:07:07.731647 osdx INFO[14253]: FRR daemons did not change
May 26 09:07:07.917622 osdx kernel: app-detect: module init
May 26 09:07:07.917673 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:07:07.917690 osdx kernel: app-detect: expression init
May 26 09:07:07.917702 osdx kernel: app-detect: appid cache initialized
May 26 09:07:07.917712 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:07:08.125400 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:08.127407 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:08.178935 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:08.361619 osdx file_operation[14306]: using src url: https://www.google.com dst url: running://index.html
May 26 09:07:08.517010 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60451 PROTO=TCP SPT=443 DPT=44358 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517087 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60452 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517099 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60453 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.517207 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1512 TOS=0x00 PREC=0x00 TTL=110 ID=60454 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565900 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60456 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565974 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=60457 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.565989 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=60458 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.569629 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60459 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609078 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1037 TOS=0x00 PREC=0x00 TTL=110 ID=60460 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60461 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609626 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60462 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609672 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60463 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.609682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60464 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.610548 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=110 ID=60465 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.611867 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60467 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.611958 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60468 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.614460 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60469 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.614551 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60470 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.617148 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60471 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.617258 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60472 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.618381 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60473 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.618491 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=60474 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.620859 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=110 ID=60475 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.625619 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60476 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.644479 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 26 09:07:08.681639 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60477 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.681713 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=60478 PROTO=TCP SPT=443 DPT=44358 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 26 09:07:08.765865 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal show | cat'.
May 26 09:07:08.985451 osdx file_operation[14328]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
May 26 09:07:08.993625 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20237 DF PROTO=TCP SPT=80 DPT=54104 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 26 09:07:08.993677 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=20238 DF PROTO=TCP SPT=80 DPT=54104 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 26 09:07:08.993690 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20239 DF PROTO=TCP SPT=80 DPT=54104 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 26 09:07:09.010356 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
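The selector above and the positive one used in the "Match Traffic by a custom dictionary" scenario differ only in the `not` in front of `app-id custom -1`, and both require `app-id detected`. The Python below is an added example, not OSDx code: it models that rule evaluation for the hosts exercised on this page, using the custom dictionary from Step 1. Two points are assumptions, marked as such in the code, because the page does not state them: that an `fqdn` entry matches as a substring of the detected host (the only reading under which `teldat` covers `teldat.es`), and that `custom -1` is a wildcard over every custom app-id. Traffic that carries no HTTP Host or TLS SNI, such as the ICMP pings in Steps 2 and 3, never satisfies `app-id detected` and so falls through the rule in either scenario, which is why the ping to www.marca.com succeeds while the HTTPS flow to it is dropped.

```python
"""Model of the app-id selector semantics used by the two scenarios on this page.
Added example, not OSDx code: it reproduces what the page's logs show, and the
two points marked ASSUMPTION are not stated by the page."""

# Custom dictionary 1 from Step 1: custom app-id -> fqdn entry (page values).
CUSTOM_DICT = {33: "teldat", 34: "10.215.168.1"}

# The two policies on this page. negate_custom is the difference between
# "app-id custom -1" (match scenario; rule 1 only logs, and the journal shows
# ACCEPT) and "not app-id custom -1" (drop scenario; rule 1 has action drop).
MATCH_POLICY = {"name": "match custom", "negate_custom": False, "action": "ACCEPT"}
DROP_POLICY = {"name": "drop non-custom", "negate_custom": True, "action": "DROP"}


def custom_app_id(host):
    """Return the custom app-id whose fqdn entry covers `host`, or None.

    ASSUMPTION: an fqdn entry matches as a substring of the detected host;
    that is the only reading under which 'teldat' covers teldat.es."""
    if host is None:
        return None
    for app_id, fqdn in CUSTOM_DICT.items():
        if fqdn in host:
            return app_id
    return None


def selector_matches(host, negate_custom):
    """Evaluate SEL rule 1: every term of the rule must hold (AND).

    'app-id detected'  -> http-host/ssl-host inspection produced a host name.
    'app-id custom -1' -> the flow belongs to some custom app-id
                          (ASSUMPTION: -1 is a wildcard over all custom ids).
    With negate_custom the second term is inverted ('not app-id custom -1')."""
    detected = host is not None
    in_custom = custom_app_id(host) is not None
    custom_term = (not in_custom) if negate_custom else in_custom
    return detected and custom_term


def policy_verdict(host, policy):
    """Verdict POL rule 1 logs for a packet of a flow whose detected host is `host`.

    Returns the rule's action when the selector matches, otherwise 'unmatched'
    (the packet falls through rule 1; the page does not show the policy default)."""
    if selector_matches(host, policy["negate_custom"]):
        return policy["action"]
    return "unmatched"


def scenario_table(policy):
    """Verdicts for the hosts exercised on this page. None stands for traffic
    without any http-host/ssl-host indicator, such as the ICMP pings."""
    hosts = ["teldat.es", "10.215.168.1", "www.google.com", "www.marca.com", None]
    return {h: policy_verdict(h, policy) for h in hosts}


if __name__ == "__main__":
    for pol in (MATCH_POLICY, DROP_POLICY):
        print(pol["name"])
        for host, verdict in scenario_table(pol).items():
            print(f"  {str(host):16} -> {verdict}")
```

Running it prints one table per policy; in the drop table only www.google.com and www.marca.com come out as DROP, matching the `APPDETECT[L4:443 ssl-host:www.marca.com]` and `APPDETECT[L4:80 http-host:www.google.com]` drops checked in Steps 4 and 5, while the two dictionary hosts and the host-less ICMP traffic fall through.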
Step 2: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=21.2 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.180/21.180/21.180/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.31.99) 56(84) bytes of data.
64 bytes from eq-in-f99.1e100.net (142.251.31.99): icmp_seq=1 ttl=95 time=63.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 63.124/63.124/63.124/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
May 26 09:07:14.294391 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.2M free.
May 26 09:07:14.296050 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:07:14.296112 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:07:14.303811 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:07:14.636984 osdx osdx-coredump[14536]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:07:14.644733 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:07:15.155958 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:15.242195 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:07:15.372624 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:07:15.443204 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:07:15.554509 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 26 09:07:15.620810 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 26 09:07:15.727199 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:07:15.811867 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 26 09:07:15.872478 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 26 09:07:15.970956 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:07:16.033316 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:07:16.135299 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:07:16.193714 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:07:16.322157 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:07:16.401857 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:07:16.529113 osdx INFO[14581]: FRR daemons did not change
May 26 09:07:16.712055 osdx kernel: app-detect: module init
May 26 09:07:16.712112 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:07:16.712122 osdx kernel: app-detect: expression init
May 26 09:07:16.712130 osdx kernel: app-detect: appid cache initialized
May 26 09:07:16.712138 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:07:16.768056 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:07:17.085392 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:17.118580 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:17.146485 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:18.316265 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 26 09:07:18.514973 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 26 09:07:18.660615 osdx file_operation[14778]: using src url: https://www.marca.com dst url: running://index.html
May 26 09:07:18.723117 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57499 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.725158 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2684 TOS=0x00 PREC=0x00 TTL=49 ID=57500 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.725257 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=49 ID=57502 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.809303 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=57504 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.932619 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57505 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.145071 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57507 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.544292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57508 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.618099 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57509 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:20.528698 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57510 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:20.568185 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57511 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:22.310446 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57512 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:22.552200 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57513 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:23.655690 osdx file_operation.py[14778]: Operation aborted by user.
May 26 09:07:23.673801 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 26 09:07:23.680051 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57514 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:23.680092 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57515 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
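The journal checks on this page (the ACCEPT regex of Step 9 in the previous scenario and the DROP regexes of Steps 4 and 5 here) are run by eye over a long `system journal show | cat` dump. The Python below is an added example, not OSDx code: it parses the kernel policy lines that `log app-id` produces into structured fields (verdict, netfilter KEY=VALUE fields, TCP/IP flags and the `APPDETECT[app-id source:host]` tag), runs the page's three regular expressions over a few lines copied from the journals above, and counts hits per verdict and host so that it is easy to see what a drop policy actually blocked. The line layout it assumes is only what those journal lines show; no other format is claimed.

```python
"""Parser and checker for the kernel APPDETECT log lines shown on this page.
Added example, not OSDx code: the field layout is only what the journals above
show, and the sample lines below are copied from them."""
import re
from collections import Counter

# Sample journal: three policy hits copied from the page (Steps 9, 4 and 5) plus
# one CLI audit line that the parser must skip.
SAMPLE_JOURNAL = "\n".join([
    "May 26 09:07:08.993625 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20237 DF PROTO=TCP SPT=80 DPT=54104 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    "May 26 09:07:18.723117 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57499 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "May 26 09:07:23.673801 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.",
    "May 26 09:07:24.211979 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=20805 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
])

# The three expectations the page checks with "system journal show | cat".
PAGE_PATTERNS = [
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]",
    r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]",
    r"osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]",
]

# One kernel policy line: timestamp, "[policy-rule] VERDICT", the netfilter
# KEY=VALUE / flag tokens, then the APPDETECT tag with app-id, source and host.
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) osdx kernel: "
    r"\[(?P<rule>[^\]]+)\] (?P<verdict>ACCEPT|DROP) (?P<body>.*?) "
    r"APPDETECT\[(?P<app_id>[^ \]]+) (?P<source>http-host|ssl-host):(?P<host>[^\]]+)\]$"
)


def parse_kernel_line(line):
    """Structured record for one policy log line, or None for any other line."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m["body"].split():
        if "=" in tok:                 # IN=eth0, SRC=..., OUT= (empty value)
            key, value = tok.split("=", 1)
            fields[key] = value
        else:                          # bare TCP/IP flags: DF, ACK, PSH, FIN
            flags.append(tok)
    return {
        "ts": m["ts"], "rule": m["rule"], "verdict": m["verdict"],
        "app_id": m["app_id"], "source": m["source"], "host": m["host"],
        "fields": fields, "flags": flags,
    }


def parse_journal(text):
    """All policy hits in a journal dump, in order; other lines are skipped."""
    return [r for r in map(parse_kernel_line, text.splitlines()) if r]


def check_expectations(text, patterns):
    """Same test as the page's 'check if output matches the following regular
    expressions': each pattern must match at least one journal line."""
    lines = text.splitlines()
    return {p: any(re.search(p, ln) for ln in lines) for p in patterns}


def verdict_summary(text):
    """Count hits per (verdict, detection source, host): a quick way to see which
    hosts a drop policy actually blocked and which it let through."""
    return Counter((r["verdict"], r["source"], r["host"]) for r in parse_journal(text))


if __name__ == "__main__":
    for key, count in verdict_summary(SAMPLE_JOURNAL).items():
        print(key, count)
    for pattern, ok in check_expectations(SAMPLE_JOURNAL, PAGE_PATTERNS).items():
        print("OK  " if ok else "FAIL", pattern)
```

To use it on a real dump, feed the text of `system journal show | cat` to `check_expectations` with the regexes of the step being verified; `verdict_summary` on the same text shows, per host, whether the `ACCEPT` hits of the match scenario and the `DROP` hits of the drop scenario are the ones expected and nothing else was caught by the rule.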
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
May 26 09:07:14.294391 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.2M free.
May 26 09:07:14.296050 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:07:14.296112 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:07:14.303811 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:07:14.636984 osdx osdx-coredump[14536]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:07:14.644733 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:07:15.155958 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:15.242195 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:07:15.372624 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:07:15.443204 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:07:15.554509 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 26 09:07:15.620810 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 26 09:07:15.727199 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:07:15.811867 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 26 09:07:15.872478 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 26 09:07:15.970956 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:07:16.033316 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:07:16.135299 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:07:16.193714 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:07:16.322157 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:07:16.401857 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:07:16.529113 osdx INFO[14581]: FRR daemons did not change
May 26 09:07:16.712055 osdx kernel: app-detect: module init
May 26 09:07:16.712112 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:07:16.712122 osdx kernel: app-detect: expression init
May 26 09:07:16.712130 osdx kernel: app-detect: appid cache initialized
May 26 09:07:16.712138 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:07:16.768056 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:07:17.085392 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:17.118580 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:17.146485 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:18.316265 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 26 09:07:18.514973 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 26 09:07:18.660615 osdx file_operation[14778]: using src url: https://www.marca.com dst url: running://index.html
May 26 09:07:18.723117 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57499 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.725158 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2684 TOS=0x00 PREC=0x00 TTL=49 ID=57500 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.725257 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=49 ID=57502 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.809303 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=57504 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:18.932619 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57505 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.145071 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57507 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.544292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57508 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:19.618099 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57509 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:20.528698 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57510 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:20.568185 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57511 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:22.310446 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=57512 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:22.552200 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=57513 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:23.655690 osdx file_operation.py[14778]: Operation aborted by user.
May 26 09:07:23.673801 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 26 09:07:23.680051 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57514 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:23.680092 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=57515 DF PROTO=TCP SPT=443 DPT=39488 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:23.879935 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal show | cat'.
May 26 09:07:24.090926 osdx file_operation[14798]: using src url: http://www.google.com dst url: running://index.html
May 26 09:07:24.211979 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=20805 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.243912 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20806 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.243981 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20807 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.243997 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20808 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244118 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20809 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244177 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20810 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244308 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20811 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244416 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20812 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244546 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20813 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244643 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20814 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.244753 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20815 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.358810 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20816 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.474465 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=20817 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.614375 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20818 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:24.764594 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=20819 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:25.126621 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20820 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:25.314620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=20821 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:26.150602 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20822 PROTO=TCP SPT=80 DPT=55976
WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 26 09:07:26.417517 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=20823 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 26 09:07:28.198820 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=20824 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 26 09:07:28.672479 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=20825 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 26 09:07:29.049358 osdx file_operation.py[14798]: Operation aborted by user. May 26 09:07:29.065380 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. May 26 09:07:29.128056 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=20826 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.184 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.184/0.184/0.184/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=10.9 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.903/10.903/10.903/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  10.6M      0 --:--:-- --:--:-- --:--:-- 10.8M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
May 26 09:07:34.342640 osdx systemd-journald[1942]: Runtime Journal (/run/log/journal/88574923f45f44e5afdfd869586bf8bf) is 2.0M, max 15.3M, 13.2M free.
May 26 09:07:34.343546 osdx systemd-journald[1942]: Received client request to rotate journal, rotating.
May 26 09:07:34.343583 osdx systemd-journald[1942]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88574923f45f44e5afdfd869586bf8bf.
May 26 09:07:34.352018 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system journal clear'.
May 26 09:07:34.683317 osdx osdx-coredump[14998]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 09:07:34.691083 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 09:07:35.167636 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:35.230775 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 09:07:35.366679 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 26 09:07:35.443102 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 09:07:35.541173 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show working'.
May 26 09:07:35.609012 osdx INFO[15019]: FRR daemons did not change
May 26 09:07:35.631569 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 09:07:35.768848 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:35.796217 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:35.822638 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:35.970461 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 09:07:36.064203 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 26 09:07:36.221227 osdx file_operation[15165]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 26 09:07:36.247843 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 26 09:07:36.389405 osdx OSDxCLI[2181]: User 'admin' entered the configuration menu.
May 26 09:07:36.450636 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 26 09:07:36.552237 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 26 09:07:36.608261 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 26 09:07:36.710420 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 26 09:07:36.796263 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 26 09:07:36.871114 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
May 26 09:07:36.978428 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 26 09:07:37.058614 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 26 09:07:37.160812 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 26 09:07:37.228204 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 26 09:07:37.345068 osdx OSDxCLI[2181]: User 'admin' added a new cfg line: 'show changes'.
May 26 09:07:37.432753 osdx INFO[15206]: FRR daemons did not change
May 26 09:07:37.587557 osdx kernel: app-detect: module init
May 26 09:07:37.587606 osdx kernel: app-detect: registered: sysctl net.appdetect
May 26 09:07:37.587618 osdx kernel: app-detect: expression init
May 26 09:07:37.587632 osdx kernel: app-detect: appid cache initialized
May 26 09:07:37.587642 osdx kernel: app-detect: appid cache changes counter initialized
May 26 09:07:37.920301 osdx cfgd[1647]: [2181]Completed change to active configuration
May 26 09:07:37.922396 osdx OSDxCLI[2181]: User 'admin' committed the configuration.
May 26 09:07:37.939894 osdx OSDxCLI[2181]: User 'admin' left the configuration menu.
May 26 09:07:38.142248 osdx file_operation[15279]: using src url: https://www.marca.com dst url: running://index.html
May 26 09:07:38.225236 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=14526 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.226732 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14527 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.226812 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14528 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.226924 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14529 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.227362 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=14530 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.334835 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=14531 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.439633 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=14532 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.584572 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14533 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.683312 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=14534 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:39.088289 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14535 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:39.162366 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=14536 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:40.111853 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=14537 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:40.134466 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14538 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:42.045255 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=14539 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:42.201901 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=45 ID=14540 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:43.107999 osdx file_operation.py[15279]: Operation aborted by user.
May 26 09:07:43.124781 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 26 09:07:43.163556 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=14541 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:43.163620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=14542 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
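The Step 6 check above only asks whether one regular expression matches somewhere in the journal. When verifying a policy like POL-1 in practice, it is more useful to parse every "[POL-1] DROP ... APPDETECT[...]" line into its fields and see which detected hosts were dropped, from which sources and on which ports. The following Python script is an added example written for this page; it is not OSDx code or part of the product. It parses the kernel policy log lines in the format shown in this scenario (policy tag, verdict, netfilter KEY=VALUE fields, then the APPDETECT suffix with the L4 port and the http-host or ssl-host that was detected), summarizes drops per host, and reproduces the Step 6 regular-expression check. The sample journal lines are copied from this page's output and embedded inline so the script runs offline; the assumption that the detector/host part of the APPDETECT suffix may be absent is the author's, not documented on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Journal entries copied from the scenario output on this page (two ssl-host
# drops, one http-host drop from the earlier scenario) plus two non-kernel
# lines that the parser must skip. Embedded so the script runs offline.
SAMPLE_JOURNAL = """\
May 26 09:07:38.142248 osdx file_operation[15279]: using src url: https://www.marca.com dst url: running://index.html
May 26 09:07:38.225236 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=14526 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:38.226812 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=14528 DF PROTO=TCP SPT=443 DPT=56154 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 26 09:07:24.211979 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2b:c1:3a:0f:81:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=20805 PROTO=TCP SPT=80 DPT=55976 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 26 09:07:43.124781 osdx OSDxCLI[2181]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# The regular expression Step 6 of the scenario checks the journal against.
EXPECTED_PATTERN = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"

# Layout of a policy log line as shown in the scenario: syslog timestamp, node
# name, "kernel:", the [POLICY-RULE] tag, the verdict, the netfilter fields and
# the APPDETECT[L4:<port> <detector>:<host>] suffix. Treating the detector/host
# part as optional is an assumption; every line on this page carries it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<node>\S+) kernel: \[(?P<rule>[^\]]+)\] (?P<verdict>[A-Z]+) "
    r"(?P<fields>.*?) ?APPDETECT\[L4:(?P<l4port>\d+)"
    r"(?: (?P<detector>[a-z-]+):(?P<host>[^\]\s]+))?\]\s*$"
)


@dataclass
class AppDetectEvent:
    timestamp: str
    rule: str            # e.g. "POL-1": policy POL, rule 1
    verdict: str         # e.g. "DROP"
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    l4port: int          # port the detection was made on (L4:<port>)
    detector: Optional[str]   # "ssl-host" or "http-host"
    host: Optional[str]       # the detected host name
    flags: List[str] = field(default_factory=list)   # DF, ACK, PSH, FIN, ...


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None and value.isdigit() else None


def parse_line(line: str) -> Optional[AppDetectEvent]:
    """Return an AppDetectEvent for a policy log line, or None for any other entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kv, flags = {}, []
    for tok in m["fields"].split():
        if "=" in tok:
            k, _, v = tok.partition("=")   # "OUT=" yields an empty value
            kv[k] = v
        else:
            flags.append(tok)              # bare tokens are TCP/IP flags
    return AppDetectEvent(
        timestamp=m["ts"], rule=m["rule"], verdict=m["verdict"],
        src=kv.get("SRC", ""), dst=kv.get("DST", ""), proto=kv.get("PROTO", ""),
        spt=_to_int(kv.get("SPT")), dpt=_to_int(kv.get("DPT")),
        l4port=int(m["l4port"]), detector=m["detector"], host=m["host"],
        flags=flags,
    )


def parse_journal(text: str) -> List[AppDetectEvent]:
    """Parse a journal dump, keeping only the app-detect policy events."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events: List[AppDetectEvent]) -> Counter:
    """Count events per (verdict, detector, host): which hosts the policy acted on."""
    return Counter((ev.verdict, ev.detector or "none", ev.host or "") for ev in events)


def journal_matches(text: str, pattern: str) -> bool:
    """The Step 6 check: does any line of the journal match the regular expression?"""
    return re.search(pattern, text, re.MULTILINE) is not None


if __name__ == "__main__":
    events = parse_journal(SAMPLE_JOURNAL)
    for (verdict, detector, host), count in sorted(summarize(events).items()):
        print(f"{verdict:5} {detector:9} {host:20} {count}")
    print("Step 6 regex matched:", journal_matches(SAMPLE_JOURNAL, EXPECTED_PATTERN))
```

Feed it the real output of system journal show | cat to get a per-host summary instead of a single yes/no; a host that appears under DROP although it is in the loaded dictionary would indicate a dictionary or selector problem (for instance an engine number other than the one given in the not app-id engine selector).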