App Id

The following scenarios show how to filter packets based on their app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic whose app-id comes from a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.263 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms

Step 3: Ping hostname teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from www.blog.teldat.com (82.223.148.162): icmp_seq=1 ttl=43 time=23.1 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 23.144/23.144/23.144/0.000 ms

Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0     72      0  0:00:03  0:00:03 --:--:--    72

Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Feb 19 15:07:26.468385 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.2M free.
Feb 19 15:07:26.470278 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:07:26.470359 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:07:26.486202 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:07:27.103610 osdx osdx-coredump[11570]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:07:27.115129 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:07:27.960695 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:28.095924 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:07:28.247077 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:07:28.387674 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:07:28.529461 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Feb 19 15:07:28.652423 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:07:28.775041 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Feb 19 15:07:28.920525 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Feb 19 15:07:29.060480 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:07:29.215201 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:07:29.382452 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:07:29.478525 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:07:29.656393 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:07:29.868137 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:07:30.049270 osdx INFO[11618]: FRR daemons did not change
Feb 19 15:07:30.246264 osdx kernel: app-detect: module init
Feb 19 15:07:30.246386 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:07:30.382267 osdx kernel: app-detect: expression init
Feb 19 15:07:30.382332 osdx kernel: app-detect: appid cache initialized
Feb 19 15:07:30.382356 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:07:30.446257 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:07:31.075921 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:07:31.115622 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:07:31.146207 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:07:31.342607 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 15:07:31.503240 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Feb 19 15:07:31.715476 osdx file_operation[11831]: using src url: https://teldat.es dst url: running://index.html
Feb 19 15:07:33.814943 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=28960 RES=0x00 ACK SYN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.243389 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=63108 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.243851 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=63109 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.246265 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=63110 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.246302 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=63111 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.279868 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=63113 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.280080 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=63114 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:34.785756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=63115 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:35.078269 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=63116 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:35.107034 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0  22637      0 --:--:-- --:--:-- --:--:-- 22837

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Feb 19 15:07:35.255870 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 15:07:35.290272 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=63117 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:35.290387 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=63118 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:35.290423 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=63119 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Feb 19 15:07:35.544674 osdx file_operation[11855]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Feb 19 15:07:35.550303 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=49064 DF PROTO=TCP SPT=80 DPT=54220 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Feb 19 15:07:35.582740 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1064 TOS=0x00 PREC=0x00 TTL=64 ID=49065 DF PROTO=TCP SPT=80 DPT=54220 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Feb 19 15:07:35.586260 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=49066 DF PROTO=TCP SPT=80 DPT=54220 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Feb 19 15:07:35.620167 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
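To make the checks in steps 5 and 7 reproducible outside the test harness, here is an added Python example (not part of the OSDx scenario or product) that parses the APPDETECT tag out of the kernel log lines shown above, groups the logged packets into flows per app-id, and re-runs the steps' regular-expression checks. The log field layout is assumed only from the journal lines on this page; the sample journal lines are copied from the step 7 output, and the same parser applies to the engine-dictionary scenario that follows.

```python
"""Parse the APPDETECT tag written by an OSDx traffic-policy rule with 'log app-id'.

Added example for this page; it is not part of the OSDx scenario or product.
The field layout is assumed only from the journal lines shown on this page.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Kernel log line of a rule with 'log app-id', e.g.
#   "[POL-1] ACCEPT IN=eth0 ... SRC=82.223.148.162 DST=10.215.168.64 ... PROTO=TCP
#    SPT=443 DPT=39116 ... APPDETECT[U:33 ssl-host:teldat.es]"
KERNEL_RE = re.compile(
    r"osdx kernel: \[(?P<rule>[^\]]+)\] (?P<verdict>\S+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?"
    r"APPDETECT\[U:(?P<appid>\d+) (?P<source>[\w-]+):(?P<host>[^\]]+)\]"
)

# The regular expressions the scenario checks in steps 5 and 7, copied from the page.
EXPECTED_CHECKS = [
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]",
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]",
]


@dataclass(frozen=True)
class AppDetect:
    rule: str      # traffic policy rule that logged the packet, e.g. "POL-1"
    verdict: str   # verdict logged by the rule ("ACCEPT" on this page)
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    appid: int     # app-id assigned by app-detect (33 and 34 in the custom dictionary)
    source: str    # detector that learned the host: "ssl-host" or "http-host"
    host: str      # host name or address the detector saw


def parse_line(line):
    """Return an AppDetect record for a kernel line with an APPDETECT tag, else None."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    return AppDetect(m["rule"], m["verdict"], m["src"], m["dst"], m["proto"],
                     int(m["spt"]), int(m["dpt"]), int(m["appid"]),
                     m["source"], m["host"])


def flows_by_appid(lines):
    """Map each app-id to the set of (src, spt, dst, dpt) flows attributed to it."""
    flows = {}
    for rec in filter(None, map(parse_line, lines)):
        flows.setdefault(rec.appid, set()).add((rec.src, rec.spt, rec.dst, rec.dpt))
    return flows


def packets_by_host(lines):
    """Count logged packets per (appid, source, host), i.e. per distinct APPDETECT tag."""
    return dict(Counter((r.appid, r.source, r.host)
                        for r in filter(None, map(parse_line, lines))))


def step_check(lines, pattern):
    """The scenario's own test: does at least one journal line match the expected regex?"""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in lines)


# Journal excerpt copied from the step 7 output above: two lines without an
# APPDETECT tag (ignored by the parser) and two packets for each custom app-id.
SAMPLE_JOURNAL = [
    "Feb 19 15:07:30.246264 osdx kernel: app-detect: module init",
    "Feb 19 15:07:33.814943 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=28960 RES=0x00 ACK SYN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]",
    "Feb 19 15:07:34.243389 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=63108 DF PROTO=TCP SPT=443 DPT=39116 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]",
    "Feb 19 15:07:35.107034 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.",
    "Feb 19 15:07:35.550303 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=49064 DF PROTO=TCP SPT=80 DPT=54220 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]",
    "Feb 19 15:07:35.586260 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=49066 DF PROTO=TCP SPT=80 DPT=54220 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]",
]

if __name__ == "__main__":
    for appid, flows in sorted(flows_by_appid(SAMPLE_JOURNAL).items()):
        print(f"app-id {appid}: {len(flows)} flow(s)")
    for (appid, source, host), n in sorted(packets_by_host(SAMPLE_JOURNAL).items()):
        print(f"  U:{appid} {source}:{host} -> {n} packet(s)")
    for pattern in EXPECTED_CHECKS:
        print("PASS" if step_check(SAMPLE_JOURNAL, pattern) else "FAIL", pattern)
```

Feeding the full `system journal show | cat` output to `step_check` reproduces the scenario's pass/fail verdict, while `flows_by_appid` shows which TCP flows each dictionary entry actually claimed.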

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic whose app-id comes from an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.262 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms

Step 3: Ping hostname www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (216.58.209.68) 56(84) bytes of data.
64 bytes from waw02s06-in-f4.1e100.net (216.58.209.68): icmp_seq=1 ttl=109 time=12.7 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.726/12.726/12.726/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  16.0M      0 --:--:-- --:--:-- --:--:-- 16.2M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19731    0 19731    0     0  29228      0 --:--:-- --:--:-- --:--:-- 29274

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Feb 19 15:07:43.455660 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.3M free.
Feb 19 15:07:43.456420 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:07:43.456489 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:07:43.474575 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:07:44.086959 osdx osdx-coredump[12066]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:07:44.098736 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:07:44.955521 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:45.102999 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:07:45.215845 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:07:45.337243 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:07:45.457756 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Feb 19 15:07:45.575762 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:07:45.733844 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:07:45.859321 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:07:46.028485 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:07:46.172469 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:07:46.353882 osdx INFO[12110]: FRR daemons did not change
Feb 19 15:07:46.384433 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:07:46.810080 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:07:46.859096 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:07:46.916046 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:07:47.194707 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 15:07:47.379058 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Feb 19 15:07:47.652230 osdx file_operation[12276]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Feb 19 15:07:47.699467 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Feb 19 15:07:47.956188 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:48.114540 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Feb 19 15:07:48.258279 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:07:48.383595 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:07:48.593282 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show changes'.
Feb 19 15:07:48.736128 osdx INFO[12293]: FRR daemons did not change
Feb 19 15:07:48.924415 osdx kernel: app-detect: module init
Feb 19 15:07:48.924490 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:07:48.924521 osdx kernel: app-detect: expression init
Feb 19 15:07:48.924541 osdx kernel: app-detect: appid cache initialized
Feb 19 15:07:48.924566 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:07:49.295131 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:07:49.302565 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:07:49.351410 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:07:49.676575 osdx file_operation[12346]: using src url: https://www.google.com dst url: running://index.html
Feb 19 15:07:49.878414 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34806 PROTO=TCP SPT=443 DPT=49594 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880472 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34807 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34808 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880617 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1511 TOS=0x00 PREC=0x00 TTL=112 ID=34809 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.066066 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34811 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068450 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=34812 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068569 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=34813 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068598 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34814 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.180682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=34815 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.182069 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34816 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.345088 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1020 TOS=0x00 PREC=0x00 TTL=112 ID=34817 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.345193 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34818 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348412 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34819 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348466 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34820 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348481 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34821 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348494 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34822 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348507 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34823 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348528 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34824 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348554 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34825 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348568 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34826 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348580 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34827 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352418 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34828 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352451 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34829 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352489 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34830 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352521 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34831 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352562 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34832 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=272 TOS=0x00 PREC=0x00 TTL=112 ID=34833 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.389351 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   336k      0 --:--:-- --:--:-- --:--:--  469k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Show output
Feb 19 15:07:43.455660 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.3M free.
Feb 19 15:07:43.456420 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:07:43.456489 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:07:43.474575 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:07:44.086959 osdx osdx-coredump[12066]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:07:44.098736 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:07:44.955521 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:45.102999 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:07:45.215845 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:07:45.337243 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:07:45.457756 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Feb 19 15:07:45.575762 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:07:45.733844 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:07:45.859321 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:07:46.028485 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:07:46.172469 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:07:46.353882 osdx INFO[12110]: FRR daemons did not change
Feb 19 15:07:46.384433 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:07:46.810080 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:07:46.859096 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:07:46.916046 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:07:47.194707 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 15:07:47.379058 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Feb 19 15:07:47.652230 osdx file_operation[12276]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Feb 19 15:07:47.699467 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Feb 19 15:07:47.956188 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:48.114540 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Feb 19 15:07:48.258279 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:07:48.383595 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:07:48.593282 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show changes'.
Feb 19 15:07:48.736128 osdx INFO[12293]: FRR daemons did not change
Feb 19 15:07:48.924415 osdx kernel: app-detect: module init
Feb 19 15:07:48.924490 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:07:48.924521 osdx kernel: app-detect: expression init
Feb 19 15:07:48.924541 osdx kernel: app-detect: appid cache initialized
Feb 19 15:07:48.924566 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:07:49.295131 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:07:49.302565 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:07:49.351410 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:07:49.676575 osdx file_operation[12346]: using src url: https://www.google.com dst url: running://index.html
Feb 19 15:07:49.878414 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34806 PROTO=TCP SPT=443 DPT=49594 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880472 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34807 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34808 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:49.880617 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1511 TOS=0x00 PREC=0x00 TTL=112 ID=34809 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.066066 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34811 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068450 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=34812 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068569 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=34813 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.068598 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34814 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.180682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=34815 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.182069 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34816 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.345088 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1020 TOS=0x00 PREC=0x00 TTL=112 ID=34817 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.345193 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34818 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348412 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34819 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348466 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34820 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348481 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34821 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348494 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34822 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348507 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34823 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348528 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34824 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348554 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34825 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348568 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34826 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.348580 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34827 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352418 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34828 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352451 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34829 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352489 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34830 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352521 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34831 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352562 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=34832 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.352588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=272 TOS=0x00 PREC=0x00 TTL=112 ID=34833 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:50.389351 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Feb 19 15:07:50.637646 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 15:07:50.868335 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=272 TOS=0x00 PREC=0x00 TTL=112 ID=34834 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:51.035781 osdx file_operation[12368]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Feb 19 15:07:51.040428 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1014 DF PROTO=TCP SPT=80 DPT=47276 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Feb 19 15:07:51.040477 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=1015 DF PROTO=TCP SPT=80 DPT=47276 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Feb 19 15:07:51.040503 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1016 DF PROTO=TCP SPT=80 DPT=47276 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Feb 19 15:07:51.070823 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Feb 19 15:07:51.171901 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34835 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Feb 19 15:07:51.172458 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=34836 PROTO=TCP SPT=443 DPT=49594 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary. The selector combines app-id detected with not app-id custom -1, so the drop rule matches only connections whose application has been identified but is not one of the custom dictionary entries (app-ids 33 and 34 below). Traffic that never receives an app-id, such as the ICMP echo requests in Steps 2 and 3, does not match the rule and is forwarded normally, while the HTTPS connection to www.marca.com and the HTTP connection to www.google.com are dropped and logged with their detected host names.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (151.101.133.50) 56(84) bytes of data.
64 bytes from 151.101.133.50 (151.101.133.50): icmp_seq=1 ttl=49 time=4.87 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.867/4.867/4.867/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
Show output
PING www.google.com (216.58.209.68) 56(84) bytes of data.
64 bytes from waw02s06-in-f4.1e100.net (216.58.209.68): icmp_seq=1 ttl=109 time=6.39 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.394/6.394/6.394/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Feb 19 15:07:58.423035 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.2M free.
Feb 19 15:07:58.426702 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:07:58.426806 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:07:58.439353 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:07:58.969548 osdx osdx-coredump[12581]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:07:58.981175 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:07:59.726682 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:59.836349 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:07:59.977285 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:08:00.103318 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:08:00.244553 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Feb 19 15:08:00.368663 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Feb 19 15:08:00.459929 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:08:00.569613 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Feb 19 15:08:00.674263 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Feb 19 15:08:00.777020 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:08:00.888790 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:08:01.024118 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:08:01.135899 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:08:01.284562 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:08:01.435090 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:08:01.617637 osdx INFO[12630]: FRR daemons did not change
Feb 19 15:08:01.834674 osdx kernel: app-detect: module init
Feb 19 15:08:01.834718 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:08:01.834733 osdx kernel: app-detect: expression init
Feb 19 15:08:01.834763 osdx kernel: app-detect: appid cache initialized
Feb 19 15:08:01.834786 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:08:01.906710 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:08:02.336257 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:08:02.379441 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:08:02.440456 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:08:02.822992 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Feb 19 15:08:02.959106 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Feb 19 15:08:03.159461 osdx file_operation[12831]: using src url: https://www.marca.com dst url: running://index.html
Feb 19 15:08:03.420669 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28187 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426704 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28188 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426769 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28189 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426801 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28190 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426820 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=28191 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.632608 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=28192 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.934199 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28193 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.463681 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28194 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.573623 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28195 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.619080 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28196 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:05.124876 osdx file_operation.py[12831]: Operation aborted by user.
Feb 19 15:08:05.147721 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
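
The journal checks in Step 9 of the match scenario and in Steps 4 and 5 of this scenario each grep the policy log for a single APPDETECT tag. The following Python script is an added example, not part of the original page or of the OSDx product: it parses the [POL-1] kernel entries into fields and then verifies the whole log against the intent of each policy (every hit of the drop rule is a DROP of non-dictionary traffic; every hit of the match rule is an ACCEPT of dictionary traffic) instead of checking one line. It assumes only what the page's logs show, namely that dictionary-matched traffic is tagged U:<app-id> and traffic classified by port alone is tagged L4:<port>; the sample journal lines are constructed by hand in that format, with one deliberately wrong line so the check has something to flag.

```python
import re
from collections import Counter

# Constructed sample of 'system journal show | cat' output in the format of the
# [POL-1] kernel entries on this page. Addresses, ports and IDs mirror the page's
# examples, but these lines were assembled by hand, not captured from a device.
DROP_JOURNAL = "\n".join([
    "Feb 19 15:08:02.822992 osdx OSDxCLI[1988]: User 'admin' executed a new command: "
    "'ping www.marca.com count 1 size 56 timeout 1'.",
    "Feb 19 15:08:03.420669 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28187 DF PROTO=TCP SPT=443 "
    "DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Feb 19 15:08:06.439485 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=216.58.209.68 DST=10.215.168.64 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=80 "
    "DPT=37630 WINDOW=65535 RES=0x00 ACK SYN URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
])
ACCEPT_JOURNAL = "\n".join([
    "Feb 19 15:07:51.040477 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=1015 DF PROTO=TCP SPT=80 "
    "DPT=47276 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    # Constructed fault: a dictionary hit that was dropped. The accept check must flag it.
    "Feb 19 15:07:52.000000 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1016 DF PROTO=TCP SPT=80 "
    "DPT=47276 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
])

# One policy log line. The trailing APPDETECT[...] tag is optional so lines logged
# without an app-id still parse; its first field is the app-id source (U:<app-id>
# for dictionary hits, L4:<port> for port-only classification, as seen on this
# page) and the second, when present, the detector and the host name it saw.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) (?P<node>\S+) kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<action>ACCEPT|DROP) (?P<fields>.*?)"
    r"(?: APPDETECT\[(?P<source>[A-Z0-9]+):(?P<appid>\d+)"
    r"(?: (?P<detector>[\w-]+):(?P<appname>\S+))?\])?$"
)

DICTIONARY_TAG = "U"  # assumption taken from the page's logs, not from product documentation


def parse_journal(text):
    """Return one dict per policy log line; all other journal lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        fields, flags = {}, []
        for token in entry.pop("fields").split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value       # IN=eth0, SRC=..., SPT=443, ...
            else:
                flags.append(token)       # DF, SYN, ACK, PSH, FIN
        entry.update(fields=fields, flags=flags, line=line)
        entries.append(entry)
    return entries


def dictionary_hit(entry):
    """True when the app-id was supplied by the (custom) dictionary."""
    return entry["source"] == DICTIONARY_TAG


def check_drop_policy(entries):
    """Violations of 'action drop' + 'app-id detected' + 'not app-id custom -1'.

    Every logged hit of that rule must be a DROP, must carry an app-id, and the
    app-id must not be a dictionary entry. Returns (reason, line) pairs.
    """
    problems = []
    for e in entries:
        if e["action"] != "DROP":
            problems.append(("rule hit was not dropped", e["line"]))
        elif e["source"] is None:
            problems.append(("dropped without a detected app-id", e["line"]))
        elif dictionary_hit(e):
            problems.append(("dictionary traffic was dropped", e["line"]))
    return problems


def check_accept_policy(entries):
    """Violations of the match scenario: every hit must be an ACCEPT of a dictionary app-id."""
    return [("not an ACCEPT of dictionary traffic", e["line"])
            for e in entries if e["action"] != "ACCEPT" or not dictionary_hit(e)]


def journal_matches(text, pattern):
    """The test the page's 'check if output matches' steps perform: any line matches."""
    regex = re.compile(pattern)
    return any(regex.search(line) for line in text.splitlines())


def summarize(entries):
    """Hit count per (action, detector, host): the first view a reviewer wants."""
    return Counter((e["action"], e["detector"], e["appname"]) for e in entries)


if __name__ == "__main__":
    for name, text, check in (("drop", DROP_JOURNAL, check_drop_policy),
                              ("accept", ACCEPT_JOURNAL, check_accept_policy)):
        entries = parse_journal(text)
        print(name, dict(summarize(entries)), check(entries))
```

Run it against the real output of system journal show | cat by replacing the constructed strings with the captured text; the per-line checks are deliberately stricter than the page's single regular expression, so a rule that drops a dictionary entry, or logs a hit without any app-id, shows up as a violation rather than being hidden by one matching line.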

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Show output
Feb 19 15:07:58.423035 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.2M free.
Feb 19 15:07:58.426702 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:07:58.426806 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:07:58.439353 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:07:58.969548 osdx osdx-coredump[12581]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:07:58.981175 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:07:59.726682 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:07:59.836349 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:07:59.977285 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:08:00.103318 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:08:00.244553 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Feb 19 15:08:00.368663 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Feb 19 15:08:00.459929 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:08:00.569613 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Feb 19 15:08:00.674263 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Feb 19 15:08:00.777020 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:08:00.888790 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:08:01.024118 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:08:01.135899 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:08:01.284562 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:08:01.435090 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:08:01.617637 osdx INFO[12630]: FRR daemons did not change
Feb 19 15:08:01.834674 osdx kernel: app-detect: module init
Feb 19 15:08:01.834718 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:08:01.834733 osdx kernel: app-detect: expression init
Feb 19 15:08:01.834763 osdx kernel: app-detect: appid cache initialized
Feb 19 15:08:01.834786 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:08:01.906710 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:08:02.336257 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:08:02.379441 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:08:02.440456 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:08:02.822992 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Feb 19 15:08:02.959106 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Feb 19 15:08:03.159461 osdx file_operation[12831]: using src url: https://www.marca.com dst url: running://index.html
Feb 19 15:08:03.420669 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28187 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426704 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28188 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426769 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28189 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426801 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28190 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.426820 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=28191 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.632608 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=28192 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:03.934199 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28193 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.463681 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28194 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.573623 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28195 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:04.619080 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28196 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:05.124876 osdx file_operation.py[12831]: Operation aborted by user.
Feb 19 15:08:05.147721 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Feb 19 15:08:05.423707 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 15:08:05.500705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28197 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:05.502689 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28198 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:05.529398 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28199 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:05.693210 osdx file_operation[12851]: using src url: http://www.google.com dst url: running://index.html
Feb 19 15:08:05.767397 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=28200 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:06.439485 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=80 DPT=37630 WINDOW=65535 RES=0x00 ACK SYN URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.446710 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=62591 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.606447 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62592 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.606907 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62593 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.607285 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62594 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.607686 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62595 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.610711 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62596 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.610763 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62597 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.610796 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62598 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.610819 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62599 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.610851 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62600 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:06.614684 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62601 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:07.187746 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=28201 DF PROTO=TCP SPT=443 DPT=41130 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:07.341563 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=62602 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Feb 19 15:08:07.643117 osdx file_operation.py[12851]: Operation aborted by user.
Feb 19 15:08:07.668305 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Feb 19 15:08:07.888765 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=216.58.209.68 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=62603 PROTO=TCP SPT=80 DPT=37630 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.389 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.389/0.389/0.389/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.33.50) 56(84) bytes of data.
64 bytes from 199.232.33.50 (199.232.33.50): icmp_seq=1 ttl=50 time=4.43 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.428/4.428/4.428/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  18.3M      0 --:--:-- --:--:-- --:--:-- 21.6M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
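The policy above logs every dropped packet with its app-id verdict, so the journal is the evidence that only detected traffic outside the engine dictionary is being discarded. The following parser, an added example that is not part of the OSDx documentation or product, turns those `kernel: [POL-1] DROP ... APPDETECT[...]` lines into records, counts drops per detected host, and applies the same kind of regular-expression check used in Step 6. The log format it assumes (`[POLICY-RULE] ACTION key=value ... APPDETECT[L4:port kind:host]`) is taken from the journal output shown on this page; the sample lines are constructed in that format, and the function names are this example's own.

```python
import re
from collections import Counter

# Assumed log layout, copied from the journal output on this page:
#   "... osdx kernel: [POL-1] DROP IN=eth0 OUT= ... APPDETECT[L4:443 ssl-host:www.marca.com]"
_KV = re.compile(r"(\w+)=(\S*)")
_LINE = re.compile(
    r"kernel: \[(?P<policy>[^\]-]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) (?P<fields>.*?)"
    r"(?: APPDETECT\[L4:(?P<l4>\d+) (?P<kind>[\w-]+):(?P<host>\S+)\])?$"
)

# Regular expression from Step 6 of this scenario.
STEP6_PATTERN = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"

# Constructed sample journal, in the same format as the page's output.
SAMPLE_JOURNAL = [
    "Feb 19 15:08:21.126981 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=18983 DF PROTO=TCP SPT=443 DPT=49104 "
    "WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Feb 19 15:08:21.129945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18984 DF PROTO=TCP SPT=443 DPT=49104 "
    "WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Feb 19 15:08:06.439485 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 "
    "SRC=216.58.209.68 DST=10.215.168.64 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=80 DPT=37630 "
    "WINDOW=65535 RES=0x00 ACK SYN URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
    "Feb 19 15:08:20.241914 osdx kernel: app-detect: module init",
    "Feb 19 15:08:23.023958 osdx OSDxCLI[1988]: User 'admin' executed a new command: "
    "'file copy https://www.marca.com running://index.html force'.",
]


def parse_drop_line(line):
    """Parse one policy log line; return None for lines that are not policy verdicts."""
    m = _LINE.search(line.strip())
    if not m:
        return None
    # Flag words such as DF, ACK, PSH have no '=' and are skipped by _KV.
    fields = dict(_KV.findall(m.group("fields")))
    return {
        "policy": m.group("policy"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "l4": int(m.group("l4")) if m.group("l4") else None,
        "kind": m.group("kind"),   # "ssl-host" or "http-host" on this page
        "host": m.group("host"),
    }


def summarize(lines):
    """Count DROP verdicts per (detection kind, host) across a journal."""
    counts = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec and rec["action"] == "DROP" and rec["host"]:
            counts[(rec["kind"], rec["host"])] += 1
    return counts


def journal_matches(lines, pattern=STEP6_PATTERN):
    """Return the journal lines matching the verification regex (Step 6 style)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    for (kind, host), n in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(f"{n:4d} dropped  {kind}:{host}")
    print(f"{len(journal_matches(SAMPLE_JOURNAL))} line(s) match the Step 6 check")
```

Feeding the parser the real output of `system journal show | cat` gives a per-host drop count, which is a more useful sanity check than a single regex match: a host from the engine dictionary appearing in that table would mean the `not app-id engine 128` condition is not matching as intended.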

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Feb 19 15:08:15.429146 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.2M free.
Feb 19 15:08:15.430313 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 15:08:15.430393 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 15:08:15.447770 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 15:08:15.975117 osdx osdx-coredump[13057]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 15:08:15.986521 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 15:08:16.819924 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:08:16.975205 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 15:08:17.103636 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Feb 19 15:08:17.243498 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 15:08:17.379147 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show working'.
Feb 19 15:08:17.486564 osdx INFO[13082]: FRR daemons did not change
Feb 19 15:08:17.517922 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 15:08:17.722625 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:08:17.767702 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:08:17.796426 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:08:18.004700 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 15:08:18.271785 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Feb 19 15:08:18.475000 osdx file_operation[13228]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Feb 19 15:08:18.506761 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Feb 19 15:08:18.674126 osdx OSDxCLI[1988]: User 'admin' entered the configuration menu.
Feb 19 15:08:18.787125 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Feb 19 15:08:18.896552 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Feb 19 15:08:18.997453 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Feb 19 15:08:19.127225 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Feb 19 15:08:19.241532 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Feb 19 15:08:19.378276 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Feb 19 15:08:19.470453 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Feb 19 15:08:19.594371 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Feb 19 15:08:19.696315 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Feb 19 15:08:19.798999 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Feb 19 15:08:19.946694 osdx OSDxCLI[1988]: User 'admin' added a new cfg line: 'show changes'.
Feb 19 15:08:20.087433 osdx INFO[13269]: FRR daemons did not change
Feb 19 15:08:20.241914 osdx kernel: app-detect: module init
Feb 19 15:08:20.241969 osdx kernel: app-detect: registered: sysctl net.appdetect
Feb 19 15:08:20.241991 osdx kernel: app-detect: expression init
Feb 19 15:08:20.242011 osdx kernel: app-detect: appid cache initialized
Feb 19 15:08:20.242031 osdx kernel: app-detect: appid cache changes counter initialized
Feb 19 15:08:20.719400 osdx cfgd[1448]: [1988]Completed change to active configuration
Feb 19 15:08:20.722816 osdx OSDxCLI[1988]: User 'admin' committed the configuration.
Feb 19 15:08:20.752391 osdx OSDxCLI[1988]: User 'admin' left the configuration menu.
Feb 19 15:08:21.054242 osdx file_operation[13342]: using src url: https://www.marca.com dst url: running://index.html
Feb 19 15:08:21.126981 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=18983 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.129945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18984 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.130031 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18985 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.130068 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18986 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.130094 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=18987 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.191787 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=18988 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.485497 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18989 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.501995 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=18990 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:21.601226 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=18991 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:22.011537 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=18992 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:22.028333 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:31:5e:a4:e5:76:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=18993 DF PROTO=TCP SPT=443 DPT=49104 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Feb 19 15:08:22.999591 osdx file_operation.py[13342]: Operation aborted by user.
Feb 19 15:08:23.023958 osdx OSDxCLI[1988]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.