App Id
The following scenario shows how to filter packets based on app-id using traffic selectors.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic in a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.195 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.195/0.195/0.195/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:
admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from www.blog.teldat.com (82.223.148.162): icmp_seq=1 ttl=43 time=11.7 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.664/11.664/11.664/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   3099      0 --:--:-- --:--:-- --:--:--  3115
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   972    0   972    0     0  30252      0 --:--:-- --:--:-- --:--:-- 30375
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic in an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.204 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (216.58.215.164) 56(84) bytes of data.
64 bytes from mad41s07-in-f4.1e100.net (216.58.215.164): icmp_seq=1 ttl=109 time=5.98 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.975/5.975/5.975/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  16.1M      0 --:--:-- --:--:-- --:--:-- 16.2M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17857    0 17857    0     0  89653      0 --:--:-- --:--:-- --:--:-- 89733
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1089    0  1089    0     0   206k      0 --:--:-- --:--:-- --:--:--  212k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expression:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Note that the journal reproduced below was captured with a dictionary loaded from running://test_dict.gz and a selector rule app-id engine 128, not with the custom dictionary of Step 1; the app-ids it reports (U:30 for 10.215.168.1, U:6 for www.google.com) come from that file. The packets tagged http-host:10.215.168.1 belong to the HTTP transfer of Step 8 and are accepted because the policy rule has no drop action.
Mar 10 10:45:06.343463 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free. Mar 10 10:45:06.345132 osdx systemd-journald[51744]: Received client request to rotate journal, rotating. Mar 10 10:45:06.345193 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6. Mar 10 10:45:06.354700 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system journal clear'. Mar 10 10:45:06.872154 osdx osdx-coredump[56917]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 10 10:45:06.881479 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system coredump delete all'. Mar 10 10:45:07.403606 osdx OSDxCLI[51605]: User 'admin' entered the configuration menu. Mar 10 10:45:07.487100 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 10 10:45:07.579377 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 10 10:45:07.634631 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 10 10:45:07.732825 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'. Mar 10 10:45:07.787236 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 10 10:45:07.887536 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 10 10:45:07.940743 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 10 10:45:08.057718 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 10 10:45:08.139416 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'show working'. 
Mar 10 10:45:08.296215 osdx INFO[56961]: FRR daemons did not change Mar 10 10:45:08.638001 osdx cfgd[1455]: [51605]Completed change to active configuration Mar 10 10:45:08.664610 osdx OSDxCLI[51605]: User 'admin' committed the configuration. Mar 10 10:45:08.680313 osdx OSDxCLI[51605]: User 'admin' left the configuration menu. Mar 10 10:45:08.824485 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Mar 10 10:45:08.930102 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. Mar 10 10:45:09.118106 osdx file_operation[57127]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz Mar 10 10:45:09.143567 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. Mar 10 10:45:09.305935 osdx OSDxCLI[51605]: User 'admin' entered the configuration menu. Mar 10 10:45:09.378506 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. Mar 10 10:45:09.473043 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 10 10:45:09.529422 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 10 10:45:09.632851 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'show changes'. 
Mar 10 10:45:09.708415 osdx INFO[57144]: FRR daemons did not change Mar 10 10:45:09.865126 osdx kernel: app-detect: module init Mar 10 10:45:09.865175 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 10 10:45:09.865189 osdx kernel: app-detect: expression init Mar 10 10:45:09.865205 osdx kernel: app-detect: appid cache initialized Mar 10 10:45:09.865217 osdx kernel: app-detect: appid cache changes counter initialized Mar 10 10:45:10.078666 osdx cfgd[1455]: [51605]Completed change to active configuration Mar 10 10:45:10.080805 osdx OSDxCLI[51605]: User 'admin' committed the configuration. Mar 10 10:45:10.097090 osdx OSDxCLI[51605]: User 'admin' left the configuration menu. Mar 10 10:45:10.310892 osdx file_operation[57197]: using src url: https://www.google.com dst url: running://index.html Mar 10 10:45:10.331487 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=23053 PROTO=TCP SPT=443 DPT=48334 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.355775 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23054 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.355858 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23055 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.357117 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1511 TOS=0x00 PREC=0x00 TTL=112 ID=23056 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 
10:45:10.369117 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=23058 PROTO=TCP SPT=443 DPT=48334 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.369144 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=23059 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.377115 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=23060 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.506524 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=112 ID=23061 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.506633 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23062 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.506685 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23063 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509141 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23064 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK 
PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509223 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23065 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509261 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23066 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509279 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23067 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509297 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23068 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509314 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23069 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509330 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23070 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509347 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23071 
PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.509364 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=960 TOS=0x00 PREC=0x00 TTL=112 ID=23072 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.513129 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23073 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.513181 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23074 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.513204 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=23075 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.513223 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=85 TOS=0x00 PREC=0x00 TTL=112 ID=23076 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.513244 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=91 TOS=0x00 PREC=0x00 TTL=112 ID=23077 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.517131 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 
DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=23078 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.521144 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=23079 PROTO=TCP SPT=443 DPT=48334 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Mar 10 10:45:10.539842 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'. Mar 10 10:45:10.656096 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system journal show | cat'. Mar 10 10:45:10.897796 osdx file_operation[57219]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html Mar 10 10:45:10.905125 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61080 DF PROTO=TCP SPT=80 DPT=45030 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 10 10:45:10.905166 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1308 TOS=0x00 PREC=0x00 TTL=64 ID=61081 DF PROTO=TCP SPT=80 DPT=45030 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 10 10:45:10.905175 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61082 DF PROTO=TCP SPT=80 DPT=45030 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Mar 10 10:45:10.922352 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that app-detect has identified (app-id detected) but that does not match any custom app-id (not app-id custom -1). Both conditions belong to the same selector rule, so packets of a connection whose host has not yet been identified from the TLS SNI (ssl-host) or the HTTP Host header (http-host) are not matched, and are neither dropped nor logged by this rule.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping www.marca.com from DUT0. The ping succeeds even though www.marca.com is not in the dictionary: ICMP carries no SNI or Host header, so app-detect never marks the flow as detected and the drop rule does not apply.
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (151.101.133.50) 56(84) bytes of data.
64 bytes from 151.101.133.50 (151.101.133.50): icmp_seq=1 ttl=49 time=3.51 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.508/3.508/3.508/0.000 ms
Step 3: Ping www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (216.58.215.164) 56(84) bytes of data.
64 bytes from mad41s07-in-f4.1e100.net (216.58.215.164): icmp_seq=1 ttl=109 time=16.7 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.731/16.731/16.731/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expression:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
The journal below also records the command that produced these packets, file copy https://www.marca.com running://index.html force: every reply from 151.101.133.50 is dropped once the TLS SNI has been seen, so the transfer never completes and is finally aborted (Operation aborted by user). Because www.marca.com matches no custom app-id, the APPDETECT tag reports the transport port (L4:443) rather than a dictionary app-id (U:<id>).
Mar 10 10:45:15.350862 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.2M free. Mar 10 10:45:15.353021 osdx systemd-journald[51744]: Received client request to rotate journal, rotating. Mar 10 10:45:15.353085 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6. Mar 10 10:45:15.361860 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system journal clear'. Mar 10 10:45:15.702841 osdx osdx-coredump[57432]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 10 10:45:15.710868 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system coredump delete all'. Mar 10 10:45:16.230910 osdx OSDxCLI[51605]: User 'admin' entered the configuration menu. Mar 10 10:45:16.301989 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 10 10:45:16.413146 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 10 10:45:16.524838 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 10 10:45:16.583562 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Mar 10 10:45:16.689048 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. Mar 10 10:45:16.752500 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 10 10:45:16.868228 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. Mar 10 10:45:16.933966 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. 
Mar 10 10:45:17.046457 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 10 10:45:17.137693 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 10 10:45:17.203141 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 10 10:45:17.300161 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 10 10:45:17.373312 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 10 10:45:17.509881 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'show working'. Mar 10 10:45:17.601831 osdx INFO[57481]: FRR daemons did not change Mar 10 10:45:17.745027 osdx kernel: app-detect: module init Mar 10 10:45:17.745076 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 10 10:45:17.745090 osdx kernel: app-detect: expression init Mar 10 10:45:17.745101 osdx kernel: app-detect: appid cache initialized Mar 10 10:45:17.745113 osdx kernel: app-detect: appid cache changes counter initialized Mar 10 10:45:18.091620 osdx cfgd[1455]: [51605]Completed change to active configuration Mar 10 10:45:18.141328 osdx OSDxCLI[51605]: User 'admin' committed the configuration. Mar 10 10:45:18.180305 osdx OSDxCLI[51605]: User 'admin' left the configuration menu. Mar 10 10:45:18.523819 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. Mar 10 10:45:18.633488 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. 
Mar 10 10:45:18.864542 osdx file_operation[57678]: using src url: https://www.marca.com dst url: running://index.html Mar 10 10:45:18.881032 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34927 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:18.881081 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34928 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:18.881091 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34929 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:18.885016 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=49 ID=34930 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:18.897028 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=34932 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:19.084524 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34933 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:19.105194 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 
DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34934 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:19.292724 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34935 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:19.520961 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34936 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:19.720395 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34937 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:20.351895 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34938 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:20.552478 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34939 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:22.016881 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34940 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:22.216365 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34941 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:23.827097 osdx file_operation.py[57678]: Operation aborted by user. Mar 10 10:45:23.841018 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34942 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:23.841059 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34943 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:23.841996 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
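The checks in Step 9 of the first scenario and in Steps 4 and 5 of this one are regular expressions run over the raw journal. The following Python script is an added example, not part of the OSDx documentation or product: it parses the kernel policy-log lines into fields, reproduces the page's regex check, and then performs the check a practitioner actually wants after deploying the drop policy, namely whether every detected host received the verdict the dictionary implies. The sample journal is constructed from lines copied out of the outputs shown on this page (two ACCEPT lines from the first scenario, two DROP lines from this one, plus a CLI audit line). The substring matching in expected_verdict and the reading of the U:/L4: tags are assumptions and are labelled as such in the comments.

```python
"""Parse OSDx app-detect policy logs and evaluate the journal checks used on this page."""
import re
from collections import defaultdict

# Sample journal, constructed from lines copied out of the outputs on this page.
# Lines 1 and 2 come from the "match" scenario (ACCEPT, U:<app-id>), lines 3 and 4
# from the "drop" scenario (DROP, L4:<port>); the last line is a CLI audit entry
# that a policy-log parser must ignore.
SAMPLE_JOURNAL = """\
Mar 10 10:45:10.905125 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61080 DF PROTO=TCP SPT=80 DPT=45030 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Mar 10 10:45:10.331487 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=23053 PROTO=TCP SPT=443 DPT=48334 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Mar 10 10:45:18.881032 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34927 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 10 10:45:24.293045 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=49713 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 10 10:45:23.841996 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# Shape of one policy log line as it appears on this page:
#   <timestamp> osdx kernel: [<policy>-<rule>] <ACCEPT|DROP> <k=v and flag tokens> APPDETECT[<tag>:<value> <kind>:<host>]
# The page shows <tag>:<value> as U:<n> for hosts present in the loaded dictionary and as
# L4:<port> for hosts that are not. The meaning of the letters is not documented on the
# page (assumption), so both parts are kept as plain strings.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) \S+ kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<verdict>ACCEPT|DROP) (?P<fields>.*?) "
    r"APPDETECT\[(?P<tag>[^:\s\]]+):(?P<value>[^\s\]]+) (?P<kind>ssl-host|http-host):(?P<host>[^\s\]]+)\]$"
)


def parse_line(line):
    """Return a dict for a policy log line, or None for any other journal entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kv, flags = {}, []
    for tok in m["fields"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
        else:
            flags.append(tok)  # bare tokens: DF and the TCP flags (ACK, PSH, FIN, ...)
    return {
        "ts": m["ts"], "policy": m["policy"], "verdict": m["verdict"],
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": flags, "tag": m["tag"], "value": m["value"],
        "kind": m["kind"], "host": m["host"],
    }


def parse_journal(text):
    """All policy log entries in a journal dump, in order; other lines are skipped."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def journal_matches(text, pattern):
    """The page's 'check if output matches the following regular expressions' step."""
    return any(re.search(pattern, line) for line in text.splitlines())


def verdicts_by_host(entries):
    """{(kind, host): set of verdicts}; a host with both ACCEPT and DROP deserves a look."""
    out = defaultdict(set)
    for e in entries:
        out[(e["kind"], e["host"])].add(e["verdict"])
    return dict(out)


def expected_verdict(host, dictionary_fqdns):
    """Verdict the drop-not-in-dictionary policy should give for a detected host.

    Assumption: the page shows 'fqdn teldat' matching teldat.es, so a dictionary entry is
    treated here as a substring of the detected host name; the engine's real matching rule
    is not stated on the page.
    """
    return "ACCEPT" if any(f in host for f in dictionary_fqdns) else "DROP"


def policy_violations(entries, dictionary_fqdns):
    """Entries whose verdict contradicts what the drop-not-in-dictionary policy should do."""
    return [e for e in entries if e["verdict"] != expected_verdict(e["host"], dictionary_fqdns)]


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    for (kind, host), verdicts in sorted(verdicts_by_host(entries).items()):
        print(f"{kind:9} {host:20} {sorted(verdicts)}")
    # Dictionary 1 of this scenario: app-id 33 fqdn teldat, app-id 34 fqdn 10.215.168.1
    for e in policy_violations(entries, ["teldat", "10.215.168.1"]):
        print("unexpected", e["verdict"], "for", e["host"], "at", e["ts"])
```

Running the script prints one line per (kind, host) with the verdicts seen, then flags the www.google.com ACCEPT taken from the first scenario as a verdict the drop policy of this scenario must not produce. What the check cannot see is equally important: connections whose host was never identified are not matched by a selector that requires app-id detected, so they appear in neither the DROP nor the ACCEPT lines of rule 1.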
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expression:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
The new entries at the end of the journal come from file copy http://www.google.com running://index.html force: once the HTTP Host header has been seen, every reply from 216.58.215.164 is dropped and tagged with the transport port (L4:80), since www.google.com matches no custom app-id.
(The journal entries from 10:45:15.350862 to 10:45:23.841996 are identical to the Step 4 output above and are omitted here.) Mar 10 10:45:24.065740 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 10 10:45:24.258745 osdx file_operation[57700]: using src url: http://www.google.com dst url: running://index.html Mar 10 10:45:24.293045 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=49713 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.445024 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49714 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.445089 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49715 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449017 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=112 ID=49716 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449028 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49718 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449045 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49719 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449053 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 
SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49720 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449061 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49721 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449069 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49722 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.449077 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49723 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.477310 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49724 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.497834 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=49725 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.696881 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49726 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:24.716917 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=49727 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:25.124515 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49728 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:25.161058 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=49729 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:25.344228 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34944 DF PROTO=TCP SPT=443 DPT=49788 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:25.996425 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49730 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:26.057178 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=49731 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:27.723392 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=49732 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:27.826834 osdx 
kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=49733 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Mar 10 10:45:29.225281 osdx file_operation.py[57700]: Operation aborted by user. Mar 10 10:45:29.240385 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. Mar 10 10:45:29.265037 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=49734 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.231 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (151.101.133.50) 56(84) bytes of data.
64 bytes from 151.101.133.50 (151.101.133.50): icmp_seq=1 ttl=49 time=4.64 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.641/4.641/4.641/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  11.1M      0 --:--:-- --:--:-- --:--:-- 13.0M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Mar 10 10:45:34.324967 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.2M free. Mar 10 10:45:34.327747 osdx systemd-journald[51744]: Received client request to rotate journal, rotating. Mar 10 10:45:34.327802 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6. Mar 10 10:45:34.336056 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system journal clear'. Mar 10 10:45:34.674243 osdx osdx-coredump[57905]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Mar 10 10:45:34.682039 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'system coredump delete all'. Mar 10 10:45:35.211775 osdx OSDxCLI[51605]: User 'admin' entered the configuration menu. Mar 10 10:45:35.455237 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Mar 10 10:45:35.523978 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Mar 10 10:45:35.632091 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Mar 10 10:45:35.724336 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'show working'. Mar 10 10:45:35.819369 osdx INFO[57930]: FRR daemons did not change Mar 10 10:45:35.990103 osdx cfgd[1455]: [51605]Completed change to active configuration Mar 10 10:45:36.030609 osdx OSDxCLI[51605]: User 'admin' committed the configuration. Mar 10 10:45:36.051539 osdx OSDxCLI[51605]: User 'admin' left the configuration menu. Mar 10 10:45:36.202972 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Mar 10 10:45:36.292036 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. 
Mar 10 10:45:36.483594 osdx file_operation[58076]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz Mar 10 10:45:36.508823 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. Mar 10 10:45:36.645431 osdx OSDxCLI[51605]: User 'admin' entered the configuration menu. Mar 10 10:45:36.705978 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Mar 10 10:45:36.822599 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Mar 10 10:45:36.941291 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Mar 10 10:45:37.011147 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Mar 10 10:45:37.112360 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Mar 10 10:45:37.188575 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'. Mar 10 10:45:37.295150 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Mar 10 10:45:37.371392 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. Mar 10 10:45:37.467256 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Mar 10 10:45:37.566486 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Mar 10 10:45:37.653847 osdx OSDxCLI[51605]: User 'admin' added a new cfg line: 'show changes'. 
Mar 10 10:45:37.823226 osdx INFO[58117]: FRR daemons did not change Mar 10 10:45:37.979734 osdx kernel: app-detect: module init Mar 10 10:45:37.979776 osdx kernel: app-detect: registered: sysctl net.appdetect Mar 10 10:45:37.979785 osdx kernel: app-detect: expression init Mar 10 10:45:37.979793 osdx kernel: app-detect: appid cache initialized Mar 10 10:45:37.979801 osdx kernel: app-detect: appid cache changes counter initialized Mar 10 10:45:38.333148 osdx cfgd[1455]: [51605]Completed change to active configuration Mar 10 10:45:38.335588 osdx OSDxCLI[51605]: User 'admin' committed the configuration. Mar 10 10:45:38.368881 osdx OSDxCLI[51605]: User 'admin' left the configuration menu. Mar 10 10:45:38.609457 osdx file_operation[58190]: using src url: https://www.marca.com dst url: running://index.html Mar 10 10:45:38.645009 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=25245 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.645307 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25246 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.645411 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25247 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.645520 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25248 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 
10:45:38.645558 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=25249 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.692382 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=25250 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.851605 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=25251 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:38.918467 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25252 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:39.071242 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=25253 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:39.365468 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25254 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:39.520023 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=25255 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 
APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:40.261470 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25256 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:40.415333 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=25257 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:42.053827 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25258 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:42.176568 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=25259 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:43.544718 osdx file_operation.py[58190]: Operation aborted by user. Mar 10 10:45:43.562169 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. 
Mar 10 10:45:43.579733 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=25260 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Mar 10 10:45:43.579765 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=25261 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
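The Step 6 check above only asserts that at least one matching line exists. When the same journal is reviewed by hand, or collected from several devices, it helps to turn the kernel policy-log entries into structured records: which policy rule and verdict fired, the flow tuple, and the app-detect tag (L4 port plus the http-host or ssl-host that was learned). The following Python script is an added example, not OSDx code and not part of the original page: it parses entries in the exact format shown in the output above, applies the Step 6 regular expression verbatim, and counts dropped packets per detected host. The sample journal lines are copied from outputs on this page (the www.google.com line is from the earlier custom-dictionary scenario, included to exercise the http-host form); the function names and the field handling are the example's own.

```python
import re
from collections import Counter

# Constructed sample: a few journal entries in the format shown on this page,
# one per line. The www.marca.com lines are from this scenario's output; the
# www.google.com line is from the earlier custom-dictionary scenario and shows
# the http-host variant of the APPDETECT tag.
SAMPLE_JOURNAL = """\
Mar 10 10:45:38.609457 osdx file_operation[58190]: using src url: https://www.marca.com dst url: running://index.html
Mar 10 10:45:38.645009 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=25245 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 10 10:45:38.645307 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=151.101.133.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=25246 DF PROTO=TCP SPT=443 DPT=46322 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Mar 10 10:45:24.293045 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:5f:e8:40:58:52:08:00 SRC=216.58.215.164 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=49713 PROTO=TCP SPT=80 DPT=43866 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Mar 10 10:45:43.562169 osdx OSDxCLI[51605]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# The regular expression from Step 6 of this page, verbatim.
STEP6_PATTERN = re.compile(r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]")

# One kernel policy-log entry: timestamp, "osdx kernel:", "[policy-rule] VERDICT",
# the netfilter-style KEY=VALUE fields, and an optional trailing APPDETECT tag
# (L4 port, then optionally "<kind>:<host>" where kind is http-host or ssl-host).
POLICY_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) osdx kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<verdict>\S+) (?P<fields>.*?)"
    r"(?: APPDETECT\[L4:(?P<l4>\d+)(?: (?P<kind>[\w-]+):(?P<host>[^\]\s]+))?\])?$"
)


def parse_policy_line(line):
    """Parse one journal line; return a dict for policy log entries, else None."""
    m = POLICY_LINE.match(line.rstrip())
    if m is None:
        return None
    kv, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:                 # KEY=VALUE (OUT= carries an empty value)
            k, v = tok.split("=", 1)
            kv[k] = v
        else:                          # bare tokens are flags: DF, ACK, PSH, FIN
            flags.append(tok)
    return {
        "ts": m.group("ts"),
        "policy": m.group("policy"),
        "verdict": m.group("verdict"),
        "in": kv.get("IN"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": flags,
        "l4": int(m.group("l4")) if m.group("l4") else None,
        "host_kind": m.group("kind"),
        "host": m.group("host"),
    }


def step6_matches(journal_text):
    """Number of journal lines that satisfy the Step 6 regular expression."""
    return sum(1 for line in journal_text.splitlines() if STEP6_PATTERN.search(line))


def summarize(journal_text):
    """Count policy log entries per (verdict, host kind, host)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_policy_line(line)
        if rec is not None:
            counts[(rec["verdict"], rec["host_kind"], rec["host"])] += 1
    return counts


if __name__ == "__main__":
    print("Step 6 check:", "PASS" if step6_matches(SAMPLE_JOURNAL) else "FAIL")
    for (verdict, kind, host), n in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(f"{verdict:5} {kind}:{host} -> {n} packet(s)")
```

Two details of the output are worth reading off the parsed records. Every logged packet has IN=eth0 with the remote server as SRC, because the policy is attached with `set system traffic policy in POL` and therefore only sees the inbound direction. And the TCP handshake does not appear at all: the selector requires `app-id detected`, so packets that pass before the ssl-host has been learned from the TLS connection carry no APPDETECT tag and do not match the rule; the first logged packet of each flow is an ACK that arrives once the host is known.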