App Id

The following scenario shows how to filter packets based on app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example shows how to match all traffic that belongs to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.221 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.221/0.221/0.221/0.000 ms

Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=42 time=12.0 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.967/11.967/11.967/0.000 ms

Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   2632      0 --:--:-- --:--:-- --:--:--  2641

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
May 19 17:33:37.310531 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.2M, max 15.3M, 13.1M free.
May 19 17:33:37.313452 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:37.313499 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:37.320189 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:37.649687 osdx osdx-coredump[379163]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:37.657986 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:38.148324 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:38.251551 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:38.314244 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:38.414515 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:38.498818 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
May 19 17:33:38.610973 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:38.720664 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 19 17:33:38.799039 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 19 17:33:38.893573 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:38.952186 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:39.054137 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:39.111881 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:39.225942 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:39.300864 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:39.419861 osdx INFO[379207]: FRR daemons did not change
May 19 17:33:39.589453 osdx kernel: app-detect: module init
May 19 17:33:39.589501 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:39.589512 osdx kernel: app-detect: expression init
May 19 17:33:39.589519 osdx kernel: app-detect: appid cache initialized
May 19 17:33:39.589529 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:39.633464 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:39.938581 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:39.968350 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:39.984849 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:40.168066 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:33:40.585843 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
May 19 17:33:40.744595 osdx file_operation[379404]: using src url: https://teldat.es dst url: running://index.html
May 19 17:33:40.784061 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53688 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785128 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53689 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785225 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53690 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785317 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53691 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785335 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=164 TOS=0x00 PREC=0x00 TTL=43 ID=53692 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.789016 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53693 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.789056 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=53694 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.811997 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=53695 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.837289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=53696 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.852188 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=53697 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.852315 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53698 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.853446 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53699 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.859809 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4352    0  4352    0     0  1535k      0 --:--:-- --:--:-- --:--:-- 2125k

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
May 19 17:33:37.310531 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.2M, max 15.3M, 13.1M free.
May 19 17:33:37.313452 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:37.313499 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:37.320189 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:37.649687 osdx osdx-coredump[379163]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:37.657986 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:38.148324 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:38.251551 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:38.314244 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:38.414515 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:38.498818 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
May 19 17:33:38.610973 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:38.720664 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 19 17:33:38.799039 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 19 17:33:38.893573 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:38.952186 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:39.054137 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:39.111881 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:39.225942 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:39.300864 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:39.419861 osdx INFO[379207]: FRR daemons did not change
May 19 17:33:39.589453 osdx kernel: app-detect: module init
May 19 17:33:39.589501 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:39.589512 osdx kernel: app-detect: expression init
May 19 17:33:39.589519 osdx kernel: app-detect: appid cache initialized
May 19 17:33:39.589529 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:39.633464 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:39.938581 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:39.968350 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:39.984849 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:40.168066 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:33:40.585843 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
May 19 17:33:40.744595 osdx file_operation[379404]: using src url: https://teldat.es dst url: running://index.html
May 19 17:33:40.784061 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53688 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785128 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53689 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785225 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53690 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785317 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53691 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.785335 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=164 TOS=0x00 PREC=0x00 TTL=43 ID=53692 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.789016 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=53693 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.789056 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=53694 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.811997 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=53695 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.837289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=53696 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.852188 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=53697 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.852315 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53698 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.853446 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=53699 DF PROTO=TCP SPT=443 DPT=53924 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
May 19 17:33:40.859809 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
May 19 17:33:40.963350 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal show | cat'.
May 19 17:33:41.158694 osdx file_operation[379426]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
May 19 17:33:41.165482 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27739 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.165523 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=27740 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.165532 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=27741 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.165545 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=27742 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.165553 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=27743 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.169459 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27744 DF PROTO=TCP SPT=80 DPT=56502 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
May 19 17:33:41.179998 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.

Match Traffic by an engine dictionary

Description

This example shows how to match all traffic that belongs to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=11.0 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.027/11.027/11.027/0.000 ms

Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (192.178.156.99) 56(84) bytes of data.
64 bytes from yugrqog-in-f99.1e100.net (192.178.156.99): icmp_seq=1 ttl=94 time=37.2 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.228/37.228/37.228/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  7726k      0 --:--:-- --:--:-- --:--:-- 8322k

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18388    0 18388    0     0  90731      0 --:--:-- --:--:-- --:--:-- 90581

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
May 19 17:33:46.312165 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 17:33:46.312657 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:46.312690 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:46.324316 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:46.679865 osdx osdx-coredump[379632]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:46.689612 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:47.206261 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:47.299675 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:47.372186 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:47.459375 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:47.532216 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
May 19 17:33:47.630037 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:47.690633 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:47.790938 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:47.862207 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:47.956045 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:48.086756 osdx INFO[379672]: FRR daemons did not change
May 19 17:33:48.108667 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:48.429905 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:48.456883 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:48.487859 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:48.709099 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:33:48.941709 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:33:49.083999 osdx file_operation[379838]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 19 17:33:49.112270 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 19 17:33:49.270728 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:49.357603 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 19 17:33:49.411740 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:49.508680 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:49.583827 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show changes'.
May 19 17:33:49.678162 osdx INFO[379855]: FRR daemons did not change
May 19 17:33:49.836694 osdx kernel: app-detect: module init
May 19 17:33:49.836752 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:49.836772 osdx kernel: app-detect: expression init
May 19 17:33:49.836784 osdx kernel: app-detect: appid cache initialized
May 19 17:33:49.836796 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:50.054400 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:50.056283 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:50.078407 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:50.279465 osdx file_operation[379908]: using src url: https://www.google.com dst url: running://index.html
May 19 17:33:50.382687 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31620 PROTO=TCP SPT=443 DPT=46034 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384045 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31621 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384670 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31622 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384706 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31623 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384722 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=184 TOS=0x00 PREC=0x00 TTL=110 ID=31624 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426390 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31625 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426591 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=31626 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426607 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=31627 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.431704 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31628 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.464914 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31629 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.473845 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1036 TOS=0x00 PREC=0x00 TTL=110 ID=31630 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476660 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31631 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31632 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476691 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31633 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476699 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31634 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476707 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31635 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31636 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476743 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31637 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476753 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31638 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476918 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31639 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.477012 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31640 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.478963 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31641 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.479054 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31642 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.480982 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31643 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.481074 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31644 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.482521 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=235 TOS=0x00 PREC=0x00 TTL=110 ID=31645 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.502669 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 19 17:33:50.532674 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31646 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4469    0  4469    0     0  1861k      0 --:--:-- --:--:-- --:--:-- 2182k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Output:
May 19 17:33:46.312165 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 17:33:46.312657 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:46.312690 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:46.324316 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:46.679865 osdx osdx-coredump[379632]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:46.689612 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:47.206261 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:47.299675 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:47.372186 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:47.459375 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:47.532216 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
May 19 17:33:47.630037 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:47.690633 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:47.790938 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:47.862207 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:47.956045 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:48.086756 osdx INFO[379672]: FRR daemons did not change
May 19 17:33:48.108667 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:48.429905 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:48.456883 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:48.487859 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:48.709099 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:33:48.941709 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:33:49.083999 osdx file_operation[379838]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 19 17:33:49.112270 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 19 17:33:49.270728 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:49.357603 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 19 17:33:49.411740 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:49.508680 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:49.583827 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show changes'.
May 19 17:33:49.678162 osdx INFO[379855]: FRR daemons did not change
May 19 17:33:49.836694 osdx kernel: app-detect: module init
May 19 17:33:49.836752 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:49.836772 osdx kernel: app-detect: expression init
May 19 17:33:49.836784 osdx kernel: app-detect: appid cache initialized
May 19 17:33:49.836796 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:50.054400 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:50.056283 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:50.078407 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:50.279465 osdx file_operation[379908]: using src url: https://www.google.com dst url: running://index.html
May 19 17:33:50.382687 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31620 PROTO=TCP SPT=443 DPT=46034 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384045 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31621 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384670 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31622 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384706 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31623 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.384722 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=184 TOS=0x00 PREC=0x00 TTL=110 ID=31624 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426390 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31625 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426591 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=31626 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.426607 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=31627 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.431704 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31628 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.464914 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31629 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.473845 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1036 TOS=0x00 PREC=0x00 TTL=110 ID=31630 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476660 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31631 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31632 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476691 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31633 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476699 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31634 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476707 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31635 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31636 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476743 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31637 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476753 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31638 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.476918 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31639 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.477012 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31640 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.478963 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31641 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.479054 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31642 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.480982 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31643 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.481074 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=31644 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.482521 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=235 TOS=0x00 PREC=0x00 TTL=110 ID=31645 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.502669 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 19 17:33:50.532674 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31646 PROTO=TCP SPT=443 DPT=46034 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.637918 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal show | cat'.
May 19 17:33:50.831845 osdx file_operation[379930]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
May 19 17:33:50.836665 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33952 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.836720 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=33953 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.836738 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=33954 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.836750 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=33955 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.836762 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=345 TOS=0x00 PREC=0x00 TTL=64 ID=33956 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.836774 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33957 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:33:50.851696 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping host www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=4.53 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.532/4.532/4.532/0.000 ms

Step 3: Ping host www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (192.178.156.105) 56(84) bytes of data.
64 bytes from yugrqog-in-f105.1e100.net (192.178.156.105): icmp_seq=1 ttl=95 time=37.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.115/37.115/37.115/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Output:
May 19 17:33:56.317735 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.1M, max 15.3M, 13.1M free.
May 19 17:33:56.321219 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:56.321271 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:56.327245 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:56.644542 osdx osdx-coredump[380138]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:56.653077 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:57.121653 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:57.187352 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:57.285396 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:57.379974 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:57.438502 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 19 17:33:57.546398 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 19 17:33:57.600001 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:57.700554 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 19 17:33:57.768457 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 19 17:33:57.864016 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:57.955517 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:58.016273 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:58.117759 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:58.192882 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:58.346247 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:58.460934 osdx INFO[380183]: FRR daemons did not change
May 19 17:33:58.629220 osdx kernel: app-detect: module init
May 19 17:33:58.629275 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:58.629288 osdx kernel: app-detect: expression init
May 19 17:33:58.629300 osdx kernel: app-detect: appid cache initialized
May 19 17:33:58.629312 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:58.681214 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:59.010242 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:59.037610 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:59.061308 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:59.339160 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 19 17:34:00.431365 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:34:01.110788 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:34:01.266037 osdx file_operation[380383]: using src url: https://www.marca.com dst url: running://index.html
May 19 17:34:01.293806 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=29154 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295546 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29155 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29156 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295752 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29157 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295767 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=29158 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.335088 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=29159 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.488570 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29160 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.557102 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29161 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.697221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29162 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.996189 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29163 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.128626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29164 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.922468 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29165 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.972532 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29166 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:04.626584 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29167 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.258784 osdx file_operation.py[380383]: Operation aborted by user.
May 19 17:34:06.273218 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=29169 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.273274 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=29170 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.274781 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
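
The journal check above, as an added example (not part of the original page or of OSDx tooling): a parser for the `[POL-1] ... APPDETECT[...]` kernel lines that tallies packets per verdict and detected host, and compares the host exactly. The page's expression leaves the dots in `www.marca.com` unescaped, so it also matches other hostnames; the function and field names here are assumptions, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Sample journal text. The first five lines are copied from the outputs on
# this page; the last line is constructed (documentation address, host
# "wwwxmarca.com") to exercise the exact host comparison.
SAMPLE_JOURNAL = r"""
May 19 17:33:50.382687 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31620 PROTO=TCP SPT=443 DPT=46034 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 19 17:33:50.502669 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 19 17:33:50.836665 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33952 DF PROTO=TCP SPT=80 DPT=37620 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 19 17:34:01.293806 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=29154 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295546 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29155 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:07.000000 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=203.0.113.10 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=443 DPT=45900 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:wwwxmarca.com]
""".strip().splitlines()

# The expression from Step 4, exactly as the page gives it.
PAGE_PATTERN = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"

# Layout of a policy log line as it appears in the outputs on this page.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) (?P<node>\S+) kernel: "
    r"\[(?P<prefix>[^\]]+)\] (?P<verdict>[A-Z]+) (?P<fields>.*) "
    r"APPDETECT\[(?P<app_id>\S+) (?P<kind>[a-z0-9-]+):(?P<name>[^\]\s]+)\]$"
)


def parse_line(line):
    """Return a dict for a policy log line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    values, flags = {}, []
    for token in m.group("fields").split():
        key, sep, val = token.partition("=")
        if sep:
            values[key] = val          # KEY=value pairs such as SRC=, LEN=
        else:
            flags.append(token)        # bare tokens such as ACK, PSH, DF
    return {
        "prefix": m.group("prefix"),   # "POL-1" in the page's logs
        "verdict": m.group("verdict"),
        "app_id": m.group("app_id"),   # tag as logged, e.g. "U:6", "L4:443"
        "kind": m.group("kind"),       # "ssl-host" or "http-host"
        "name": m.group("name"),
        "src": values.get("SRC"),
        "length": int(values.get("LEN", "0")),
        "flags": flags,
    }


def parse_journal(lines):
    """Parse every policy log line and skip everything else."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def summarize(records):
    """Packets and bytes per (verdict, app_id, kind, name)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in records:
        key = (rec["verdict"], rec["app_id"], rec["kind"], rec["name"])
        totals[key]["packets"] += 1
        totals[key]["bytes"] += rec["length"]
    return dict(totals)


def seen(records, verdict, app_id, kind, name):
    """Exact-match counterpart of the page's regular-expression check."""
    return any(
        (r["verdict"], r["app_id"], r["kind"], r["name"])
        == (verdict, app_id, kind, name)
        for r in records
    )


def page_regex_hits(lines, pattern=PAGE_PATTERN):
    """True if any raw line matches the page's expression."""
    return any(re.search(pattern, line) for line in lines)


if __name__ == "__main__":
    for key, total in summarize(parse_journal(SAMPLE_JOURNAL)).items():
        print(key, total)
    lookalike = SAMPLE_JOURNAL[-1:]
    print("page regex on lookalike:", page_regex_hits(lookalike))
    print("exact match on lookalike:",
          seen(parse_journal(lookalike), "DROP", "L4:443", "ssl-host", "www.marca.com"))
```

Escaping the dots in the expected host (`www\.marca\.com`) gives the regular-expression check the same strictness.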

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Output:
May 19 17:33:56.317735 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.1M, max 15.3M, 13.1M free.
May 19 17:33:56.321219 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:33:56.321271 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:33:56.327245 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:33:56.644542 osdx osdx-coredump[380138]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:33:56.653077 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:33:57.121653 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:33:57.187352 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:33:57.285396 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:33:57.379974 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:33:57.438502 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 19 17:33:57.546398 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 19 17:33:57.600001 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:33:57.700554 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 19 17:33:57.768457 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 19 17:33:57.864016 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:33:57.955517 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:33:58.016273 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:33:58.117759 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:33:58.192882 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:33:58.346247 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:33:58.460934 osdx INFO[380183]: FRR daemons did not change
May 19 17:33:58.629220 osdx kernel: app-detect: module init
May 19 17:33:58.629275 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:33:58.629288 osdx kernel: app-detect: expression init
May 19 17:33:58.629300 osdx kernel: app-detect: appid cache initialized
May 19 17:33:58.629312 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:33:58.681214 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:33:59.010242 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:33:59.037610 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:33:59.061308 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:33:59.339160 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 19 17:34:00.431365 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:34:01.110788 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 19 17:34:01.266037 osdx file_operation[380383]: using src url: https://www.marca.com dst url: running://index.html
May 19 17:34:01.293806 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=29154 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295546 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29155 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29156 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295752 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29157 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.295767 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=29158 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.335088 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=29159 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.488570 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29160 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.557102 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29161 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.697221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29162 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:01.996189 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29163 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.128626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29164 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.922468 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=29165 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:02.972532 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29166 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:04.626584 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=29167 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.258784 osdx file_operation.py[380383]: Operation aborted by user.
May 19 17:34:06.273218 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=29169 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.273274 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=29170 DF PROTO=TCP SPT=443 DPT=45898 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:06.274781 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 19 17:34:06.471129 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal show | cat'.
May 19 17:34:06.643325 osdx file_operation[380406]: using src url: http://www.google.com dst url: running://index.html
May 19 17:34:06.724649 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=14842 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.765769 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14843 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.765928 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14844 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.766241 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14845 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.766774 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14846 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.767348 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14847 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.768075 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14848 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.769005 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14849 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.773200 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14850 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.773213 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14851 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.777205 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14852 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.847267 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14853 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:06.961908 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=109 ID=14854 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:07.085461 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14855 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:07.205991 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=109 ID=14856 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:07.565356 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14857 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:07.697983 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=109 ID=14858 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:08.549492 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14859 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:08.690352 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=109 ID=14860 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:10.469285 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=109 ID=14861 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:10.642422 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=109 ID=14862 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 19 17:34:11.605348 osdx file_operation.py[380406]: Operation aborted by user.
May 19 17:34:11.623186 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
May 19 17:34:11.661216 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=192.178.156.103 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=14863 PROTO=TCP SPT=80 DPT=38362 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.232 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=4.44 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.442/4.442/4.442/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  7291k      0 --:--:-- --:--:-- --:--:-- 7398k

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
May 19 17:34:16.326848 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.2M free.
May 19 17:34:16.327837 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 17:34:16.327882 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 17:34:16.336849 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:34:16.707281 osdx osdx-coredump[380606]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 17:34:16.715855 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:34:17.261769 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:34:17.336692 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:34:17.440800 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 19 17:34:17.536498 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:34:17.641638 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show working'.
May 19 17:34:17.714287 osdx INFO[380627]: FRR daemons did not change
May 19 17:34:17.735828 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:34:17.867426 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:34:17.900304 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:34:17.917477 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:34:18.088408 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:34:18.205734 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 19 17:34:18.361623 osdx file_operation[380773]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 19 17:34:18.394685 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 19 17:34:18.641270 osdx OSDxCLI[334642]: User 'admin' entered the configuration menu.
May 19 17:34:18.713317 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 19 17:34:18.874615 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 19 17:34:18.934440 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 19 17:34:19.035861 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 19 17:34:19.108756 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 19 17:34:19.226372 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
May 19 17:34:19.282909 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 19 17:34:19.390507 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 19 17:34:19.448843 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 19 17:34:19.553892 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 19 17:34:19.624515 osdx OSDxCLI[334642]: User 'admin' added a new cfg line: 'show changes'.
May 19 17:34:19.743184 osdx INFO[380814]: FRR daemons did not change
May 19 17:34:19.895831 osdx kernel: app-detect: module init
May 19 17:34:19.895882 osdx kernel: app-detect: registered: sysctl net.appdetect
May 19 17:34:19.895895 osdx kernel: app-detect: expression init
May 19 17:34:19.895907 osdx kernel: app-detect: appid cache initialized
May 19 17:34:19.895918 osdx kernel: app-detect: appid cache changes counter initialized
May 19 17:34:20.264816 osdx cfgd[1649]: [334642]Completed change to active configuration
May 19 17:34:20.267037 osdx OSDxCLI[334642]: User 'admin' committed the configuration.
May 19 17:34:20.294272 osdx OSDxCLI[334642]: User 'admin' left the configuration menu.
May 19 17:34:20.505065 osdx file_operation[380888]: using src url: https://www.marca.com dst url: running://index.html
May 19 17:34:20.531831 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34806 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.535085 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34807 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.535146 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34808 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.535279 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34809 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.535291 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=34810 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.571612 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=34811 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.727140 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34812 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.790017 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34813 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:20.935287 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34814 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:21.229862 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34815 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:21.347123 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34816 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:22.117853 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34817 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:22.179206 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34818 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:23.843139 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=34819 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:23.909775 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=34820 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:25.457483 osdx file_operation.py[380888]: Operation aborted by user.
May 19 17:34:25.475832 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34821 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:25.475882 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=34822 DF PROTO=TCP SPT=443 DPT=38160 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 19 17:34:25.476337 osdx OSDxCLI[334642]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
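
The Step 6 regular-expression check, extended into a small journal parser as an added example (not part of the original documentation): it extracts the policy rule, addresses and APPDETECT tag from kernel lines in the format shown above, counts drops per detected host, and reports expected hosts that were never logged as dropped. The sample lines are constructed from that format; the APPDETECT form carrying only `L4:` and the address 192.0.2.10 are assumptions.

```python
import re
from collections import Counter

# Layout follows the "[POL-1] DROP ... APPDETECT[...]" kernel lines in the journal above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ kernel: "
    r"\[(?P<policy>[\w-]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?APPDETECT\[L4:(?P<l4>\d+)(?: (?P<kind>[\w-]+):(?P<host>[^\]\s]+))?\]"
)


def parse_line(line):
    """Return the fields of one policy log line, or None for any other journal line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "spt", "dpt", "l4"):
        rec[key] = int(rec[key])
    return rec


def summarize_drops(lines):
    """Count dropped packets per (policy, rule, detector, host)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["policy"], rec["rule"], rec["kind"], rec["host"])] += 1
    return counts


def missing_expected(lines, expected):
    """Return the (detector, host) pairs from `expected` with no DROP line at all."""
    seen = {(k[2], k[3]) for k in summarize_drops(lines)}
    return [pair for pair in expected if pair not in seen]


def _sample(ts, src, spt, dpt, tag):
    # Constructed line that mirrors the field order of the journal output above.
    return (
        f"May 19 {ts} osdx kernel: [POL-1] DROP IN=eth0 OUT= "
        "MAC=de:ad:be:ef:6c:00:fe:06:ef:05:f2:ea:08:00 "
        f"SRC={src} DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF "
        f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=260 RES=0x00 ACK URGP=0 "
        f"APPDETECT[{tag}]"
    )


# Constructed sample input (not a capture).
SAMPLE = [
    _sample("17:34:20.531831", "199.232.193.50", 443, 38160,
            "L4:443 ssl-host:www.marca.com"),
    _sample("17:34:20.535085", "199.232.193.50", 443, 38160,
            "L4:443 ssl-host:www.marca.com"),
    _sample("17:34:06.724649", "192.178.156.103", 80, 38362,
            "L4:80 http-host:www.google.com"),
    # Assumption: a packet logged before any host was detected carries only L4.
    _sample("17:34:07.000000", "192.0.2.10", 443, 40000, "L4:443"),
    # CLI audit line: mentions the host but is not a kernel policy log entry.
    "May 19 17:34:25.476337 osdx OSDxCLI[334642]: User 'admin' executed a new "
    "command: 'file copy https://www.marca.com running://index.html force'.",
]

if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE).items(), key=str):
        print(n, key)
    print("never dropped:", missing_expected(
        SAMPLE, [("ssl-host", "www.marca.com"), ("ssl-host", "teldat.es")]))
```

Feed it the saved output of `system journal show | cat` line by line; only kernel policy lines are counted, so the CLI audit entries that repeat the hostname do not inflate the result.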