App Id
The following scenarios show how to filter packets based on app-id using traffic selectors: the first uses a custom dictionary, the second an engine dictionary.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic whose application is defined in a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.212 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.212/0.212/0.212/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1

PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from www.teldatsdwan.com (82.223.148.162): icmp_seq=1 ttl=43 time=23.5 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 23.504/23.504/23.504/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   1692      0 --:--:-- --:--:-- --:--:--  1699
Step 5: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Apr 10 15:40:47.278685 osdx systemd-journald[1983]: Runtime Journal (/run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42) is 2.1M, max 15.3M, 13.2M free.
Apr 10 15:40:47.280766 osdx systemd-journald[1983]: Received client request to rotate journal, rotating.
Apr 10 15:40:47.280846 osdx systemd-journald[1983]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42.
Apr 10 15:40:47.289119 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal clear'.
Apr 10 15:40:47.688076 osdx osdx-coredump[23056]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 10 15:40:47.696591 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 10 15:40:48.246094 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu.
Apr 10 15:40:48.353037 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Apr 10 15:40:48.412665 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Apr 10 15:40:48.510170 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Apr 10 15:40:48.571150 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Apr 10 15:40:48.733711 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Apr 10 15:40:48.812867 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Apr 10 15:40:48.905312 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Apr 10 15:40:48.960099 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Apr 10 15:40:49.059047 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Apr 10 15:40:49.122621 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 10 15:40:49.242163 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Apr 10 15:40:49.318315 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 10 15:40:49.422913 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show working'.
Apr 10 15:40:49.515660 osdx ubnt-cfgd[23084]: inactive
Apr 10 15:40:49.596577 osdx INFO[23106]: FRR daemons did not change
Apr 10 15:40:49.784777 osdx kernel: app-detect: module init
Apr 10 15:40:49.784845 osdx kernel: app-detect: registered: sysctl net.appdetect
Apr 10 15:40:49.784860 osdx kernel: app-detect: expression init
Apr 10 15:40:49.784872 osdx kernel: app-detect: appid cache initialized
Apr 10 15:40:49.784885 osdx kernel: app-detect: appid cache changes counter initialized
Apr 10 15:40:49.832763 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 10 15:40:50.157930 osdx cfgd[1673]: [2245]Completed change to active configuration
Apr 10 15:40:50.177094 osdx OSDxCLI[2245]: User 'admin' committed the configuration.
Apr 10 15:40:50.198007 osdx OSDxCLI[2245]: User 'admin' left the configuration menu.
Apr 10 15:40:50.370956 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 10 15:40:50.486344 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Apr 10 15:40:50.637583 osdx file_operation[23350]: using src url: https://teldat.es dst url: running://index.html
Apr 10 15:40:50.704759 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19514 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.708753 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19515 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.708780 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19516 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.708788 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=19517 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.712756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1516 TOS=0x00 PREC=0x00 TTL=43 ID=19519 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.743248 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=19521 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.781718 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=19522 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.805268 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Apr 10 15:40:50.808764 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=19523 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.808791 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19524 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Apr 10 15:40:50.808808 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19525 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0   220k      0 --:--:-- --:--:-- --:--:--  275k
Step 7: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
(The entries up to 15:40:50.808808 repeat the Step 5 output above and are not repeated here.)
Apr 10 15:40:50.904830 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 10 15:40:51.122253 osdx file_operation[23372]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Apr 10 15:40:51.128803 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15761 DF PROTO=TCP SPT=80 DPT=53420 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Apr 10 15:40:51.128858 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1064 TOS=0x00 PREC=0x00 TTL=64 ID=15762 DF PROTO=TCP SPT=80 DPT=53420 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Apr 10 15:40:51.128873 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15763 DF PROTO=TCP SPT=80 DPT=53420 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Apr 10 15:40:51.149822 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic whose application is defined in an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.184 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.184/0.184/0.184/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1

PING www.google.com (142.250.185.4) 56(84) bytes of data.
64 bytes from mad41s11-in-f4.1e100.net (142.250.185.4): icmp_seq=1 ttl=109 time=22.3 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 22.298/22.298/22.298/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  11.4M      0 --:--:-- --:--:-- --:--:-- 13.0M
Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18188    0 18188    0     0   104k      0 --:--:-- --:--:-- --:--:--  105k
Step 7: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Apr 10 15:40:56.303125 osdx systemd-journald[1983]: Runtime Journal (/run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42) is 2.0M, max 15.3M, 13.3M free.
Apr 10 15:40:56.303539 osdx systemd-journald[1983]: Received client request to rotate journal, rotating.
Apr 10 15:40:56.303572 osdx systemd-journald[1983]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42.
Apr 10 15:40:56.313545 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal clear'.
Apr 10 15:40:56.661778 osdx osdx-coredump[23628]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 10 15:40:56.669886 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 10 15:40:57.162977 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu.
Apr 10 15:40:57.224276 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Apr 10 15:40:57.356065 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Apr 10 15:40:57.416955 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Apr 10 15:40:57.539807 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Apr 10 15:40:57.600644 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Apr 10 15:40:57.702297 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 10 15:40:57.760402 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Apr 10 15:40:57.873474 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 10 15:40:57.947667 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show working'.
Apr 10 15:40:58.032899 osdx ubnt-cfgd[23652]: inactive
Apr 10 15:40:58.107724 osdx INFO[23674]: FRR daemons did not change
Apr 10 15:40:58.127243 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 10 15:40:58.404270 osdx cfgd[1673]: [2245]Completed change to active configuration
Apr 10 15:40:58.416235 osdx OSDxCLI[2245]: User 'admin' committed the configuration.
Apr 10 15:40:58.432627 osdx OSDxCLI[2245]: User 'admin' left the configuration menu.
Apr 10 15:40:58.587738 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 10 15:40:58.701425 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Apr 10 15:40:58.835025 osdx file_operation[23884]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Apr 10 15:40:58.859626 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Apr 10 15:40:59.008710 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu.
Apr 10 15:40:59.078460 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Apr 10 15:40:59.180416 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Apr 10 15:40:59.262424 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Apr 10 15:40:59.328895 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show changes'.
Apr 10 15:40:59.437181 osdx ubnt-cfgd[23901]: inactive
Apr 10 15:40:59.522421 osdx INFO[23907]: FRR daemons did not change
Apr 10 15:40:59.671257 osdx kernel: app-detect: module init
Apr 10 15:40:59.671311 osdx kernel: app-detect: registered: sysctl net.appdetect
Apr 10 15:40:59.671325 osdx kernel: app-detect: expression init
Apr 10 15:40:59.671337 osdx kernel: app-detect: appid cache initialized
Apr 10 15:40:59.671348 osdx kernel: app-detect: appid cache changes counter initialized
Apr 10 15:40:59.875709 osdx cfgd[1673]: [2245]Completed change to active configuration
Apr 10 15:40:59.877865 osdx OSDxCLI[2245]: User 'admin' committed the configuration.
Apr 10 15:40:59.896233 osdx OSDxCLI[2245]: User 'admin' left the configuration menu.
Apr 10 15:41:00.094636 osdx file_operation[23960]: using src url: https://www.google.com dst url: running://index.html
Apr 10 15:41:00.169757 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58901 PROTO=TCP SPT=443 DPT=53608 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.189029 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58902 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.189092 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58903 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.189191 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=112 ID=58904 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.200874 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=58906 PROTO=TCP SPT=443 DPT=53608 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.202619 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=58907 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.210588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58908 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.258554 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1038 TOS=0x00 PREC=0x00 TTL=112 ID=58909 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.258678 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58910 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.258801 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58911 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.258912 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58912 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.259027 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58913 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263234 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58914 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263267 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58915 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263276 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58916 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263288 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58917 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263296 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=112 ID=58918 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263304 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58920 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.263312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58921 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.267235 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58922 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.267264 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1363 TOS=0x00 PREC=0x00 TTL=112 ID=58923 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.275252 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58924 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.279249 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58925 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Apr 10 15:41:00.291347 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   392k      0 --:--:-- --:--:-- --:--:--  469k
Step 9: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
(The journal entries captured for this step repeat the Step 7 output above and are not repeated here.)
APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.200874 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=58906 PROTO=TCP SPT=443 DPT=53608 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.202619 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=58907 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.210588 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58908 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.258554 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1038 TOS=0x00 PREC=0x00 TTL=112 ID=58909 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.258678 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58910 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.258801 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58911 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.258912 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58912 PROTO=TCP 
SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.259027 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58913 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263234 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58914 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263267 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58915 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263276 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58916 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263288 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58917 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263296 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=112 ID=58918 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263304 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 
TOS=0x00 PREC=0x00 TTL=112 ID=58920 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.263312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58921 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.267235 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=58922 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.267264 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1363 TOS=0x00 PREC=0x00 TTL=112 ID=58923 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.275252 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58924 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.279249 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=58925 PROTO=TCP SPT=443 DPT=53608 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com] Apr 10 15:41:00.291347 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'. Apr 10 15:41:00.418287 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal show | cat'. 
Apr 10 15:41:00.621191 osdx file_operation[23982]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html Apr 10 15:41:00.627240 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=35884 DF PROTO=TCP SPT=80 DPT=32770 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Apr 10 15:41:00.627282 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=35885 DF PROTO=TCP SPT=80 DPT=32770 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Apr 10 15:41:00.627291 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=35886 DF PROTO=TCP SPT=80 DPT=32770 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1] Apr 10 15:41:00.641742 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.33.50) 56(84) bytes of data.
64 bytes from 199.232.33.50 (199.232.33.50): icmp_seq=1 ttl=50 time=13.2 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 13.224/13.224/13.224/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.250.185.4) 56(84) bytes of data.
64 bytes from mad41s11-in-f4.1e100.net (142.250.185.4): icmp_seq=1 ttl=109 time=11.5 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.496/11.496/11.496/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Apr 10 15:41:05.297738 osdx systemd-journald[1983]: Runtime Journal (/run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42) is 2.1M, max 15.3M, 13.2M free. Apr 10 15:41:05.301649 osdx systemd-journald[1983]: Received client request to rotate journal, rotating. Apr 10 15:41:05.301706 osdx systemd-journald[1983]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42. Apr 10 15:41:05.308546 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal clear'. Apr 10 15:41:05.643075 osdx osdx-coredump[24243]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Apr 10 15:41:05.650890 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system coredump delete all'. Apr 10 15:41:06.238334 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu. Apr 10 15:41:06.318263 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Apr 10 15:41:06.428773 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Apr 10 15:41:06.531085 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Apr 10 15:41:06.644220 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Apr 10 15:41:06.738041 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. Apr 10 15:41:06.803068 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Apr 10 15:41:06.921420 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. Apr 10 15:41:06.992858 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. 
Apr 10 15:41:07.087696 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Apr 10 15:41:07.154181 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Apr 10 15:41:07.260747 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 10 15:41:07.328683 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Apr 10 15:41:07.453518 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 10 15:41:07.534721 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show working'. Apr 10 15:41:07.622770 osdx ubnt-cfgd[24272]: inactive Apr 10 15:41:07.714071 osdx INFO[24294]: FRR daemons did not change Apr 10 15:41:07.897651 osdx kernel: app-detect: module init Apr 10 15:41:07.897692 osdx kernel: app-detect: registered: sysctl net.appdetect Apr 10 15:41:07.897702 osdx kernel: app-detect: expression init Apr 10 15:41:07.897710 osdx kernel: app-detect: appid cache initialized Apr 10 15:41:07.897717 osdx kernel: app-detect: appid cache changes counter initialized Apr 10 15:41:07.945660 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 10 15:41:08.214719 osdx cfgd[1673]: [2245]Completed change to active configuration Apr 10 15:41:08.229312 osdx OSDxCLI[2245]: User 'admin' committed the configuration. Apr 10 15:41:08.247924 osdx OSDxCLI[2245]: User 'admin' left the configuration menu. Apr 10 15:41:08.714289 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. Apr 10 15:41:08.806897 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. 
Apr 10 15:41:08.965048 osdx file_operation[24535]: using src url: https://www.marca.com dst url: running://index.html Apr 10 15:41:09.026132 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49055 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.027942 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49056 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.027983 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49057 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.028123 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=50 ID=49058 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.109337 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=49060 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.231516 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49061 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.349586 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 
DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49062 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.458702 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49063 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.829645 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49064 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.919973 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49065 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:10.795837 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49066 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:10.810032 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49067 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:12.601345 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49068 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:12.709528 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49069 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:13.952334 osdx file_operation.py[24535]: Operation aborted by user. Apr 10 15:41:13.973572 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. Apr 10 15:41:13.989670 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49070 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:13.989735 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49071 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Apr 10 15:41:05.297738 osdx systemd-journald[1983]: Runtime Journal (/run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42) is 2.1M, max 15.3M, 13.2M free. Apr 10 15:41:05.301649 osdx systemd-journald[1983]: Received client request to rotate journal, rotating. Apr 10 15:41:05.301706 osdx systemd-journald[1983]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42. Apr 10 15:41:05.308546 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal clear'. Apr 10 15:41:05.643075 osdx osdx-coredump[24243]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Apr 10 15:41:05.650890 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system coredump delete all'. Apr 10 15:41:06.238334 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu. Apr 10 15:41:06.318263 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Apr 10 15:41:06.428773 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Apr 10 15:41:06.531085 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Apr 10 15:41:06.644220 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Apr 10 15:41:06.738041 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. Apr 10 15:41:06.803068 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Apr 10 15:41:06.921420 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. Apr 10 15:41:06.992858 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. 
Apr 10 15:41:07.087696 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Apr 10 15:41:07.154181 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Apr 10 15:41:07.260747 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 10 15:41:07.328683 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Apr 10 15:41:07.453518 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 10 15:41:07.534721 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show working'. Apr 10 15:41:07.622770 osdx ubnt-cfgd[24272]: inactive Apr 10 15:41:07.714071 osdx INFO[24294]: FRR daemons did not change Apr 10 15:41:07.897651 osdx kernel: app-detect: module init Apr 10 15:41:07.897692 osdx kernel: app-detect: registered: sysctl net.appdetect Apr 10 15:41:07.897702 osdx kernel: app-detect: expression init Apr 10 15:41:07.897710 osdx kernel: app-detect: appid cache initialized Apr 10 15:41:07.897717 osdx kernel: app-detect: appid cache changes counter initialized Apr 10 15:41:07.945660 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 10 15:41:08.214719 osdx cfgd[1673]: [2245]Completed change to active configuration Apr 10 15:41:08.229312 osdx OSDxCLI[2245]: User 'admin' committed the configuration. Apr 10 15:41:08.247924 osdx OSDxCLI[2245]: User 'admin' left the configuration menu. Apr 10 15:41:08.714289 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. Apr 10 15:41:08.806897 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. 
Apr 10 15:41:08.965048 osdx file_operation[24535]: using src url: https://www.marca.com dst url: running://index.html Apr 10 15:41:09.026132 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49055 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.027942 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49056 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.027983 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49057 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.028123 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=50 ID=49058 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.109337 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=49060 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.231516 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49061 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.349586 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 
DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49062 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.458702 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49063 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.829645 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49064 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:09.919973 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49065 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:10.795837 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49066 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:10.810032 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49067 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:12.601345 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=49068 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Apr 10 15:41:12.709528 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=49069 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:13.952334 osdx file_operation.py[24535]: Operation aborted by user.
Apr 10 15:41:13.973572 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Apr 10 15:41:13.989670 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49070 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:13.989735 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=49071 DF PROTO=TCP SPT=443 DPT=34644 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:14.187319 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 10 15:41:14.391228 osdx file_operation[24557]: using src url: http://www.google.com dst url: running://index.html
Apr 10 15:41:14.445663 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=11402 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.495275 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11403 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.495341 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11404 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.495358 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11405 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497657 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11406 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497691 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11407 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497700 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11408 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497709 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11409 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497717 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11410 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497725 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11411 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.497739 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11412 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.572952 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11413 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.658967 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=11414 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.813446 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11415 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:14.881775 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=11416 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:15.284987 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11417 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:15.332477 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=11418 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:16.219049 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=11419 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:16.228776 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11420 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:18.016287 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=11421 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:18.148757 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=112 ID=11422 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:19.389908 osdx file_operation.py[24557]: Operation aborted by user.
Apr 10 15:41:19.406631 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Apr 10 15:41:19.445694 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=11423 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all detected traffic that does not belong to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.183 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.183/0.183/0.183/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.33.50) 56(84) bytes of data.
64 bytes from 199.232.33.50 (199.232.33.50): icmp_seq=1 ttl=50 time=17.6 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.641/17.641/17.641/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  19.0M      0 --:--:-- --:--:-- --:--:-- 21.6M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Apr 10 15:41:24.334844 osdx systemd-journald[1983]: Runtime Journal (/run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42) is 2.0M, max 15.3M, 13.2M free.
Apr 10 15:41:24.337982 osdx systemd-journald[1983]: Received client request to rotate journal, rotating.
Apr 10 15:41:24.338036 osdx systemd-journald[1983]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1b38a2acfb83465bb2abfbc9ee1b5d42.
Apr 10 15:41:24.345776 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system journal clear'.
Apr 10 15:41:24.675258 osdx osdx-coredump[24808]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 10 15:41:24.683026 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 10 15:41:25.138058 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu.
Apr 10 15:41:25.201298 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 10 15:41:25.300920 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Apr 10 15:41:25.374061 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 10 15:41:25.470670 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show working'.
Apr 10 15:41:25.534667 osdx ubnt-cfgd[24827]: inactive
Apr 10 15:41:25.618505 osdx INFO[24835]: FRR daemons did not change
Apr 10 15:41:25.637991 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 10 15:41:25.741347 osdx cfgd[1673]: [2245]Completed change to active configuration
Apr 10 15:41:25.752577 osdx OSDxCLI[2245]: User 'admin' committed the configuration.
Apr 10 15:41:25.770213 osdx OSDxCLI[2245]: User 'admin' left the configuration menu.
Apr 10 15:41:25.915124 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 10 15:41:27.006919 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Apr 10 15:41:27.612083 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Apr 10 15:41:27.752749 osdx file_operation[25028]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Apr 10 15:41:27.776623 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Apr 10 15:41:27.936614 osdx OSDxCLI[2245]: User 'admin' entered the configuration menu.
Apr 10 15:41:28.011431 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Apr 10 15:41:28.111968 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Apr 10 15:41:28.220541 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Apr 10 15:41:28.278632 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Apr 10 15:41:28.379886 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Apr 10 15:41:28.454214 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Apr 10 15:41:28.563274 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Apr 10 15:41:28.622849 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Apr 10 15:41:28.721592 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Apr 10 15:41:28.821973 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Apr 10 15:41:28.888267 osdx OSDxCLI[2245]: User 'admin' added a new cfg line: 'show changes'.
Apr 10 15:41:28.985497 osdx ubnt-cfgd[25055]: inactive
Apr 10 15:41:29.044047 osdx INFO[25075]: FRR daemons did not change
Apr 10 15:41:29.201983 osdx kernel: app-detect: module init
Apr 10 15:41:29.202028 osdx kernel: app-detect: registered: sysctl net.appdetect
Apr 10 15:41:29.202037 osdx kernel: app-detect: expression init
Apr 10 15:41:29.202046 osdx kernel: app-detect: appid cache initialized
Apr 10 15:41:29.202058 osdx kernel: app-detect: appid cache changes counter initialized
Apr 10 15:41:29.607055 osdx cfgd[1673]: [2245]Completed change to active configuration
Apr 10 15:41:29.609430 osdx OSDxCLI[2245]: User 'admin' committed the configuration.
Apr 10 15:41:29.639034 osdx OSDxCLI[2245]: User 'admin' left the configuration menu.
Apr 10 15:41:29.849936 osdx file_operation[25148]: using src url: https://www.marca.com dst url: running://index.html
Apr 10 15:41:29.938648 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=16564 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:29.940959 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16565 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:29.941985 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16566 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:29.942004 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=50 ID=16567 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.086719 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=16569 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.179509 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=16570 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.349176 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16571 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.434743 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=16572 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.894067 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16573 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:30.951883 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=16574 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:31.975106 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=16575 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:31.981939 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16576 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:34.012131 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=16577 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:34.160412 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=16578 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:34.806895 osdx file_operation.py[25148]: Operation aborted by user.
Apr 10 15:41:34.824158 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Apr 10 15:41:34.841993 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=16579 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:34.842054 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=16580 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
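The Step 6 check above is a single regular expression over the raw journal dump. As an added example (not OSDx code, and not part of this scenario), the Python below parses the `[POL-1] DROP ... APPDETECT[L4:port kind:host]` entries that `log app-id` produces into records, counts drops per detected host, sanity-checks the reported L4 port against the packet's own ports, and applies the Step 6 regex; the entry layout is assumed from the lines shown on this page and the sample journal is constructed from them.

```python
import re

# Constructed sample of "system journal show" output, built from the entry formats this
# scenario shows: one ssl-host drop, one http-host drop and two non-policy lines.
SAMPLE_JOURNAL = """\
Apr 10 15:41:29.849936 osdx file_operation[25148]: using src url: https://www.marca.com dst url: running://index.html
Apr 10 15:41:29.938648 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=199.232.33.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=16564 DF PROTO=TCP SPT=443 DPT=33616 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Apr 10 15:41:14.445663 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:14:da:93:d5:89:08:00 SRC=142.250.185.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=11402 PROTO=TCP SPT=80 DPT=36024 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Apr 10 15:41:34.824158 osdx OSDxCLI[2245]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# Layout assumed from the page: "<ts> <host> kernel: [<policy>-<rule>] <ACTION> IN=.. OUT=..
# <KEY=VALUE and bare flag tokens> APPDETECT[L4:<port> <kind>:<host>]"
POLICY_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<action>[A-Z]+) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"(?P<fields>.*?) APPDETECT\[L4:(?P<l4>\d+) (?P<kind>[\w-]+):(?P<host>\S+)\]$"
)
# The Step 6 expectation, exactly as the scenario states it.
STEP6_EXPECTED = re.compile(r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]")

def parse_policy_line(line):
    """Return a dict for one policy log entry, or None for any other journal line."""
    m = POLICY_LINE.match(line)
    if m is None:
        return None
    kv, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:                      # KEY=VALUE field (SRC, DST, LEN, ID, SPT, DPT, ...)
            k, v = tok.split("=", 1)
            kv[k] = v
        else:                               # bare IP/TCP flag token (DF, ACK, PSH, FIN, ...)
            flags.add(tok)
    return {
        "ts": m.group("ts"), "policy": m.group("policy"), "action": m.group("action"),
        "iface_in": m.group("in"), "src": kv.get("SRC"), "dst": kv.get("DST"),
        "proto": kv.get("PROTO"), "spt": int(kv.get("SPT", 0)), "dpt": int(kv.get("DPT", 0)),
        "l4": int(m.group("l4")), "kind": m.group("kind"), "host": m.group("host"),
        "flags": flags,
    }

def parse_journal(text):
    """All policy log entries of a journal dump, in order; other lines are skipped."""
    return [r for r in map(parse_policy_line, text.splitlines()) if r is not None]

def dropped_hosts(records):
    """Count DROP entries per (detection kind, host), e.g. ('ssl-host', 'www.marca.com')."""
    counts = {}
    for r in records:
        if r["action"] == "DROP":
            key = (r["kind"], r["host"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def l4_port_consistent(records):
    """Sanity check: the L4 port app-detect reports must be one of the packet's own ports."""
    return all(r["l4"] in (r["spt"], r["dpt"]) for r in records)

def step6_passes(text):
    """The scenario's Step 6 check: at least one journal line matches the expected regex."""
    return any(STEP6_EXPECTED.search(line) for line in text.splitlines())
```

Feeding the real dump from Step 6 to `parse_journal` gives one record per `[POL-1] DROP` line, all of kind `ssl-host` for `www.marca.com`, which is the expected result of the `not app-id engine 128` selector in this scenario.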