App Id
The following scenario shows how to filter packets based on app-id using traffic selectors.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic in a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=42 time=16.4 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.388/16.388/16.388/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0    926      0 --:--:-- --:--:-- --:--:--   923
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   972    0   972    0     0   415k      0 --:--:-- --:--:-- --:--:--  474k
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic in an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.209 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (216.58.208.100) 56(84) bytes of data.
64 bytes from sof01s11-in-f100.1e100.net (216.58.208.100): icmp_seq=1 ttl=104 time=42.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 42.132/42.132/42.132/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  21.6M      0 --:--:-- --:--:-- --:--:-- 32.5M
Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18359    0 18359    0     0  17445      0 --:--:--  0:00:01 --:--:-- 17451
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
May 14 09:23:26.244762 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51731 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1089    0  1089    0     0   425k      0 --:--:-- --:--:-- --:--:--  531k
Step 9: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Note that the journal captured below comes from a run in which the dictionary was loaded from a file (set system conntrack app-detect dictionary 1 filename running://test_dict.gz) and the selector used app-id engine 128, rather than the inline custom dictionary and app-id custom -1 selector of Step 1. The HTTP transfer from 10.215.168.1 is nevertheless logged as accepted with the http-host tag the expression looks for.
May 14 09:23:21.000175 osdx systemd-timedated[111651]: Changed local time to Wed 2025-05-14 09:23:21 UTC
May 14 09:23:21.000822 osdx systemd-journald[63976]: Time jumped backwards, rotating.
May 14 09:23:21.001642 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'set date 2025-05-14 09:23:21'.
May 14 09:23:21.292931 osdx sudo[114059]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:21.296658 osdx systemd-journald[63976]: Runtime Journal (/run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac) is 2.0M, max 15.3M, 13.2M free.
May 14 09:23:21.297045 osdx systemd-journald[63976]: Received client request to rotate journal, rotating.
May 14 09:23:21.297075 osdx systemd-journald[63976]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac.
May 14 09:23:21.300686 osdx sudo[114058]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:21.306066 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:23:21.489065 osdx sudo[114066]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:21.574674 osdx sudo[114071]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:21.620979 osdx osdx-coredump[114073]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:23:21.628670 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:23:22.116914 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:22.180343 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 14 09:23:22.276079 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 14 09:23:22.338539 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 14 09:23:22.434255 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
May 14 09:23:22.494799 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 14 09:23:22.601601 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:23:22.659635 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 14 09:23:22.772361 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:23:22.843893 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show working'.
May 14 09:23:22.936202 osdx ubnt-cfgd[114097]: inactive
May 14 09:23:22.976542 osdx INFO[114119]: FRR daemons did not change
May 14 09:23:22.996770 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 14 09:23:23.274121 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:23.287453 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:23.305144 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:23.461522 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:23:23.699774 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 14 09:23:23.766831 osdx sudo[114326]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:23.849186 osdx file_operation[114329]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 14 09:23:23.871035 osdx sudo[114336]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:23.873448 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 14 09:23:24.037826 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:24.162369 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 14 09:23:24.279299 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 14 09:23:24.369521 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 14 09:23:24.441619 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show changes'.
May 14 09:23:24.554842 osdx ubnt-cfgd[114346]: inactive
May 14 09:23:24.575212 osdx INFO[114352]: FRR daemons did not change
May 14 09:23:24.728774 osdx kernel: app-detect: module init
May 14 09:23:24.728826 osdx kernel: app-detect: registered: sysctl net.appdetect
May 14 09:23:24.728841 osdx kernel: app-detect: expression init
May 14 09:23:24.728849 osdx kernel: app-detect: appid cache initialized
May 14 09:23:24.728856 osdx kernel: app-detect: appid cache changes counter initialized
May 14 09:23:24.908836 osdx sudo[114388]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:24.915395 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:24.917452 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:24.945183 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:25.081796 osdx sudo[114402]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:25.147795 osdx file_operation[114405]: using src url: https://www.google.com dst url: running://index.html
May 14 09:23:25.236961 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51700 PROTO=TCP SPT=443 DPT=42906 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.240780 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51701 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.240878 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51702 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.240899 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1513 TOS=0x00 PREC=0x00 TTL=111 ID=51703 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.292615 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51705 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.292680 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=51706 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.292690 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=51707 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.300788 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51708 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.336665 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51709 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.348758 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1035 TOS=0x00 PREC=0x00 TTL=111 ID=51710 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.348782 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51711 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.348794 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51712 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.348806 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51713 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.348817 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51714 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.352768 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51715 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.352813 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51716 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.352822 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51717 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.352830 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51718 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.356760 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51719 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.356788 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51720 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.360760 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51721 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.360780 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51722 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:25.364756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=206 TOS=0x00 PREC=0x00 TTL=111 ID=51725 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:26.151215 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51729 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:26.200451 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=51730 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:26.218994 osdx sudo[114413]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:26.220994 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
May 14 09:23:26.244762 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=216.58.208.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=51731 PROTO=TCP SPT=443 DPT=42906 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
May 14 09:23:26.345364 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal show | cat'.
May 14 09:23:26.544643 osdx sudo[114424]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:26.604904 osdx file_operation[114427]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
May 14 09:23:26.608767 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6988 DF PROTO=TCP SPT=80 DPT=43228 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 14 09:23:26.608814 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1308 TOS=0x00 PREC=0x00 TTL=64 ID=6989 DF PROTO=TCP SPT=80 DPT=43228 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 14 09:23:26.608824 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6990 DF PROTO=TCP SPT=80 DPT=43228 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
May 14 09:23:26.623558 osdx sudo[114434]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:26.625371 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary. The single rule of policy POL drops packets matched by selector SEL, which requires both that an app-id has already been detected for the connection (app-id detected) and that this app-id is not one of the custom dictionary's entries (not app-id custom -1, where custom -1 stands for any custom app-id). Traffic whose host name matches a dictionary entry is not selected, and neither is traffic for which no app-id has been detected, which is why the ICMP pings in Steps 2 and 3 still succeed. Both detection keys are values the client sends in clear text (the TLS server name in the ClientHello for ssl-host, the Host header for http-host), so the allow-list is only as reliable as those client-supplied fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping host www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=33.6 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 33.578/33.578/33.578/0.000 ms
Step 3: Ping host www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (216.58.208.100) 56(84) bytes of data.
64 bytes from sof01s11-in-f100.1e100.net (216.58.208.100): icmp_seq=1 ttl=104 time=58.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 58.059/58.059/58.059/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
The matching entries are tagged L4:443 rather than with a dictionary app-id (compare the U:6 and U:30 tags of the previous scenario): the server name www.marca.com is not in the custom dictionary, so the not app-id custom -1 selector matches and the TLS session is dropped once its app-id has been detected. The file copy from https://www.marca.com recorded in the journal consequently never completes and is aborted.
May 14 09:23:32.299455 osdx systemd-journald[63976]: Runtime Journal (/run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac) is 2.1M, max 15.3M, 13.2M free.
May 14 09:23:32.301478 osdx systemd-journald[63976]: Received client request to rotate journal, rotating.
May 14 09:23:32.301520 osdx systemd-journald[63976]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac.
May 14 09:23:32.303999 osdx sudo[114670]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.311761 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:23:32.502525 osdx sudo[114678]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.591602 osdx sudo[114683]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.643953 osdx osdx-coredump[114685]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:23:32.651643 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:23:33.170463 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:33.284747 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 14 09:23:33.366037 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 14 09:23:33.451844 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 14 09:23:33.529673 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 14 09:23:33.670224 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 14 09:23:33.727022 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 14 09:23:33.832621 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 14 09:23:33.897013 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 14 09:23:33.992784 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 14 09:23:34.052860 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 14 09:23:34.173610 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:23:34.270314 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 14 09:23:34.378858 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:23:34.477153 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show working'.
May 14 09:23:34.562705 osdx ubnt-cfgd[114714]: inactive
May 14 09:23:34.600989 osdx INFO[114736]: FRR daemons did not change
May 14 09:23:34.733482 osdx kernel: app-detect: module init
May 14 09:23:34.733532 osdx kernel: app-detect: registered: sysctl net.appdetect
May 14 09:23:34.733545 osdx kernel: app-detect: expression init
May 14 09:23:34.733556 osdx kernel: app-detect: appid cache initialized
May 14 09:23:34.733567 osdx kernel: app-detect: appid cache changes counter initialized
May 14 09:23:34.747944 osdx sudo[114765]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:34.773495 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 14 09:23:35.070399 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:35.081823 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:35.098595 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:35.499539 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 14 09:23:35.638405 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 14 09:23:35.707137 osdx sudo[114974]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:35.769347 osdx file_operation[114977]: using src url: https://www.marca.com dst url: running://index.html
May 14 09:23:36.869460 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31974 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:36.980533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=31978 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:37.237097 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31979 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:37.748375 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31980 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:38.811779 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31981 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:39.172442 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=31982 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.808445 osdx file_operation.py[114977]: Operation aborted by user.
May 14 09:23:40.822177 osdx sudo[114983]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:40.824003 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 14 09:23:40.849482 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=31983 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.849532 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=31984 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.857475 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=31985 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
The journal excerpt reproduced below ends before any plain-HTTP transfer to www.google.com was attempted, so it contains no entry that satisfies this expression; the only dropped flow it records is the TLS session to www.marca.com already checked in Step 4.
May 14 09:23:32.299455 osdx systemd-journald[63976]: Runtime Journal (/run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac) is 2.1M, max 15.3M, 13.2M free.
May 14 09:23:32.301478 osdx systemd-journald[63976]: Received client request to rotate journal, rotating.
May 14 09:23:32.301520 osdx systemd-journald[63976]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac.
May 14 09:23:32.303999 osdx sudo[114670]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.311761 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:23:32.502525 osdx sudo[114678]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.591602 osdx sudo[114683]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:32.643953 osdx osdx-coredump[114685]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:23:32.651643 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:23:33.170463 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:33.284747 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 14 09:23:33.366037 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 14 09:23:33.451844 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 14 09:23:33.529673 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 14 09:23:33.670224 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
May 14 09:23:33.727022 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 14 09:23:33.832621 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
May 14 09:23:33.897013 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
May 14 09:23:33.992784 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 14 09:23:34.052860 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 14 09:23:34.173610 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:23:34.270314 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 14 09:23:34.378858 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:23:34.477153 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show working'.
May 14 09:23:34.562705 osdx ubnt-cfgd[114714]: inactive
May 14 09:23:34.600989 osdx INFO[114736]: FRR daemons did not change
May 14 09:23:34.733482 osdx kernel: app-detect: module init
May 14 09:23:34.733532 osdx kernel: app-detect: registered: sysctl net.appdetect
May 14 09:23:34.733545 osdx kernel: app-detect: expression init
May 14 09:23:34.733556 osdx kernel: app-detect: appid cache initialized
May 14 09:23:34.733567 osdx kernel: app-detect: appid cache changes counter initialized
May 14 09:23:34.747944 osdx sudo[114765]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:34.773495 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 14 09:23:35.070399 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:35.081823 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:35.098595 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:35.499539 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 14 09:23:35.638405 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
May 14 09:23:35.707137 osdx sudo[114974]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:35.769347 osdx file_operation[114977]: using src url: https://www.marca.com dst url: running://index.html
May 14 09:23:36.869460 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31974 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:36.980533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=31978 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:37.237097 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31979 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:37.748375 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31980 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:38.811779 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=31981 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:39.172442 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=31982 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.808445 osdx file_operation.py[114977]: Operation aborted by user.
May 14 09:23:40.822177 osdx sudo[114983]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:40.824003 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 14 09:23:40.849482 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=31983 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.849532 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=31984 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:40.857475 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=31985 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:41.045790 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal show | cat'.
May 14 09:23:41.165261 osdx sudo[114994]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped May 14 09:23:41.248540 osdx sudo[114999]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped May 14 09:23:41.253408 osdx file_operation[114997]: using src url: http://www.google.com dst url: running://index.html May 14 09:23:41.781379 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=2566 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:42.258494 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=2578 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:42.318389 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=31986 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 14 09:23:42.744947 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=2579 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:43.877797 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=2581 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:44.000456 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=2582 PROTO=TCP 
SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:44.970832 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=31987 DF PROTO=TCP SPT=443 DPT=34830 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 14 09:23:46.232363 osdx file_operation.py[114997]: Operation aborted by user. May 14 09:23:46.245293 osdx sudo[115006]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped May 14 09:23:46.246903 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. May 14 09:23:46.261494 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=2583 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:46.317491 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=2584 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 14 09:23:46.375130 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=2585 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary. The dictionary is loaded from a file, and the selector combines app-id detected with not app-id engine 128, so every flow whose application has been detected but is not app-id 128 is dropped and logged with its app-id.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.174 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.174/0.174/0.174/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=13.2 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 13.212/13.212/13.212/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  24.2M      0 --:--:-- --:--:-- --:--:-- 32.5M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
May 14 09:23:50.000195 osdx systemd-timedated[111651]: Changed local time to Wed 2025-05-14 09:23:50 UTC
May 14 09:23:50.001138 osdx systemd-journald[63976]: Time jumped backwards, rotating.
May 14 09:23:50.002111 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'set date 2025-05-14 09:23:50'.
May 14 09:23:50.323270 osdx sudo[115234]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:50.327049 osdx systemd-journald[63976]: Runtime Journal (/run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac) is 2.0M, max 15.3M, 13.2M free.
May 14 09:23:50.329160 osdx systemd-journald[63976]: Received client request to rotate journal, rotating.
May 14 09:23:50.329208 osdx systemd-journald[63976]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d54fa6ddd60f4e688f2f72800dcfecac.
May 14 09:23:50.331977 osdx sudo[115233]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:50.337876 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:23:50.532869 osdx sudo[115241]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:50.629158 osdx sudo[115246]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:50.683271 osdx osdx-coredump[115248]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:23:50.693378 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:23:51.218577 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:51.280222 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:23:51.389050 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
May 14 09:23:51.480483 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:23:51.578726 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show working'.
May 14 09:23:51.641580 osdx ubnt-cfgd[115267]: inactive
May 14 09:23:51.664164 osdx INFO[115275]: FRR daemons did not change
May 14 09:23:51.685150 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 14 09:23:51.798464 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:51.812811 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:51.831463 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:51.995601 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:23:52.193595 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
May 14 09:23:52.260416 osdx sudo[115462]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:52.330476 osdx sudo[115467]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:52.334849 osdx file_operation[115465]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
May 14 09:23:52.357379 osdx sudo[115475]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:52.359379 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
May 14 09:23:52.512322 osdx OSDxCLI[63830]: User 'admin' entered the configuration menu.
May 14 09:23:52.598310 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
May 14 09:23:52.702416 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
May 14 09:23:52.759534 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
May 14 09:23:52.872448 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 14 09:23:52.928582 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
May 14 09:23:53.034674 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
May 14 09:23:53.087892 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
May 14 09:23:53.189374 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
May 14 09:23:53.259372 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
May 14 09:23:53.357665 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
May 14 09:23:53.425353 osdx OSDxCLI[63830]: User 'admin' added a new cfg line: 'show changes'.
May 14 09:23:53.540704 osdx ubnt-cfgd[115492]: inactive
May 14 09:23:53.577556 osdx INFO[115512]: FRR daemons did not change
May 14 09:23:53.741145 osdx kernel: app-detect: module init
May 14 09:23:53.741201 osdx kernel: app-detect: registered: sysctl net.appdetect
May 14 09:23:53.741214 osdx kernel: app-detect: expression init
May 14 09:23:53.741225 osdx kernel: app-detect: appid cache initialized
May 14 09:23:53.741236 osdx kernel: app-detect: appid cache changes counter initialized
May 14 09:23:53.945594 osdx sudo[115548]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:54.138326 osdx cfgd[1680]: [63830]Completed change to active configuration
May 14 09:23:54.140392 osdx OSDxCLI[63830]: User 'admin' committed the configuration.
May 14 09:23:54.171107 osdx OSDxCLI[63830]: User 'admin' left the configuration menu.
May 14 09:23:54.306427 osdx sudo[115582]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:54.368591 osdx file_operation[115585]: using src url: https://www.marca.com dst url: running://index.html
May 14 09:23:54.445717 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39451 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.447101 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39452 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.447186 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39453 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.447314 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=48 ID=39454 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.535221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=48 ID=39456 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.670634 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=39457 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.781945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39458 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:54.890350 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=39459 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:55.267923 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39460 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:55.386533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=39461 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:56.279643 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39462 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:56.349140 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=39463 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:58.239112 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=39464 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:58.276457 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=39465 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:59.327254 osdx file_operation.py[115585]: Operation aborted by user.
May 14 09:23:59.341220 osdx sudo[115591]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
May 14 09:23:59.343298 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
May 14 09:23:59.405150 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39466 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:59.405236 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39467 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
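The kernel entries in this journal are the evidence the scenario relies on: every DROP carries the usual packet header dump followed by an APPDETECT[...] tag with the server port and the host that app-detect extracted (the TLS SNI for ssl-host, the HTTP Host header for http-host), and Step 6 only checks that one regular expression matches somewhere in the output. Note that every dropped packet is an inbound server reply (SRC is the web server, SPT=443): the policy is the system's inbound policy, and a flow can only be classified once the client's TLS ClientHello carrying the SNI has been seen, so the HTTPS download stalls until the file copy is aborted. The following Python script is an added example and is not part of the OSDx documentation or product: it parses journal lines of this format into structured events, counts drops per detected host, performs the same regex check as Step 6, and flags drops for hosts that the policy was meant to let through. The sample journal is constructed from the log format shown above; the field names follow the log exactly, while the function and class names are the example's own.

```python
"""Parse the kernel DROP entries that 'log app-id' writes to the OSDx journal
and verify which detected applications were blocked.

Added example; not part of the OSDx documentation or product. Only the log
format is taken from the page; the function names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Regular expression the scenario's Step 6 checks against the journal.
EXPECTED_PATTERN = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"

# Constructed sample journal, modelled on the output shown above: two kernel
# DROP entries (one TLS, one plain HTTP) and two non-kernel entries to skip.
SAMPLE_JOURNAL = """\
May 14 09:23:54.368591 osdx file_operation[115585]: using src url: https://www.marca.com dst url: running://index.html
May 14 09:23:54.445717 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=39451 DF PROTO=TCP SPT=443 DPT=37484 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
May 14 09:23:41.781379 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:1c:0a:04:c8:bc:08:00 SRC=142.251.18.106 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=2566 PROTO=TCP SPT=80 DPT=50518 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
May 14 09:23:59.343298 osdx OSDxCLI[63830]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# <timestamp> osdx kernel: [<policy>-<rule>] <verdict> <header fields> APPDETECT[<app-detect fields>]
KERNEL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) osdx kernel: "
    r"\[(?P<rule>[^\]]+)\] (?P<verdict>[A-Z]+) (?P<body>.*) "
    r"APPDETECT\[(?P<appdetect>[^\]]*)\]$"
)


@dataclass
class AppDetectEvent:
    ts: str
    rule: str                 # traffic policy and rule number, e.g. "POL-1"
    verdict: str              # action logged by the policy rule, e.g. "DROP"
    fields: dict              # key=value pairs of the packet header dump
    flags: frozenset          # bare tokens such as DF, ACK, PSH, FIN
    l4: int | None            # server port reported by app-detect (L4:<port>)
    host_kind: str | None     # "ssl-host" (TLS SNI) or "http-host" (HTTP Host header)
    host: str | None


def parse_line(line: str) -> AppDetectEvent | None:
    """Return an event for a kernel app-detect line, None for any other entry."""
    m = KERNEL_LINE.match(line.strip())
    if not m:
        return None
    fields: dict[str, str] = {}
    flags: set[str] = set()
    for tok in m["body"].split():
        key, sep, val = tok.partition("=")
        if sep:                       # "OUT=" keeps an empty value, as logged
            fields[key] = val
        else:
            flags.add(tok)
    l4 = host_kind = host = None
    for tok in m["appdetect"].split():
        key, _, val = tok.partition(":")
        if key == "L4":
            l4 = int(val)
        elif key in ("ssl-host", "http-host"):
            host_kind, host = key, val
    return AppDetectEvent(m["ts"], m["rule"], m["verdict"], fields,
                          frozenset(flags), l4, host_kind, host)


def parse_journal(text: str) -> list[AppDetectEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def dropped_hosts(events: list[AppDetectEvent]) -> dict[str, int]:
    """Number of DROP entries per detected host."""
    counts: dict[str, int] = {}
    for ev in events:
        if ev.verdict == "DROP" and ev.host:
            counts[ev.host] = counts.get(ev.host, 0) + 1
    return counts


def journal_matches(text: str, pattern: str = EXPECTED_PATTERN) -> bool:
    """The check Step 6 performs: does any journal line match the pattern?"""
    return any(re.search(pattern, line) for line in text.splitlines())


def unexpected_drops(events: list[AppDetectEvent], allowed_hosts: set[str]) -> list[AppDetectEvent]:
    """DROP entries for hosts the policy was supposed to let through.

    The selector drops every detected flow except engine app-id 128, so a
    host that should have been classified as that application but shows up
    here indicates a dictionary or detection gap rather than an intended hit.
    """
    return [ev for ev in events if ev.verdict == "DROP" and ev.host in allowed_hosts]


if __name__ == "__main__":
    events = parse_journal(SAMPLE_JOURNAL)
    for ev in events:
        print(f"{ev.ts} {ev.rule} {ev.verdict} {ev.fields['SRC']}:{ev.fields['SPT']} "
              f"-> {ev.fields['DST']}:{ev.fields['DPT']} {ev.host_kind}={ev.host}")
    print("drops per host:", dropped_hosts(events))
    print("Step 6 pattern seen:", journal_matches(SAMPLE_JOURNAL))
```

Run it against a real capture with the output of system journal show | cat redirected to a file and passed to parse_journal; the per-host counts tell you which applications the policy is actually hitting, and a non-empty result from unexpected_drops for the hosts you expect the engine dictionary to classify as app-id 128 is the first thing to check before blaming the policy itself.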