App Id

The following scenario shows how to filter packets based on app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic whose application ID is defined in a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.182 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.182/0.182/0.182/0.000 ms

Step 3: Ping host name teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=45 time=22.5 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 22.460/22.460/22.460/0.000 ms

Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   2455      0 --:--:-- --:--:-- --:--:--  2479

Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Jun 25 08:30:51.388417 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.3M, max 15.3M, 13.0M free.
Jun 25 08:30:51.388858 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:30:51.388892 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:30:51.398362 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:30:51.615158 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:30:51.835991 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:30:51.900106 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:30:51.998740 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:30:52.054686 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:30:52.157113 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jun 25 08:30:52.214188 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:30:52.318035 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 25 08:30:52.374889 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 25 08:30:52.471629 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:30:52.569864 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:30:52.631358 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:30:52.733315 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:30:52.805239 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:30:52.922965 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:30:52.994977 osdx ubnt-cfgd[69507]: inactive
Jun 25 08:30:53.035629 osdx INFO[69529]: FRR daemons did not change
Jun 25 08:30:53.192733 osdx kernel: app-detect: module init
Jun 25 08:30:53.192793 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:30:53.192806 osdx kernel: app-detect: expression init
Jun 25 08:30:53.192818 osdx kernel: app-detect: appid cache initialized
Jun 25 08:30:53.192829 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:30:53.232728 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:30:53.705521 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:30:53.716400 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:30:53.735160 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:30:53.882096 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 08:30:54.126454 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jun 25 08:30:54.288049 osdx file_operation[69779]: using src url: https://teldat.es dst url: running://index.html
Jun 25 08:30:54.335446 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15816 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336736 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15817 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336776 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15818 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336790 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1252 TOS=0x00 PREC=0x00 TTL=45 ID=15819 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.344737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=68 TOS=0x00 PREC=0x00 TTL=45 ID=15821 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.344772 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15820 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.360727 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=45 ID=15822 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.387383 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=45 ID=15823 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.404734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15825 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.410399 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Jun 25 08:30:54.412727 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15826 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.452738 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=45 ID=15824 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0   155k      0 --:--:-- --:--:-- --:--:--  165k

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Jun 25 08:30:51.388417 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.3M, max 15.3M, 13.0M free.
Jun 25 08:30:51.388858 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:30:51.388892 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:30:51.398362 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:30:51.615158 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:30:51.835991 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:30:51.900106 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:30:51.998740 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:30:52.054686 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:30:52.157113 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jun 25 08:30:52.214188 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:30:52.318035 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 25 08:30:52.374889 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 25 08:30:52.471629 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:30:52.569864 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:30:52.631358 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:30:52.733315 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:30:52.805239 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:30:52.922965 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:30:52.994977 osdx ubnt-cfgd[69507]: inactive
Jun 25 08:30:53.035629 osdx INFO[69529]: FRR daemons did not change
Jun 25 08:30:53.192733 osdx kernel: app-detect: module init
Jun 25 08:30:53.192793 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:30:53.192806 osdx kernel: app-detect: expression init
Jun 25 08:30:53.192818 osdx kernel: app-detect: appid cache initialized
Jun 25 08:30:53.192829 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:30:53.232728 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:30:53.705521 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:30:53.716400 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:30:53.735160 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:30:53.882096 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 08:30:54.126454 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jun 25 08:30:54.288049 osdx file_operation[69779]: using src url: https://teldat.es dst url: running://index.html
Jun 25 08:30:54.335446 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15816 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336736 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15817 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336776 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15818 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.336790 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1252 TOS=0x00 PREC=0x00 TTL=45 ID=15819 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.344737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=68 TOS=0x00 PREC=0x00 TTL=45 ID=15821 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.344772 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=15820 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.360727 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=45 ID=15822 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.387383 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=45 ID=15823 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.404734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15825 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.410399 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Jun 25 08:30:54.412727 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15826 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.452738 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=45 ID=15824 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.530044 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 25 08:30:54.722521 osdx file_operation[69801]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 25 08:30:54.728733 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8076 DF PROTO=TCP SPT=80 DPT=38682 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 25 08:30:54.728778 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1064 TOS=0x00 PREC=0x00 TTL=64 ID=8077 DF PROTO=TCP SPT=80 DPT=38682 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 25 08:30:54.732725 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8078 DF PROTO=TCP SPT=80 DPT=38682 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 25 08:30:54.747426 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic whose application ID is defined in an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.177 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.177/0.177/0.177/0.000 ms

Step 3: Ping host name www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.36.4) 56(84) bytes of data.
64 bytes from ams15s44-in-f4.1e100.net (142.251.36.4): icmp_seq=1 ttl=107 time=204 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 204.049/204.049/204.049/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  10.8M      0 --:--:-- --:--:-- --:--:-- 13.0M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18364    0 18364    0     0   101k      0 --:--:-- --:--:-- --:--:--  101k

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Jun 25 08:31:00.319841 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 08:31:00.320932 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:31:00.320989 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:31:00.331380 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:31:00.545737 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:31:00.768518 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:00.830799 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:31:00.934415 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:31:01.019518 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:31:01.116614 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jun 25 08:31:01.210560 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:31:01.272316 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:31:01.371398 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:31:01.442197 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:31:01.563822 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:31:01.683276 osdx ubnt-cfgd[70074]: inactive
Jun 25 08:31:01.725801 osdx INFO[70096]: FRR daemons did not change
Jun 25 08:31:01.744971 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:31:02.045781 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:02.059422 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:02.076034 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:02.236625 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 08:31:02.596314 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 25 08:31:02.756750 osdx file_operation[70306]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 25 08:31:02.782037 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 25 08:31:02.943466 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:03.006236 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 25 08:31:03.095448 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:31:03.160190 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:31:03.274504 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show changes'.
Jun 25 08:31:03.342122 osdx ubnt-cfgd[70323]: inactive
Jun 25 08:31:03.366031 osdx INFO[70329]: FRR daemons did not change
Jun 25 08:31:03.512931 osdx kernel: app-detect: module init
Jun 25 08:31:03.512976 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:31:03.512985 osdx kernel: app-detect: expression init
Jun 25 08:31:03.512993 osdx kernel: app-detect: appid cache initialized
Jun 25 08:31:03.513001 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:31:03.710632 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:03.712721 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:03.735360 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:03.963198 osdx file_operation[70382]: using src url: https://www.google.com dst url: running://index.html
Jun 25 08:31:04.048093 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60275 PROTO=TCP SPT=443 DPT=56272 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.052939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60276 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.052995 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60277 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.053019 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=113 ID=60278 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.086407 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=60279 PROTO=TCP SPT=443 DPT=56272 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.088939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=113 ID=60280 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.122627 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60281 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132930 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1033 TOS=0x00 PREC=0x00 TTL=113 ID=60282 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132968 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60283 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132982 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60284 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.133000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60285 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.133013 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60286 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136932 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60287 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136949 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60288 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136962 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60289 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136974 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60290 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140925 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60291 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140953 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60292 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140963 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60293 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140971 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60294 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140979 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=2012 TOS=0x00 PREC=0x00 TTL=113 ID=60295 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.159988 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 25 08:31:04.176934 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60297 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
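The journal checks in both scenarios (steps 5 and 7 of the custom-dictionary scenario, step 7 above) grep the kernel log for an APPDETECT tag with a specific app-id and host. The following Python is an added example, not code from this page or from the OSDx product: it splits an OSDx "[POL-1] ACCEPT ..." journal line into its packet fields, pulls the app-id, detection kind (ssl-host or http-host) and host out of the APPDETECT tag, and reproduces the regular-expression check the steps perform, so the same journal dump can be inspected for every app-id it contains rather than for one expected line. The sample journal is constructed: four lines are copied from the outputs shown on this page, and the last (an ICMP reply without an APPDETECT tag) is made up to show how untagged packets are handled.

```python
"""Parse the kernel traffic-policy log lines that "log app-id" writes to the
OSDx journal and verify the APPDETECT tag, as the journal-check steps do."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample journal: the first four lines are copied from the outputs
# shown on this page; the last one (ICMP, no APPDETECT tag) is made up.
SAMPLE_JOURNAL = """\
Jun 25 08:30:54.288049 osdx file_operation[69779]: using src url: https://teldat.es dst url: running://index.html
Jun 25 08:30:54.335446 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=15816 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 25 08:30:54.728733 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8076 DF PROTO=TCP SPT=80 DPT=38682 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 25 08:31:04.048093 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60275 PROTO=TCP SPT=443 DPT=56272 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:05.000000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=ICMP TYPE=0 CODE=0
"""

# Journal prefix, "[<policy>-<rule>] <verdict>", then the packet fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:.]+) osdx kernel: \[(?P<policy>[^\]]+)\] "
    r"(?P<verdict>\S+) (?P<body>.*)$"
)
# The tag that "log app-id" appends: U:<app-id>, then the host that http-host
# or ssl-host detection extracted (the host part is treated as optional here).
APPDETECT_RE = re.compile(
    r"APPDETECT\[U:(?P<app_id>\d+)(?: (?P<kind>[\w-]+):(?P<host>[^\]\s]+))?\]"
)


@dataclass
class PolicyLogEntry:
    timestamp: str
    policy: str          # e.g. "POL-1": policy name and rule number
    verdict: str         # ACCEPT in every line on this page
    fields: Dict[str, str] = field(default_factory=dict)   # KEY=value pairs
    flags: List[str] = field(default_factory=list)         # bare tokens: DF, ACK, ...
    app_id: Optional[int] = None
    app_kind: Optional[str] = None   # "ssl-host" or "http-host"
    app_host: Optional[str] = None


def parse_policy_line(line: str) -> Optional[PolicyLogEntry]:
    """Parse one kernel policy log line; return None for any other journal line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    body = m.group("body")
    entry = PolicyLogEntry(m.group("ts"), m.group("policy"), m.group("verdict"))
    am = APPDETECT_RE.search(body)
    if am:
        entry.app_id = int(am.group("app_id"))
        entry.app_kind = am.group("kind")
        entry.app_host = am.group("host")
        body = body[: am.start()] + body[am.end():]   # leave only the packet fields
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            entry.fields[key] = value
        else:
            entry.flags.append(tok)
    return entry


def parse_journal(text: str) -> List[PolicyLogEntry]:
    """Keep only the kernel policy lines out of a full 'system journal show' dump."""
    entries = (parse_policy_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def find_app_hits(entries, app_id, kind=None, host=None):
    """Entries whose APPDETECT tag carries the given app-id (and optionally kind and host)."""
    return [
        e for e in entries
        if e.app_id == app_id
        and (kind is None or e.app_kind == kind)
        and (host is None or e.app_host == host)
    ]


def summarize_app_ids(entries) -> Dict[int, set]:
    """Map each app-id seen to the set of hosts the detector attributed to it."""
    seen: Dict[int, set] = {}
    for e in entries:
        if e.app_id is not None and e.app_host is not None:
            seen.setdefault(e.app_id, set()).add(e.app_host)
    return seen


def journal_matches(text: str, pattern: str) -> bool:
    """The check the scenario steps perform: does any journal line match the regex?"""
    return any(re.search(pattern, line) for line in text.splitlines())


if __name__ == "__main__":
    parsed = parse_journal(SAMPLE_JOURNAL)
    for app_id, hosts in sorted(summarize_app_ids(parsed).items()):
        print(f"app-id {app_id}: {', '.join(sorted(hosts))}")
    print(journal_matches(SAMPLE_JOURNAL,
                          r"osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]"))
```

Feeding the real output of system journal show | cat into parse_journal and summarize_app_ids lists every app-id the policy logged together with the hosts attributed to it, which is a quicker way to confirm that a dictionary entry fires than searching for one expected line; an app-id that appears with an unexpected host, or a host that appears under no app-id at all, points at a dictionary entry to revisit.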

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   229k      0 --:--:-- --:--:-- --:--:--  234k

Step 9: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Show output
Jun 25 08:31:00.319841 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 08:31:00.320932 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:31:00.320989 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:31:00.331380 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:31:00.545737 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:31:00.768518 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:00.830799 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:31:00.934415 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:31:01.019518 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:31:01.116614 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jun 25 08:31:01.210560 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:31:01.272316 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:31:01.371398 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:31:01.442197 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:31:01.563822 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:31:01.683276 osdx ubnt-cfgd[70074]: inactive
Jun 25 08:31:01.725801 osdx INFO[70096]: FRR daemons did not change
Jun 25 08:31:01.744971 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:31:02.045781 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:02.059422 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:02.076034 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:02.236625 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 08:31:02.596314 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 25 08:31:02.756750 osdx file_operation[70306]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 25 08:31:02.782037 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 25 08:31:02.943466 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:03.006236 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 25 08:31:03.095448 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:31:03.160190 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:31:03.274504 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show changes'.
Jun 25 08:31:03.342122 osdx ubnt-cfgd[70323]: inactive
Jun 25 08:31:03.366031 osdx INFO[70329]: FRR daemons did not change
Jun 25 08:31:03.512931 osdx kernel: app-detect: module init
Jun 25 08:31:03.512976 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:31:03.512985 osdx kernel: app-detect: expression init
Jun 25 08:31:03.512993 osdx kernel: app-detect: appid cache initialized
Jun 25 08:31:03.513001 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:31:03.710632 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:03.712721 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:03.735360 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:03.963198 osdx file_operation[70382]: using src url: https://www.google.com dst url: running://index.html
Jun 25 08:31:04.048093 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60275 PROTO=TCP SPT=443 DPT=56272 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.052939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60276 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.052995 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60277 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.053019 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=113 ID=60278 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.086407 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=60279 PROTO=TCP SPT=443 DPT=56272 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.088939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=113 ID=60280 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.122627 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60281 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132930 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1033 TOS=0x00 PREC=0x00 TTL=113 ID=60282 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132968 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60283 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.132982 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60284 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.133000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60285 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.133013 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60286 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136932 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60287 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136949 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60288 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136962 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60289 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.136974 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60290 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140925 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60291 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140953 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60292 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140963 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60293 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140971 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60294 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.140979 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=2012 TOS=0x00 PREC=0x00 TTL=113 ID=60295 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.159988 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 25 08:31:04.176934 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60297 PROTO=TCP SPT=443 DPT=56272 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 25 08:31:04.280872 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 25 08:31:04.498083 osdx file_operation[70404]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 25 08:31:04.504934 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=42346 DF PROTO=TCP SPT=80 DPT=40206 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 25 08:31:04.504982 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=42347 DF PROTO=TCP SPT=80 DPT=40206 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 25 08:31:04.504993 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=42348 DF PROTO=TCP SPT=80 DPT=40206 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 25 08:31:04.519967 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping host www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=17.8 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.783/17.783/17.783/0.000 ms

Step 3: Ping host www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
Show output
PING www.google.com (142.251.36.4) 56(84) bytes of data.
64 bytes from ams15s44-in-f4.1e100.net (142.251.36.4): icmp_seq=1 ttl=107 time=44.8 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 44.813/44.813/44.813/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Jun 25 08:31:09.319080 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 08:31:09.322564 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:31:09.322637 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:31:09.329342 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:31:09.571894 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:31:09.796029 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:09.860397 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:31:09.973472 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:31:10.079930 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:31:10.199262 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 25 08:31:10.306204 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jun 25 08:31:10.397685 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:31:10.459383 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 25 08:31:10.587779 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 25 08:31:10.649786 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:31:10.771597 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:31:10.866076 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:31:10.981838 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:31:11.064504 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:31:11.165274 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:31:11.264819 osdx ubnt-cfgd[70683]: inactive
Jun 25 08:31:11.308366 osdx INFO[70705]: FRR daemons did not change
Jun 25 08:31:11.454541 osdx kernel: app-detect: module init
Jun 25 08:31:11.454598 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:31:11.454609 osdx kernel: app-detect: expression init
Jun 25 08:31:11.454617 osdx kernel: app-detect: appid cache initialized
Jun 25 08:31:11.454625 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:31:11.494539 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:31:11.795431 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:11.806662 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:11.825513 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:12.141587 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 25 08:31:12.378842 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 25 08:31:12.520824 osdx file_operation[70946]: using src url: https://www.marca.com dst url: running://index.html
Jun 25 08:31:12.582673 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18637 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586535 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18638 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586553 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18639 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586562 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=52 ID=18640 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.657848 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=18642 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.790100 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18643 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.897373 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18644 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.031877 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18645 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.375580 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18646 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.487185 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18647 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:14.324210 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18648 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:14.399567 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18649 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:16.221872 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18650 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:16.247208 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18651 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.506384 osdx file_operation.py[70946]: Operation aborted by user.
Jun 25 08:31:17.522568 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18652 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.522620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18653 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.523332 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
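Added example (not part of the OSDx documentation): a small Python checker for the journal lines verified in Steps 4 and 5 of this scenario and in Step 9 of the previous one. It parses the "[POL-<rule>] ACCEPT|DROP ... APPDETECT[...]" kernel lines, applies the same regular-expression check the steps perform, and summarizes which detected hosts each verdict was applied to; the sample journal excerpt is constructed from lines of the kind shown above, and the engine tag (for instance L4:443 or U:30) is carried through verbatim rather than interpreted.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Kernel log line written by a traffic policy rule that has "log app-id" set.
# Layout follows the journal excerpts on this page:
#   <timestamp> <host> kernel: [<policy>-<rule>] <VERDICT> KEY=VAL ... APPDETECT[<tag> <kind>:<name>]
# The engine tag ("U:6", "L4:443", ...) is kept as logged; its meaning is not derived here.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?) \S+ kernel: "
    r"\[(?P<policy>.+?)-(?P<rule>\d+)\] (?P<verdict>ACCEPT|DROP) "
    r"(?P<fields>.*?) ?APPDETECT\[(?P<tag>[^\s\]]+)"
    r"(?: (?P<kind>[a-z-]+):(?P<name>[^\]]+))?\]\s*$"
)
_KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags (ACK, DF) are skipped


@dataclass(frozen=True)
class AppIdLogEntry:
    ts: str
    policy: str
    rule: int
    verdict: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    tag: str             # app-id engine tag as logged, e.g. "L4:443" or "U:30"
    kind: Optional[str]  # "ssl-host" or "http-host" when a host name was detected
    name: Optional[str]  # the detected host name or address


def parse_appid_log(line: str) -> Optional[AppIdLogEntry]:
    """Parse one journal line; return None for lines without an APPDETECT verdict."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    kv = dict(_KV_RE.findall(m.group("fields")))

    def port(key: str) -> Optional[int]:
        return int(kv[key]) if kv.get(key, "").isdigit() else None

    return AppIdLogEntry(
        ts=m.group("ts"), policy=m.group("policy"), rule=int(m.group("rule")),
        verdict=m.group("verdict"), src=kv.get("SRC", ""), dst=kv.get("DST", ""),
        proto=kv.get("PROTO", ""), spt=port("SPT"), dpt=port("DPT"),
        tag=m.group("tag"), kind=m.group("kind"), name=m.group("name"),
    )


def journal_matches(lines: Iterable[str], pattern: str) -> bool:
    """The check done by the 'check if output matches the following regular expressions' steps."""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in lines)


def packets_by_decision(lines: Iterable[str]) -> Dict[tuple, int]:
    """Count logged packets per (verdict, engine tag, host kind, host name)."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_appid_log(line)
        if e is not None:
            counts[(e.verdict, e.tag, e.kind, e.name)] += 1
    return dict(counts)


def hosts_by_verdict(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each verdict to the set of detected host names it was applied to."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        e = parse_appid_log(line)
        if e is not None and e.name:
            out[e.verdict].add(e.name)
    return dict(out)


# Constructed journal excerpt, modelled on the lines shown in this scenario.
SAMPLE_JOURNAL = [
    "Jun 25 08:31:12.141587 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.",
    "Jun 25 08:31:12.582673 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18637 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Jun 25 08:31:12.586535 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18638 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Jun 25 08:31:18.009533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=59812 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]",
    "Jun 25 08:31:04.504934 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=42346 DF PROTO=TCP SPT=80 DPT=40206 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
]

if __name__ == "__main__":
    step4 = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"
    print("Step 4 check:", "PASS" if journal_matches(SAMPLE_JOURNAL, step4) else "FAIL")
    for key, n in sorted(packets_by_decision(SAMPLE_JOURNAL).items()):
        print(f"{key[0]:6} {key[1]:8} {key[2]}:{key[3]} packets={n}")
```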

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Show output
Jun 25 08:31:09.319080 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 08:31:09.322564 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:31:09.322637 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:31:09.329342 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:31:09.571894 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:31:09.796029 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:09.860397 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:31:09.973472 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:31:10.079930 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:31:10.199262 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 25 08:31:10.306204 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jun 25 08:31:10.397685 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:31:10.459383 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 25 08:31:10.587779 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 25 08:31:10.649786 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:31:10.771597 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:31:10.866076 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:31:10.981838 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:31:11.064504 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:31:11.165274 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:31:11.264819 osdx ubnt-cfgd[70683]: inactive
Jun 25 08:31:11.308366 osdx INFO[70705]: FRR daemons did not change
Jun 25 08:31:11.454541 osdx kernel: app-detect: module init
Jun 25 08:31:11.454598 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:31:11.454609 osdx kernel: app-detect: expression init
Jun 25 08:31:11.454617 osdx kernel: app-detect: appid cache initialized
Jun 25 08:31:11.454625 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:31:11.494539 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:31:11.795431 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:11.806662 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:11.825513 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:12.141587 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 25 08:31:12.378842 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 25 08:31:12.520824 osdx file_operation[70946]: using src url: https://www.marca.com dst url: running://index.html
Jun 25 08:31:12.582673 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18637 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586535 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18638 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586553 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18639 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.586562 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=52 ID=18640 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.657848 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=18642 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.790100 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18643 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:12.897373 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18644 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.031877 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18645 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.375580 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18646 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:13.487185 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18647 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:14.324210 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18648 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:14.399567 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18649 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:16.221872 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=18650 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:16.247208 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=18651 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.506384 osdx file_operation.py[70946]: Operation aborted by user.
Jun 25 08:31:17.522568 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18652 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.522620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=18653 DF PROTO=TCP SPT=443 DPT=40598 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:17.523332 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jun 25 08:31:17.733581 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 25 08:31:17.928691 osdx file_operation[70966]: using src url: http://www.google.com dst url: running://index.html
Jun 25 08:31:18.009533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=59812 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.052442 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59813 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.052521 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59814 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.052569 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59815 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.052605 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59817 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.054551 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59818 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.054594 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1143 TOS=0x00 PREC=0x00 TTL=113 ID=59819 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.054608 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=156 TOS=0x00 PREC=0x00 TTL=113 ID=59820 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.054620 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59821 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.054631 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59822 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.062538 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59816 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.127213 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59823 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.253694 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=113 ID=59824 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.371100 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59825 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.493653 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=113 ID=59826 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:18.838550 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59827 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:19.002345 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=113 ID=59828 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:19.819469 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59829 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:19.997327 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=113 ID=59830 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:21.726924 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=59831 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:21.946452 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=113 ID=59832 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 25 08:31:22.884441 osdx file_operation.py[70966]: Operation aborted by user.
Jun 25 08:31:22.901379 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Jun 25 08:31:22.946540 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=59833 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all detected traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.189 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.189/0.189/0.189/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=3.18 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.179/3.179/3.179/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  12.8M      0 --:--:-- --:--:-- --:--:-- 13.0M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Jun 25 08:31:28.320052 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 08:31:28.321238 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 08:31:28.321277 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 08:31:28.329898 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 08:31:28.576904 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 08:31:28.798378 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:28.861431 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 08:31:28.964082 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 25 08:31:29.038874 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 08:31:29.137404 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show working'.
Jun 25 08:31:29.202757 osdx ubnt-cfgd[71225]: inactive
Jun 25 08:31:29.223441 osdx INFO[71233]: FRR daemons did not change
Jun 25 08:31:29.245254 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 08:31:29.352066 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:29.366550 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:29.383511 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:29.537666 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 08:31:29.713815 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 25 08:31:29.858120 osdx file_operation[71423]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 25 08:31:29.883563 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 25 08:31:30.061006 osdx OSDxCLI[2035]: User 'admin' entered the configuration menu.
Jun 25 08:31:30.127908 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 25 08:31:30.240952 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 25 08:31:30.344481 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 25 08:31:30.491277 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 25 08:31:30.616351 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 25 08:31:30.751161 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Jun 25 08:31:30.837075 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 25 08:31:30.905036 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 25 08:31:31.000061 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 25 08:31:31.120344 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 25 08:31:31.222294 osdx OSDxCLI[2035]: User 'admin' added a new cfg line: 'show changes'.
Jun 25 08:31:31.290103 osdx ubnt-cfgd[71450]: inactive
Jun 25 08:31:31.327601 osdx INFO[71470]: FRR daemons did not change
Jun 25 08:31:31.485254 osdx kernel: app-detect: module init
Jun 25 08:31:31.485320 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 25 08:31:31.485336 osdx kernel: app-detect: expression init
Jun 25 08:31:31.485349 osdx kernel: app-detect: appid cache initialized
Jun 25 08:31:31.485362 osdx kernel: app-detect: appid cache changes counter initialized
Jun 25 08:31:31.838331 osdx cfgd[1463]: [2035]Completed change to active configuration
Jun 25 08:31:31.840113 osdx OSDxCLI[2035]: User 'admin' committed the configuration.
Jun 25 08:31:31.856241 osdx OSDxCLI[2035]: User 'admin' left the configuration menu.
Jun 25 08:31:32.055486 osdx file_operation[71543]: using src url: https://www.marca.com dst url: running://index.html
Jun 25 08:31:32.085258 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=7909 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.089234 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7910 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.089277 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7911 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.089287 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7912 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.089295 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=7913 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.120203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=7914 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.281002 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=7915 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.346451 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7916 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.492953 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=7917 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.787412 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7918 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.941133 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=7919 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:33.715285 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7920 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:33.794611 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=7921 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:35.489247 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=7922 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:35.509247 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7923 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:37.029829 osdx file_operation.py[71543]: Operation aborted by user.
Jun 25 08:31:37.046078 osdx OSDxCLI[2035]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jun 25 08:31:37.049247 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=7924 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:37.049275 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=7925 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
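A defender-side check of the journal output produced by this scenario, as an added example that is not part of the original page or of OSDx: it parses the kernel policy log lines in the format shown above, counts dropped packets per app-id detector and host, and applies the same kind of regex check as Step 6. The sample lines are copied from this scenario's journal output; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Sample journal lines copied from this scenario's output (one non-policy line,
# three "[POL-1] DROP ... APPDETECT[...]" kernel lines).
SAMPLE_JOURNAL = """\
Jun 25 08:31:32.055486 osdx file_operation[71543]: using src url: https://www.marca.com dst url: running://index.html
Jun 25 08:31:32.085258 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=7909 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:32.089234 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=7910 DF PROTO=TCP SPT=443 DPT=37762 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 25 08:31:18.009533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:0b:d7:14:bb:cf:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=59812 PROTO=TCP SPT=80 DPT=59778 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
"""

# Fields of a policy log line: "[<policy>] <action> ... SRC= DST= ... PROTO= SPT= DPT= ...
# APPDETECT[L4:<port> <detector>:<host>]". The detector part is optional so that a
# line with only the L4 port still parses. The "DF" flag and TCP flags vary per line,
# which the lazy ".*?" gaps absorb.
KERNEL_LOG_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)\] (?P<action>[A-Z]+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?APPDETECT\[L4:(?P<l4port>\d+)(?: (?P<detector>[\w-]+):(?P<host>[^\]]+))?\]"
)


def parse_policy_log(line):
    """Return the fields of one policy log line, or None if the line is not one."""
    m = KERNEL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("spt", "dpt", "l4port"):
        rec[key] = int(rec[key])
    return rec


def summarize_drops(journal):
    """Count dropped packets per (policy, detector, host) and list the flows seen."""
    packets = Counter()
    flows = defaultdict(set)
    for line in journal.splitlines():
        rec = parse_policy_log(line)
        if rec is None or rec["action"] != "DROP":
            continue
        key = (rec["policy"], rec["detector"], rec["host"])
        packets[key] += 1
        flows[key].add((rec["proto"], rec["src"], rec["spt"], rec["dst"], rec["dpt"]))
    return {k: {"packets": n, "flows": sorted(flows[k])} for k, n in packets.items()}


def unmatched_patterns(journal, patterns):
    """Step 6 style check: return the regexes that match no line of the journal."""
    lines = journal.splitlines()
    return [p for p in patterns if not any(re.search(p, ln) for ln in lines)]


# The regular expression Step 6 checks the journal against.
EXPECTED = [r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"]

if __name__ == "__main__":
    for key, v in summarize_drops(SAMPLE_JOURNAL).items():
        print(key, v["packets"], "packet(s)", len(v["flows"]), "flow(s)")
    missing = unmatched_patterns(SAMPLE_JOURNAL, EXPECTED)
    print("all expected patterns matched" if not missing else f"missing: {missing}")
```

Feeding the output of `system journal show | cat` into `summarize_drops` gives a per-host view of what the policy dropped, which is more useful than the single pass/fail regex when a selector unexpectedly matches traffic from the wrong dictionary.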