App Id

The following scenario shows how to filter packets based on app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic in a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.700 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.700/0.700/0.700/0.000 ms

Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=45 time=24.9 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.896/24.896/24.896/0.000 ms

Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   2096      0 --:--:-- --:--:-- --:--:--  2094

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Output:
Jul 28 12:25:44.546348 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.3M free.
Jul 28 12:25:44.558952 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:25:44.559015 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:25:44.580905 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:25:45.123580 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:25:45.713622 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:25:45.938019 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:25:46.147342 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:25:46.368271 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:25:46.511859 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jul 28 12:25:46.609807 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:25:46.758312 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jul 28 12:25:46.955521 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jul 28 12:25:47.107774 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:25:47.301079 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:25:47.443482 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:25:47.599720 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:25:47.770754 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:25:47.974952 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:25:48.155637 osdx ubnt-cfgd[25457]: inactive
Jul 28 12:25:48.279539 osdx INFO[25479]: FRR daemons did not change
Jul 28 12:25:48.523187 osdx kernel: app-detect: module init
Jul 28 12:25:48.523326 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:25:48.523355 osdx kernel: app-detect: expression init
Jul 28 12:25:48.523374 osdx kernel: app-detect: appid cache initialized
Jul 28 12:25:48.523399 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:25:48.639182 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:25:49.082571 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:25:49.101846 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:25:49.142011 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:25:49.382860 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 12:25:49.793729 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jul 28 12:25:50.163674 osdx file_operation[25723]: using src url: https://teldat.es dst url: running://index.html
Jul 28 12:25:50.215683 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=32228 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.216879 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=32229 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.219178 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1252 TOS=0x00 PREC=0x00 TTL=45 ID=32231 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.220420 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=68 TOS=0x00 PREC=0x00 TTL=45 ID=32233 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.220724 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=32232 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.225115 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=32230 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.241356 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=32234 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.241474 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=32235 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.251939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=45 ID=32236 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.280107 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=45 ID=32237 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.295338 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=45 ID=32238 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.295425 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=32239 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.295452 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=32240 DF PROTO=TCP SPT=443 DPT=57924 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jul 28 12:25:50.337730 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4352    0  4352    0     0  87533      0 --:--:-- --:--:-- --:--:-- 88816

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Output:
Jul 28 12:25:50.565621 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 28 12:25:51.027365 osdx file_operation[25745]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jul 28 12:25:51.035784 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21424 DF PROTO=TCP SPT=80 DPT=57222 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jul 28 12:25:51.081429 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4572 TOS=0x00 PREC=0x00 TTL=64 ID=21425 DF PROTO=TCP SPT=80 DPT=57222 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jul 28 12:25:51.095180 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21429 DF PROTO=TCP SPT=80 DPT=57222 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jul 28 12:25:51.109463 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
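
The journal checks in Steps 5 and 7 can be automated. The following Python sketch is an added example, not part of the OSDx documentation or tooling: it parses the `[POL-1] ACCEPT ... APPDETECT[...]` kernel lines, counts packets per detected app-id, and verifies the expected detections with the host name escaped, since the unescaped `.` in the expressions above matches any character. The function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three kernel lines and one CLI audit line in the journal
# format shown on this page (values taken from the custom dictionary scenario).
PKT_TEMPLATE = (
    "Jul 28 12:25:5{n}.000000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC={src} DST=10.215.168.64 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2142{n} DF PROTO=TCP SPT={spt} "
    "DPT=57924 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:{app} {det}:{host}]"
)
SAMPLE_JOURNAL = [
    PKT_TEMPLATE.format(n=0, src="82.223.148.162", spt=443, app=33,
                        det="ssl-host", host="teldat.es"),
    PKT_TEMPLATE.format(n=1, src="82.223.148.162", spt=443, app=33,
                        det="ssl-host", host="teldat.es"),
    PKT_TEMPLATE.format(n=2, src="10.215.168.1", spt=80, app=34,
                        det="http-host", host="10.215.168.1"),
    "Jul 28 12:25:53.000000 osdx OSDxCLI[2568]: User 'admin' executed a new "
    "command: 'system journal show | cat'.",
]
# Constructed look-alike host: differs from teldat.es only where the dot is.
LOOKALIKE = SAMPLE_JOURNAL[0].replace("teldat.es]", "teldatXes]")

# The expression from Step 5, copied verbatim from the page.
PAGE_REGEX_STEP5 = re.compile(
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]")

# Detections the scenario expects: (app-id, detector, host).
EXPECTED = [(33, "ssl-host", "teldat.es"), (34, "http-host", "10.215.168.1")]

# One policy log line: "[<policy>-<rule>] <action> <fields> APPDETECT[...]".
LOG_RE = re.compile(
    r"kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*) APPDETECT\[(?P<tag>\w+):(?P<app_id>\d+) "
    r"(?P<detector>[\w-]+):(?P<host>[^\]]+)\]$"
)


def parse_line(line):
    """Return a dict for a policy log line, or None for any other journal line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # KEY=VALUE tokens (IN=, SRC=, SPT=, ...); bare flags such as ACK are skipped.
    kv = dict(t.split("=", 1) for t in rec.pop("fields").split() if "=" in t)
    rec.update(
        rule=int(rec["rule"]),
        app_id=int(rec["app_id"]),
        src=kv.get("SRC"),
        dst=kv.get("DST"),
        proto=kv.get("PROTO"),
        spt=int(kv["SPT"]) if "SPT" in kv else None,
        dpt=int(kv["DPT"]) if "DPT" in kv else None,
    )
    return rec


def summarize(lines):
    """Count logged packets per (app-id, detector, host)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["app_id"], rec["detector"], rec["host"])] += 1
    return counts


def expected_pattern(app_id, detector, host):
    """Same shape as the page's expressions, with the literal parts escaped."""
    return re.compile(r"kernel:.*ACCEPT.*APPDETECT\[U:%d %s:%s\]"
                      % (app_id, re.escape(detector), re.escape(host)))


def verify(lines, expected):
    """Return (expected detections never logged, logged detections not expected)."""
    missing = [e for e in expected
               if not any(expected_pattern(*e).search(l) for l in lines)]
    unexpected = sorted(set(summarize(lines)) - set(expected))
    return missing, unexpected


if __name__ == "__main__":
    for key, packets in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(key, packets)
    print("missing/unexpected:", verify(SAMPLE_JOURNAL, EXPECTED))
    print("page regex matches look-alike:",
          bool(PAGE_REGEX_STEP5.search(LOOKALIKE)))
    print("escaped regex matches look-alike:",
          bool(expected_pattern(*EXPECTED[0]).search(LOOKALIKE)))
```
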

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic in an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.315 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms

Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (173.194.79.104) 56(84) bytes of data.
64 bytes from eg-in-f104.1e100.net (173.194.79.104): icmp_seq=1 ttl=95 time=33.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 33.099/33.099/33.099/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  15.0M      0 --:--:-- --:--:-- --:--:-- 16.2M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18736    0 18736    0     0   100k      0 --:--:-- --:--:-- --:--:--  101k

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Output:
Jul 28 12:26:00.518017 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.3M free.
Jul 28 12:26:00.521567 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:26:00.521682 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:26:00.536866 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:26:00.954388 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:26:01.499987 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:01.632502 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:26:01.775919 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:26:01.889877 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:26:02.013435 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jul 28 12:26:02.128754 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:26:02.275150 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:26:02.416721 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:26:02.569079 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:26:02.731117 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:26:02.879618 osdx ubnt-cfgd[26018]: inactive
Jul 28 12:26:02.977645 osdx INFO[26040]: FRR daemons did not change
Jul 28 12:26:03.017578 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:26:03.410870 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:03.428377 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:03.490237 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:03.780168 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 12:26:04.077917 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jul 28 12:26:04.425344 osdx file_operation[26250]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jul 28 12:26:04.499000 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jul 28 12:26:04.740588 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:04.894264 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jul 28 12:26:05.057913 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:26:05.252414 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:26:05.399527 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show changes'.
Jul 28 12:26:05.582714 osdx ubnt-cfgd[26267]: inactive
Jul 28 12:26:05.641696 osdx INFO[26273]: FRR daemons did not change
Jul 28 12:26:05.809598 osdx kernel: app-detect: module init
Jul 28 12:26:05.809671 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:26:05.809697 osdx kernel: app-detect: expression init
Jul 28 12:26:05.809717 osdx kernel: app-detect: appid cache initialized
Jul 28 12:26:05.809735 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:26:06.283100 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:06.287338 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:06.360396 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:06.780851 osdx file_operation[26326]: using src url: https://www.google.com dst url: running://index.html
Jul 28 12:26:06.875597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23861 PROTO=TCP SPT=443 DPT=43116 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.876617 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23862 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.877592 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23863 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.877648 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1366 TOS=0x00 PREC=0x00 TTL=110 ID=23864 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.915214 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=23865 PROTO=TCP SPT=443 DPT=43116 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.915976 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=23866 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.953620 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23867 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.954725 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=110 ID=23868 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957621 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23869 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23870 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957717 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23871 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23872 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23873 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957775 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23874 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961562 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23875 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961635 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23876 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961670 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23877 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961691 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23878 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965584 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23879 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965654 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23880 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965677 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23881 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965696 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=984 TOS=0x00 PREC=0x00 TTL=110 ID=23882 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.005603 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23883 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.008622 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jul 28 12:26:07.021606 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23884 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4469    0  4469    0     0  2019k      0 --:--:-- --:--:-- --:--:-- 2182k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Jul 28 12:26:00.518017 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.3M free.
Jul 28 12:26:00.521567 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:26:00.521682 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:26:00.536866 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:26:00.954388 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:26:01.499987 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:01.632502 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:26:01.775919 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:26:01.889877 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:26:02.013435 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jul 28 12:26:02.128754 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:26:02.275150 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:26:02.416721 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:26:02.569079 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:26:02.731117 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:26:02.879618 osdx ubnt-cfgd[26018]: inactive
Jul 28 12:26:02.977645 osdx INFO[26040]: FRR daemons did not change
Jul 28 12:26:03.017578 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:26:03.410870 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:03.428377 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:03.490237 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:03.780168 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 12:26:04.077917 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jul 28 12:26:04.425344 osdx file_operation[26250]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jul 28 12:26:04.499000 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jul 28 12:26:04.740588 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:04.894264 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jul 28 12:26:05.057913 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:26:05.252414 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:26:05.399527 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show changes'.
Jul 28 12:26:05.582714 osdx ubnt-cfgd[26267]: inactive
Jul 28 12:26:05.641696 osdx INFO[26273]: FRR daemons did not change
Jul 28 12:26:05.809598 osdx kernel: app-detect: module init
Jul 28 12:26:05.809671 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:26:05.809697 osdx kernel: app-detect: expression init
Jul 28 12:26:05.809717 osdx kernel: app-detect: appid cache initialized
Jul 28 12:26:05.809735 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:26:06.283100 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:06.287338 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:06.360396 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:06.780851 osdx file_operation[26326]: using src url: https://www.google.com dst url: running://index.html
Jul 28 12:26:06.875597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23861 PROTO=TCP SPT=443 DPT=43116 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.876617 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23862 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.877592 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23863 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.877648 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1366 TOS=0x00 PREC=0x00 TTL=110 ID=23864 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.915214 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=110 ID=23865 PROTO=TCP SPT=443 DPT=43116 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.915976 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=110 ID=23866 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.953620 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23867 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.954725 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=110 ID=23868 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957621 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23869 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23870 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957717 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23871 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23872 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957756 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23873 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.957775 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23874 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961562 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23875 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961635 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23876 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961670 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23877 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.961691 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23878 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965584 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23879 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965654 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23880 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965677 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=110 ID=23881 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.965696 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=984 TOS=0x00 PREC=0x00 TTL=110 ID=23882 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.005603 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23883 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.008622 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jul 28 12:26:07.021606 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=23884 PROTO=TCP SPT=443 DPT=43116 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.238206 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 28 12:26:07.685505 osdx file_operation[26348]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jul 28 12:26:07.689694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=57840 DF PROTO=TCP SPT=80 DPT=41850 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jul 28 12:26:07.689751 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4689 TOS=0x00 PREC=0x00 TTL=64 ID=57841 DF PROTO=TCP SPT=80 DPT=41850 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jul 28 12:26:07.693580 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=57845 DF PROTO=TCP SPT=80 DPT=41850 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jul 28 12:26:07.721938 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
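
The regular-expression checks on this page can be complemented by parsing the APPDETECT tag of each policy log line, which gives exact host comparison and per-host packet and byte totals. The Python below is an added example, not part of the OSDx documentation or tooling; the function names and the sample journal are constructed for illustration, and the parser also accepts the `L4:` form that the drop scenario on this page logs.

```python
import re
from collections import defaultdict

# Constructed sample in the journal format shown on this page (fields abridged).
SAMPLE_JOURNAL = """\
Jul 28 12:26:05.809598 osdx kernel: app-detect: module init
Jul 28 12:26:06.875597 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=173.194.79.105 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=43116 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:06.876617 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 PROTO=TCP SPT=443 DPT=43116 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jul 28 12:26:07.008622 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jul 28 12:26:07.689694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=10.215.168.1 DST=10.215.168.64 LEN=52 DF PROTO=TCP SPT=80 DPT=41850 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jul 28 12:26:22.049074 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 DF PROTO=TCP SPT=443 DPT=47812 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
"""

# Regular expressions quoted on this page for the journal checks.
PAGE_PATTERNS = [
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]",
    r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]",
    r"osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]",
]

# Policy log line: "[<policy>-<rule>] <verdict> <netfilter fields> APPDETECT[<tag>]".
KERNEL_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:.]+) \S+ kernel: "
    r"\[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<verdict>ACCEPT|DROP) "
    r"(?P<fields>.*) APPDETECT\[(?P<tag>[^\]]*)\]\s*$"
)
# Tag: "<kind>:<id> <key>:<host>", e.g. "U:6 ssl-host:www.google.com". The host
# part is treated as optional (assumption; every tag on the page carries one).
TAG_RE = re.compile(
    r"^(?P<kind>[^:\s]+):(?P<ident>\d+)(?: (?P<key>[^:\s]+):(?P<host>\S+))?$"
)


def parse_line(line):
    """Return a dict for a policy log line, or None for any other journal line."""
    m = KERNEL_RE.match(line)
    if m is None:
        return None
    tag = TAG_RE.match(m["tag"])
    if tag is None:
        return None
    fields, flags = {}, []
    for token in m["fields"].split():
        if "=" in token:                 # KEY=VALUE, including empty "OUT="
            key, value = token.split("=", 1)
            fields[key] = value
        else:                            # bare flags such as ACK, PSH, FIN, DF
            flags.append(token)
    return {
        "ts": m["ts"], "policy": m["policy"], "rule": int(m["rule"]),
        "verdict": m["verdict"], "fields": fields, "flags": flags,
        "kind": tag["kind"], "ident": int(tag["ident"]),
        "key": tag["key"], "host": tag["host"],
    }


def summarize(lines):
    """Map (host, "<kind>:<id>", verdict) -> (packets, bytes from LEN=)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        key = (event["host"], f'{event["kind"]}:{event["ident"]}', event["verdict"])
        totals[key][0] += 1
        totals[key][1] += int(event["fields"].get("LEN", 0))
    return {key: tuple(value) for key, value in totals.items()}


def unmet_expectations(lines, patterns):
    """Return the patterns that no journal line matches (the page's check)."""
    # The page's patterns leave "." unescaped, so they match any character
    # there; summarize() compares the parsed host exactly instead.
    compiled = [re.compile(p) for p in patterns]
    return [p.pattern for p in compiled if not any(p.search(l) for l in lines)]


if __name__ == "__main__":
    journal = SAMPLE_JOURNAL.splitlines()
    for (host, app, verdict), (pkts, size) in sorted(summarize(journal).items()):
        print(f"{verdict:6} {app:7} {host:16} packets={pkts} bytes={size}")
    for pattern in unmet_expectations(journal, PAGE_PATTERNS):
        print("no match:", pattern)
```

On a device, the input would be the saved output of `system journal show | cat` instead of the constructed sample.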

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=4.48 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.476/4.476/4.476/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (173.194.79.104) 56(84) bytes of data.
64 bytes from eg-in-f104.1e100.net (173.194.79.104): icmp_seq=1 ttl=95 time=36.0 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.001/36.001/36.001/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Jul 28 12:26:16.554611 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.2M free.
Jul 28 12:26:16.557098 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:26:16.557210 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:26:16.576464 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:26:17.014194 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:26:17.546575 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:17.684661 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:26:17.824018 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:26:17.953139 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:26:18.088502 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jul 28 12:26:18.282148 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jul 28 12:26:18.422186 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:26:18.578096 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jul 28 12:26:18.733789 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jul 28 12:26:18.922664 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:26:19.072028 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:26:19.241700 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:26:19.417272 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:26:19.620822 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:26:19.842133 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:26:20.033472 osdx ubnt-cfgd[26625]: inactive
Jul 28 12:26:20.175232 osdx INFO[26647]: FRR daemons did not change
Jul 28 12:26:20.378238 osdx kernel: app-detect: module init
Jul 28 12:26:20.378311 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:26:20.384002 osdx kernel: app-detect: expression init
Jul 28 12:26:20.384094 osdx kernel: app-detect: appid cache initialized
Jul 28 12:26:20.384120 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:26:20.497122 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:26:21.022378 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:21.039712 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:21.111411 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:21.467030 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jul 28 12:26:21.664403 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jul 28 12:26:22.018420 osdx file_operation[26887]: using src url: https://www.marca.com dst url: running://index.html
Jul 28 12:26:22.049074 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61213 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049155 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61214 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049177 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61215 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049191 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61216 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=61217 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.083120 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=61218 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.243895 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61219 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.300362 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61220 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.452112 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61221 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.745451 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61222 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.883945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61223 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:23.668382 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61224 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:23.715957 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61225 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:25.380871 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61226 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:25.460456 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61227 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.906885 osdx file_operation.py[26887]: Operation aborted by user.
Jul 28 12:26:26.929072 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61228 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.929134 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61229 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.936378 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Jul 28 12:26:16.554611 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.2M free.
Jul 28 12:26:16.557098 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:26:16.557210 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:26:16.576464 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:26:17.014194 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:26:17.546575 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:17.684661 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:26:17.824018 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:26:17.953139 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:26:18.088502 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jul 28 12:26:18.282148 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jul 28 12:26:18.422186 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:26:18.578096 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jul 28 12:26:18.733789 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jul 28 12:26:18.922664 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:26:19.072028 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:26:19.241700 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:26:19.417272 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:26:19.620822 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:26:19.842133 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:26:20.033472 osdx ubnt-cfgd[26625]: inactive
Jul 28 12:26:20.175232 osdx INFO[26647]: FRR daemons did not change
Jul 28 12:26:20.378238 osdx kernel: app-detect: module init
Jul 28 12:26:20.378311 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:26:20.384002 osdx kernel: app-detect: expression init
Jul 28 12:26:20.384094 osdx kernel: app-detect: appid cache initialized
Jul 28 12:26:20.384120 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:26:20.497122 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:26:21.022378 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:21.039712 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:21.111411 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:21.467030 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jul 28 12:26:21.664403 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jul 28 12:26:22.018420 osdx file_operation[26887]: using src url: https://www.marca.com dst url: running://index.html
Jul 28 12:26:22.049074 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61213 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049155 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61214 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049177 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61215 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049191 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61216 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.049203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=61217 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.083120 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=61218 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.243895 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61219 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.300362 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61220 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.452112 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61221 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.745451 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61222 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:22.883945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61223 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:23.668382 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61224 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:23.715957 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61225 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:25.380871 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61226 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:25.460456 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61227 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.906885 osdx file_operation.py[26887]: Operation aborted by user.
Jul 28 12:26:26.929072 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61228 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.929134 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61229 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.936378 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jul 28 12:26:27.292480 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 28 12:26:27.755907 osdx file_operation[26907]: using src url: http://www.google.com dst url: running://index.html
Jul 28 12:26:27.828148 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=7877 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.875630 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7878 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.875705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7879 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.875775 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7880 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876514 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7881 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876539 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7882 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876560 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7883 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876579 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7884 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876598 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7885 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876617 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7886 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.876640 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7887 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.942999 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7888 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.061665 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=7889 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.182966 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7890 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.301533 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=7891 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.654685 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7892 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.801599 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=7893 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:28.805078 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=61230 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:28.980478 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=61231 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:29.630695 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7894 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:29.761277 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=7895 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:31.550581 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7896 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:31.687517 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=7897 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:32.664468 osdx file_operation.py[26907]: Operation aborted by user.
Jul 28 12:26:32.694346 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Jul 28 12:26:32.721255 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=7898 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
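
The journal check used in these scenarios, worked through on a few lines copied from the output above. This is an added example, not part of the original documentation or of OSDx; the function names are hypothetical, and reading the "[POL-1]" prefix as policy name plus rule number is an assumption.

```python
import re
from collections import Counter

# Journal lines copied from the output shown on this page.
SAMPLE_JOURNAL = """\
Jul 28 12:26:26.929134 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=61229 DF PROTO=TCP SPT=443 DPT=47812 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:26.936378 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jul 28 12:26:27.755907 osdx file_operation[26907]: using src url: http://www.google.com dst url: running://index.html
Jul 28 12:26:27.828148 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=7877 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jul 28 12:26:27.875630 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=173.194.79.105 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=7878 PROTO=TCP SPT=80 DPT=34104 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
"""

# Assumption: the bracketed prefix is "<policy name>-<rule number>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) (?P<node>\S+) kernel: "
    r"\[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) (?P<rest>.*)$"
)
APPDETECT_RE = re.compile(r" APPDETECT\[(?P<body>[^\]]*)\]\s*$")


def parse_policy_line(line):
    """Return a dict for a kernel traffic-policy log line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # CLI audit lines, file_operation lines, etc.
    rec = {k: m.group(k) for k in ("ts", "node", "policy", "action")}
    rec["rule"] = int(m.group("rule"))
    rest = m.group("rest")
    detected = {}
    ad = APPDETECT_RE.search(rest)
    if ad:
        # Body looks like "L4:443 ssl-host:www.marca.com": detector:value pairs.
        for item in ad.group("body").split():
            key, _, value = item.partition(":")
            detected[key] = value
        rest = rest[:ad.start()]
    fields, flags = {}, []
    for token in rest.split():
        if "=" in token:  # KEY=VALUE, including empty values such as "OUT="
            key, _, value = token.partition("=")
            fields[key] = value
        else:  # bare flags such as DF, ACK, PSH, FIN
            flags.append(token)
    rec.update(fields=fields, flags=flags, detected=detected)
    return rec


def summarize_drops(journal_text):
    """Count logged packets per (action, detector, hostname, remote IP)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_policy_line(line)
        if rec is None:
            continue
        # Use the host-level detector if one fired; otherwise only L4 is known.
        detector = next((k for k in rec["detected"] if k != "L4"), None)
        host = rec["detected"].get(detector) if detector else None
        counts[(rec["action"], detector, host, rec["fields"].get("SRC"))] += 1
    return counts


def journal_matches(journal_text, pattern):
    """Same check as the journal step: does any line match the expected regex?"""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in journal_text.splitlines())


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_JOURNAL).items():
        print(n, key)
    expected = r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"
    print("expected line present:", journal_matches(SAMPLE_JOURNAL, expected))
```

The page's expression leaves the dots in www.marca.com unescaped, so each dot matches any character; escape them when the check has to be exact.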

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.271 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=2.55 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.552/2.552/2.552/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  15.0M      0 --:--:-- --:--:-- --:--:-- 16.2M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]

Jul 28 12:26:40.436731 osdx systemd-journald[1675]: Runtime Journal (/run/log/journal/4c5d47518c544e039e2e5ef7565a6d23) is 2.0M, max 15.3M, 13.2M free.
Jul 28 12:26:40.438250 osdx systemd-journald[1675]: Received client request to rotate journal, rotating.
Jul 28 12:26:40.438354 osdx systemd-journald[1675]: Vacuuming done, freed 0B of archived journals from /run/log/journal/4c5d47518c544e039e2e5ef7565a6d23.
Jul 28 12:26:40.458646 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 12:26:40.907780 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 12:26:41.655592 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:41.822536 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 12:26:41.986776 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jul 28 12:26:42.291516 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 12:26:42.448029 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:26:42.617473 osdx ubnt-cfgd[27166]: inactive
Jul 28 12:26:42.686750 osdx INFO[27174]: FRR daemons did not change
Jul 28 12:26:42.742258 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:26:43.016050 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:43.047660 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:43.128159 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:43.361221 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 12:26:43.545117 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jul 28 12:26:43.792840 osdx file_operation[27364]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jul 28 12:26:43.830785 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jul 28 12:26:44.064212 osdx OSDxCLI[2568]: User 'admin' entered the configuration menu.
Jul 28 12:26:44.222535 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jul 28 12:26:44.374704 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jul 28 12:26:44.531988 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jul 28 12:26:44.645342 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jul 28 12:26:44.796947 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jul 28 12:26:44.959755 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Jul 28 12:26:45.089810 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jul 28 12:26:45.260432 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jul 28 12:26:45.450617 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jul 28 12:26:45.620267 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jul 28 12:26:45.815527 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show changes'.
Jul 28 12:26:45.960973 osdx ubnt-cfgd[27391]: inactive
Jul 28 12:26:46.019539 osdx INFO[27411]: FRR daemons did not change
Jul 28 12:26:46.222205 osdx kernel: app-detect: module init
Jul 28 12:26:46.222271 osdx kernel: app-detect: registered: sysctl net.appdetect
Jul 28 12:26:46.222305 osdx kernel: app-detect: expression init
Jul 28 12:26:46.222326 osdx kernel: app-detect: appid cache initialized
Jul 28 12:26:46.222345 osdx kernel: app-detect: appid cache changes counter initialized
Jul 28 12:26:46.771726 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:26:46.774644 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:26:46.818049 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:26:47.157153 osdx file_operation[27484]: using src url: https://www.marca.com dst url: running://index.html
Jul 28 12:26:47.182203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=12704 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.182292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12706 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.182314 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12707 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.182328 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=51 ID=12708 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.190192 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12705 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.217986 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=51 ID=12709 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.378265 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=12710 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.440153 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12711 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.590842 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=12712 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:47.880192 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12713 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:48.013453 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=12714 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:48.785193 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=12715 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:48.847198 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=12716 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:50.510768 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=12717 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:50.576450 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=12718 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:52.077381 osdx file_operation.py[27484]: Operation aborted by user.
Jul 28 12:26:52.105012 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=12720 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:52.105129 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:06:65:7b:27:11:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=12719 DF PROTO=TCP SPT=443 DPT=40812 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jul 28 12:26:52.119200 osdx OSDxCLI[2568]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.