App Id
The following scenarios show how to filter packets by app-id using traffic selectors.
Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic in a custom dictionary. Custom dictionary 1 assigns app-id 33 to the FQDN teldat and app-id 34 to 10.215.168.1, host inspection is enabled for HTTP (http-host) and TLS (ssl-host), and selector SEL matches packets whose app-id has been detected and belongs to the custom dictionary (app-id custom -1). Because policy POL logs the app-id, the journal entries for the accepted packets carry an APPDETECT tag naming the app-id and the host it was derived from.

Scenario

Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.179 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.179/0.179/0.179/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=45 time=17.5 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.451/17.451/17.451/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   1520      0 --:--:-- --:--:-- --:--:--  1528
Step 5: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   845    0   845    0     0   135k      0 --:--:-- --:--:-- --:--:--  137k
Step 7: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic in an engine dictionary. Here the dictionary is a file (test_dict.gz) fetched onto the device and loaded through the dictionary 1 filename option, and selector SEL uses app-id engine 128 together with app-id detected; the journal then shows the app-ids that dictionary assigns (U:6 for ssl-host www.google.com and U:30 for http-host 10.215.168.1).

Scenario

Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.159 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.159/0.159/0.159/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.31.147) 56(84) bytes of data.
64 bytes from eq-in-f147.1e100.net (142.251.31.147): icmp_seq=1 ttl=100 time=58.0 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 57.978/57.978/57.978/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  2794k      0 --:--:-- --:--:-- --:--:-- 2894k
Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18259    0 18259    0     0  69406      0 --:--:-- --:--:-- --:--:-- 72169
Step 7: Run command system journal show | cat at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   962    0   962    0     0   176k      0 --:--:-- --:--:-- --:--:--  187k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=7.87 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.868/7.868/7.868/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.31.106) 56(84) bytes of data.
64 bytes from eq-in-f106.1e100.net (142.251.31.106): icmp_seq=1 ttl=97 time=44.6 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 44.620/44.620/44.620/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
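As an added example (not part of the OSDx documentation), a small Python parser for the [POL-1] kernel entries that the journal checks in steps 4, 5 and 9 look for: it extracts the action, the packet fields and the APPDETECT tag, replicates the regular-expression check the steps perform on system journal show output, and verifies the intent of this scenario (detected traffic is dropped unless its host is in the custom dictionary). Assumptions: dictionary fqdn entries are matched as substrings of the detected host and IP entries exactly, and the APPDETECT engine/id field (U:30, L4:443) is carried through without interpretation.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample journal excerpt: the kernel entries are copied from this page
# (the ACCEPT line from the first scenario, the DROP lines from the second); the
# OSDxCLI line is included to show that non-policy entries are skipped.
SAMPLE_JOURNAL = """\
Aug 20 09:55:42.737110 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=555 DF PROTO=TCP SPT=80 DPT=40934 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Aug 20 09:55:53.434455 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=39533 DF PROTO=TCP SPT=443 DPT=39900 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Aug 20 09:55:58.374769 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Aug 20 09:55:58.946406 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=20085 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
"""

# Custom dictionary entries from the page's configuration (app-id 33 and 34).
CUSTOM_DICTIONARY = ["teldat", "10.215.168.1"]

KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<action>ACCEPT|DROP) (?P<rest>.*)$"
)
APPDETECT_RE = re.compile(
    r"APPDETECT\[(?P<engine>[^:\]]+):(?P<appid>[^\s\]]+)"
    r"(?:\s+(?P<hostkey>ssl-host|http-host):(?P<host>[^\]]+))?\]"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE pairs; bare flags (DF, ACK) are skipped


@dataclass
class PolicyEvent:
    timestamp: str
    policy: str                    # "POL-1": policy name and rule number
    action: str                    # ACCEPT or DROP
    fields: Dict[str, str]         # IN, SRC, DST, SPT, DPT, ...
    engine: Optional[str] = None   # APPDETECT engine tag ("U", "L4"), not interpreted
    appid: Optional[str] = None    # value after the engine tag ("30", "443")
    hostkey: Optional[str] = None  # "ssl-host" or "http-host"
    host: Optional[str] = None


def parse_journal(text: str) -> List[PolicyEvent]:
    """Return the traffic-policy entries found in a 'system journal show' dump."""
    events = []
    for line in text.splitlines():
        m = KERNEL_RE.match(line.strip())
        if not m:
            continue  # not a [POLICY-RULE] ACCEPT/DROP kernel entry
        rest = m.group("rest")
        ad = APPDETECT_RE.search(rest)
        packet = rest[: ad.start()] if ad else rest
        ev = PolicyEvent(m.group("ts"), m.group("policy"), m.group("action"),
                         dict(FIELD_RE.findall(packet)))
        if ad:
            ev.engine, ev.appid = ad.group("engine"), ad.group("appid")
            ev.hostkey, ev.host = ad.group("hostkey"), ad.group("host")
        events.append(ev)
    return events


def in_custom_dictionary(host: str, dictionary: List[str]) -> bool:
    """Assumed matching rule: an IP entry must equal the detected host; an fqdn
    entry matches when it is contained in it (so 'teldat' covers 'teldat.es')."""
    for entry in dictionary:
        try:
            ipaddress.ip_address(entry)
            if entry == host:
                return True
        except ValueError:
            if entry in host:
                return True
    return False


def check_drop_policy(events: List[PolicyEvent], dictionary: List[str]) -> List[PolicyEvent]:
    """Intent of this scenario: detected traffic is DROPped unless its host is in
    the custom dictionary. Returns the events whose logged action contradicts that."""
    violations = []
    for ev in events:
        if ev.host is None:
            continue  # no app-id detected: the selector would not match this packet
        expected = "ACCEPT" if in_custom_dictionary(ev.host, dictionary) else "DROP"
        if ev.action != expected:
            violations.append(ev)
    return violations


def summarize(events: List[PolicyEvent]) -> Counter:
    """Count entries per (action, host key, host) for a quick policy overview."""
    return Counter((ev.action, ev.hostkey, ev.host) for ev in events)


def journal_matches(text: str, pattern: str) -> bool:
    """The same check the page performs on 'system journal show | cat' output."""
    return re.search(pattern, text, re.MULTILINE) is not None


if __name__ == "__main__":
    evs = parse_journal(SAMPLE_JOURNAL)
    for key, n in summarize(evs).items():
        print(n, *key)
    print("violations:", check_drop_policy(evs, CUSTOM_DICTIONARY))
```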
DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20091 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:58.979381 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20092 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:58.979503 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20093 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:58.979626 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20094 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:58.979744 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20095 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:59.107373 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20096 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:59.212053 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=20097 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:59.371447 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20098 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:59.492099 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=20099 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:55:59.899014 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20100 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:00.049042 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=20101 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:00.418042 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=39550 DF PROTO=TCP SPT=443 DPT=39900 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:00.587399 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=39551 DF PROTO=TCP SPT=443 DPT=39900 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:00.988406 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20102 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:01.094921 osdx 
kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=20103 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:03.099229 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=20104 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:03.275697 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=20105 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Aug 20 09:56:03.790484 osdx file_operation.py[17268]: Operation aborted by user. Aug 20 09:56:03.805875 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. Aug 20 09:56:03.869883 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=20106 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all detected traffic whose application is not a given entry of the engine dictionary loaded in Step 5 (engine app-id 128). The selector combines app-id detected with not app-id engine 128, and the policy rule applies action drop with log app-id, so every dropped packet is recorded in the journal together with its APPDETECT classification.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.214 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.214/0.214/0.214/0.000 ms
Step 3: Ping hostname www.marca.com from DUT0 (this confirms DNS resolution and Internet reachability before the policy is applied):
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=3.20 ms
--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.199/3.199/3.199/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  11.3M      0 --:--:-- --:--:-- --:--:-- 13.0M
The dictionary is fetched over plain HTTP from a lab host on the local segment. Because it defines which applications the policy recognises (and therefore which traffic survives the drop rule), in a production deployment it should be obtained from a trusted source and its integrity checked before it is committed.
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Both conditions of selector SEL must hold for a packet to be dropped: the flow must already have been classified (app-id detected) and its application must not be engine app-id 128. Packets of a flow that has not been classified yet do not match app-id detected and are therefore not dropped by this rule.
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expression:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
The expression only proves that at least one packet classified as ssl-host www.marca.com was dropped by the policy; it does not show that traffic matching engine app-id 128 was allowed through, so a complete check of the rule needs a second, permitted flow as well.
Aug 20 09:56:09.350803 osdx systemd-journald[1956]: Runtime Journal (/run/log/journal/5531ee11c77d43acb462311bc7f53dec) is 2.0M, max 15.3M, 13.2M free. Aug 20 09:56:09.353500 osdx systemd-journald[1956]: Received client request to rotate journal, rotating. Aug 20 09:56:09.353557 osdx systemd-journald[1956]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5531ee11c77d43acb462311bc7f53dec. Aug 20 09:56:09.362169 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system journal clear'. Aug 20 09:56:09.591376 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system coredump delete all'. Aug 20 09:56:09.844702 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu. Aug 20 09:56:09.928534 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Aug 20 09:56:10.037013 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. Aug 20 09:56:10.137397 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Aug 20 09:56:10.254313 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show working'. Aug 20 09:56:10.327401 osdx ubnt-cfgd[17531]: inactive Aug 20 09:56:10.349797 osdx INFO[17539]: FRR daemons did not change Aug 20 09:56:10.373508 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Aug 20 09:56:10.472038 osdx cfgd[1656]: [2227]Completed change to active configuration Aug 20 09:56:10.487227 osdx OSDxCLI[2227]: User 'admin' committed the configuration. Aug 20 09:56:10.519768 osdx OSDxCLI[2227]: User 'admin' left the configuration menu. Aug 20 09:56:10.697281 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Aug 20 09:56:10.884627 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. 
Aug 20 09:56:11.043078 osdx file_operation[17729]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz Aug 20 09:56:11.073024 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. Aug 20 09:56:11.207258 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu. Aug 20 09:56:11.308024 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. Aug 20 09:56:11.427625 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. Aug 20 09:56:11.516976 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. Aug 20 09:56:11.630953 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Aug 20 09:56:11.754560 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. Aug 20 09:56:11.822865 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'. Aug 20 09:56:11.931236 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. Aug 20 09:56:12.011431 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. Aug 20 09:56:12.129349 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. Aug 20 09:56:12.228299 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. Aug 20 09:56:12.312595 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show changes'. 
Aug 20 09:56:12.416010 osdx ubnt-cfgd[17756]: inactive Aug 20 09:56:12.454561 osdx INFO[17776]: FRR daemons did not change Aug 20 09:56:12.625505 osdx kernel: app-detect: module init Aug 20 09:56:12.625554 osdx kernel: app-detect: registered: sysctl net.appdetect Aug 20 09:56:12.625563 osdx kernel: app-detect: expression init Aug 20 09:56:12.625571 osdx kernel: app-detect: appid cache initialized Aug 20 09:56:12.625579 osdx kernel: app-detect: appid cache changes counter initialized Aug 20 09:56:12.994473 osdx cfgd[1656]: [2227]Completed change to active configuration Aug 20 09:56:12.996730 osdx OSDxCLI[2227]: User 'admin' committed the configuration. Aug 20 09:56:13.027875 osdx OSDxCLI[2227]: User 'admin' left the configuration menu. Aug 20 09:56:13.268110 osdx file_operation[17849]: using src url: https://www.marca.com dst url: running://index.html Aug 20 09:56:13.329947 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=59233 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.330058 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59234 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.330143 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59235 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.330205 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59236 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 
APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.330523 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=59237 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.380550 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=59238 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.521717 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=59239 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.610665 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59240 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:13.740150 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=59241 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:14.073657 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59242 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:14.195798 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=59243 DF PROTO=TCP 
SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:15.001565 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59244 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:15.095772 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=59245 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:16.842622 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=59246 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:16.857705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=59247 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:18.213174 osdx file_operation.py[17849]: Operation aborted by user. Aug 20 09:56:18.229431 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. 
Aug 20 09:56:18.269507 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=59248 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Aug 20 09:56:18.269561 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=59249 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
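The Step 6 check above is a single regular expression over the journal dump. The following Python script is an added example, not part of the OSDx documentation or product code: it parses the [POLICY-RULE] DROP ... APPDETECT[...] kernel lines into structured records, counts drops per detector and host, and lists hosts that were dropped although they were not expected to be, which is the question a reviewer of a new drop rule actually wants answered. Its sample input is a handful of journal lines copied from the outputs shown on this page (two www.marca.com lines from this example, one www.google.com line from the earlier custom-dictionary example mixed in to exercise the flagging, and one OSDxCLI line the parser must ignore); the field layout it assumes is the one visible in those lines.

```python
"""Structured parsing of OSDx traffic-policy log lines.

Added example, not part of the OSDx documentation or product code.  It turns
"[<policy>-<rule>] DROP ... APPDETECT[L4:<port> <detector>:<host>]" kernel
journal lines into records, so that the Step 6 regex check can be replaced by
per-host counts and a list of hosts that were dropped unexpectedly.
"""
import re
from collections import Counter

# Sample journal lines copied from the outputs shown on this page: two
# www.marca.com drops from this example, one www.google.com drop from the
# custom-dictionary example, and one OSDxCLI line that the parser must ignore.
SAMPLE_JOURNAL = """\
Aug 20 09:56:13.329947 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=59233 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Aug 20 09:56:13.330058 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=59234 DF PROTO=TCP SPT=443 DPT=41828 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Aug 20 09:55:58.946406 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:34:fc:e3:14:74:08:00 SRC=142.251.31.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=20085 PROTO=TCP SPT=80 DPT=47980 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Aug 20 09:56:18.229431 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
"""

# "<timestamp> <node> kernel: [<policy>-<rule>] <verdict> <netfilter fields>"
# optionally followed by " APPDETECT[...]" (present only when the flow was classified).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) (?P<node>\S+) kernel: "
    r"\[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<verdict>[A-Z]+) (?P<fields>.*?)"
    r"(?: APPDETECT\[(?P<appdetect>[^\]]*)\])?$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter KEY=VALUE tokens (OUT= may be empty)


def parse_drop_line(line):
    """Parse one policy log line into a dict; return None for any other journal line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(KV_RE.findall(m["fields"]))
    flags = [tok for tok in m["fields"].split() if "=" not in tok]  # DF, ACK, PSH, FIN, ...
    app = {"l4": None, "detector": None, "host": None}
    if m["appdetect"] is not None:
        for tok in m["appdetect"].split():
            key, _, value = tok.partition(":")
            if key == "L4":
                app["l4"] = int(value)  # server-side port the classifier used
            else:
                app["detector"], app["host"] = key, value  # e.g. ssl-host / http-host
    return {
        "ts": m["ts"], "policy": m["policy"], "rule": int(m["rule"]),
        "verdict": m["verdict"], "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
        "flags": flags, "app": app,
    }


def parse_journal(journal_text):
    """All policy log records in a journal dump, in order."""
    return [rec for rec in map(parse_drop_line, journal_text.splitlines()) if rec]


def count_drops(journal_text):
    """Dropped packets per (policy, rule, detector, host)."""
    counts = Counter()
    for rec in parse_journal(journal_text):
        if rec["verdict"] == "DROP":
            counts[(rec["policy"], rec["rule"], rec["app"]["detector"], rec["app"]["host"])] += 1
    return counts


def unexpected_drops(journal_text, expected_hosts):
    """Hosts the policy dropped that are not in expected_hosts.

    A non-empty result means the selector matched more than the test intended
    (or the classifier reported the host under a different name)."""
    return sorted({host for (_, _, _, host) in count_drops(journal_text)
                   if host not in expected_hosts})


def step6_check(journal_text):
    """Structured equivalent of the Step 6 regex: at least one DROP classified as
    ssl-host www.marca.com on TCP port 443."""
    return any(rec["verdict"] == "DROP" and rec["app"]["l4"] == 443
               and rec["app"]["detector"] == "ssl-host"
               and rec["app"]["host"] == "www.marca.com"
               for rec in parse_journal(journal_text))


if __name__ == "__main__":
    for key, n in sorted(count_drops(SAMPLE_JOURNAL).items()):
        print(f"{key[0]}-{key[1]} {key[2]}:{key[3]} dropped {n} packet(s)")
    print("step 6 check:", step6_check(SAMPLE_JOURNAL))
    print("unexpected:", unexpected_drops(SAMPLE_JOURNAL, {"www.marca.com"}))
```

Run against a real dump with `system journal show | cat` saved to a file and `unexpected_drops(text, {"www.marca.com"})` should come back empty for this scenario; on the mixed sample it returns www.google.com, which is exactly the kind of over-broad match the selector review is meant to catch.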