App Id

The following scenarios show how to filter packets based on app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic in a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.222 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.222/0.222/0.222/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.36.4) 56(84) bytes of data.
64 bytes from ams15s44-in-f4.1e100.net (142.251.36.4): icmp_seq=1 ttl=107 time=34.4 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 34.394/34.394/34.394/0.000 ms

Step 4: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18822    0 18822    0     0  80931      0 --:--:-- --:--:-- --:--:-- 81129

Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:www.google.com\]

Output:
Nov 25 14:19:52.000183 osdx systemd-timedated[634199]: Changed local time to Tue 2025-11-25 14:19:52 UTC
Nov 25 14:19:52.001563 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'set date 2025-11-25 14:19:52'.
Nov 25 14:19:52.002513 osdx systemd-journald[542263]: Time jumped backwards, rotating.
Nov 25 14:19:52.315809 osdx sudo[644165]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:52.319987 osdx systemd-journald[542263]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.8M, max 13.8M, 11.9M free.
Nov 25 14:19:52.322516 osdx systemd-journald[542263]: Received client request to rotate journal, rotating.
Nov 25 14:19:52.322585 osdx systemd-journald[542263]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 14:19:52.324469 osdx sudo[644164]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:52.332234 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 14:19:52.553533 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 14:19:52.785777 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:19:52.900955 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Nov 25 14:19:52.984024 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Nov 25 14:19:53.098987 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Nov 25 14:19:53.183424 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Nov 25 14:19:53.322275 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Nov 25 14:19:53.394570 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Nov 25 14:19:53.513956 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Nov 25 14:19:53.585649 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Nov 25 14:19:53.663258 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Nov 25 14:19:53.767700 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 14:19:53.849667 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Nov 25 14:19:53.972301 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 14:19:54.074365 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show working'.
Nov 25 14:19:54.151055 osdx ubnt-cfgd[644199]: inactive
Nov 25 14:19:54.194168 osdx INFO[644221]: FRR daemons did not change
Nov 25 14:19:54.374520 osdx kernel: app-detect: module init
Nov 25 14:19:54.374568 osdx kernel: app-detect: registered: sysctl net.appdetect
Nov 25 14:19:54.374578 osdx kernel: app-detect: expression init
Nov 25 14:19:54.374586 osdx kernel: app-detect: appid cache initialized
Nov 25 14:19:54.374594 osdx kernel: app-detect: appid cache changes counter initialized
Nov 25 14:19:54.390626 osdx sudo[644250]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:54.418529 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 14:19:54.723637 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:19:54.735537 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:19:54.767870 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:19:54.907493 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 14:19:55.074100 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Nov 25 14:19:55.154573 osdx sudo[644459]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.222693 osdx file_operation[644462]: using src url: https://www.google.com dst url: running://index.html
Nov 25 14:19:55.341092 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37407 PROTO=TCP SPT=443 DPT=49916 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343078 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37408 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343101 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37409 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343235 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1367 TOS=0x00 PREC=0x00 TTL=113 ID=37410 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.379608 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=37411 PROTO=TCP SPT=443 DPT=49916 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.380374 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=113 ID=37412 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.419312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37413 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.426921 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1047 TOS=0x00 PREC=0x00 TTL=113 ID=37414 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.427010 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37415 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430522 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37416 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430578 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37417 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430592 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37418 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430610 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37419 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430624 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37420 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.432535 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37421 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.432714 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37422 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.436294 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37423 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.436345 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37424 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.438524 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37425 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.442520 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37427 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.442555 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1039 TOS=0x00 PREC=0x00 TTL=113 ID=37428 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.455553 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37426 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.475981 osdx sudo[644470]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.477956 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Nov 25 14:19:55.490575 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37429 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.498522 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37430 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.google.com]

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4352    0  4352    0     0   635k      0 --:--:-- --:--:-- --:--:--  708k

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]

Output:
Nov 25 14:19:52.000183 osdx systemd-timedated[634199]: Changed local time to Tue 2025-11-25 14:19:52 UTC
Nov 25 14:19:52.001563 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'set date 2025-11-25 14:19:52'.
Nov 25 14:19:52.002513 osdx systemd-journald[542263]: Time jumped backwards, rotating.
Nov 25 14:19:52.315809 osdx sudo[644165]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:52.319987 osdx systemd-journald[542263]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.8M, max 13.8M, 11.9M free.
Nov 25 14:19:52.322516 osdx systemd-journald[542263]: Received client request to rotate journal, rotating.
Nov 25 14:19:52.322585 osdx systemd-journald[542263]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 14:19:52.324469 osdx sudo[644164]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:52.332234 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 14:19:52.553533 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 14:19:52.785777 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:19:52.900955 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Nov 25 14:19:52.984024 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Nov 25 14:19:53.098987 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Nov 25 14:19:53.183424 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Nov 25 14:19:53.322275 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Nov 25 14:19:53.394570 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Nov 25 14:19:53.513956 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Nov 25 14:19:53.585649 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Nov 25 14:19:53.663258 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Nov 25 14:19:53.767700 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 14:19:53.849667 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Nov 25 14:19:53.972301 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 14:19:54.074365 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show working'.
Nov 25 14:19:54.151055 osdx ubnt-cfgd[644199]: inactive
Nov 25 14:19:54.194168 osdx INFO[644221]: FRR daemons did not change
Nov 25 14:19:54.374520 osdx kernel: app-detect: module init
Nov 25 14:19:54.374568 osdx kernel: app-detect: registered: sysctl net.appdetect
Nov 25 14:19:54.374578 osdx kernel: app-detect: expression init
Nov 25 14:19:54.374586 osdx kernel: app-detect: appid cache initialized
Nov 25 14:19:54.374594 osdx kernel: app-detect: appid cache changes counter initialized
Nov 25 14:19:54.390626 osdx sudo[644250]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:54.418529 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 14:19:54.723637 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:19:54.735537 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:19:54.767870 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:19:54.907493 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 14:19:55.074100 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Nov 25 14:19:55.154573 osdx sudo[644459]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.222693 osdx file_operation[644462]: using src url: https://www.google.com dst url: running://index.html
Nov 25 14:19:55.341092 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37407 PROTO=TCP SPT=443 DPT=49916 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343078 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37408 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343101 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37409 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343235 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1367 TOS=0x00 PREC=0x00 TTL=113 ID=37410 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.379608 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=37411 PROTO=TCP SPT=443 DPT=49916 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.380374 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=113 ID=37412 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.419312 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37413 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.426921 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1047 TOS=0x00 PREC=0x00 TTL=113 ID=37414 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.427010 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37415 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430522 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37416 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430578 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37417 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430592 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37418 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430610 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37419 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.430624 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37420 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.432535 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37421 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.432714 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37422 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.436294 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37423 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.436345 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37424 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.438524 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37425 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.442520 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37427 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.442555 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1039 TOS=0x00 PREC=0x00 TTL=113 ID=37428 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.455553 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37426 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.475981 osdx sudo[644470]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.477956 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Nov 25 14:19:55.490575 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37429 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.498522 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37430 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.603206 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 25 14:19:55.756378 osdx sudo[644481]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.826642 osdx file_operation[644484]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Nov 25 14:19:55.834516 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=13945 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.834562 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13946 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.834578 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13947 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.834586 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13948 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.834594 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=13949 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.853160 osdx sudo[644491]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:19:55.855416 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Nov 25 14:19:55.870532 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=13950 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
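
An added example, not part of the original page or of the OSDx project: Python that applies the regular expressions from Steps 5 and 7 to journal lines and parses the APPDETECT field to list which hosts were logged under each custom app-id. The field layout is inferred from the log lines above; the EXPECTED_HOSTS map, the function names and CONSTRUCTED_LINE are assumptions made for illustration.

```python
import re
from collections import Counter

# Patterns quoted verbatim from Steps 5 and 7. Their dots are unescaped, so
# "." matches any character; the structured parse below compares hosts literally.
PAGE_PATTERNS = [
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:www.google.com\]",
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]",
]

# Field layout inferred from the log lines on this page (an assumption, not a
# documented grammar):
#   [<policy>-<rule>] <action> ... APPDETECT[<tag>:<app-id> <source>:<host>]
LOG_RE = re.compile(
    r"osdx kernel: \[(?P<policy>\S+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?\bSPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
    r".*?APPDETECT\[(?P<tag>\w+):(?P<app_id>\d+) (?P<source>[\w-]+):(?P<host>[^\]\s]+)\]"
)

# Hypothetical review list: hosts the operator meant each custom app-id to cover.
EXPECTED_HOSTS = {33: {"www.google.com"}, 34: {"10.215.168.1"}}

# Journal lines copied from the output above (a small subset).
SAMPLE_JOURNAL = """\
Nov 25 14:19:55.222693 osdx file_operation[644462]: using src url: https://www.google.com dst url: running://index.html
Nov 25 14:19:55.341092 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=37407 PROTO=TCP SPT=443 DPT=49916 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.343078 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=37408 PROTO=TCP SPT=443 DPT=49916 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Nov 25 14:19:55.834516 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=13945 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.834594 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=13949 DF PROTO=TCP SPT=80 DPT=36446 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Nov 25 14:19:55.855416 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
""".splitlines()

# Constructed line (not from the page), used only to exercise the review path;
# whether the device would log it this way is not stated on the page.
CONSTRUCTED_LINE = (
    "Jan 01 00:00:00.000000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=50000 "
    "APPDETECT[U:33 ssl-host:google.example.net]"
)


def parse_line(line):
    """Return the policy and APPDETECT fields of one kernel log line, or None."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    for key in ("rule", "spt", "dpt", "app_id"):
        record[key] = int(record[key])
    return record


def hosts_by_app_id(lines):
    """Count logged packets per (app_id, source, host)."""
    counts = Counter()
    for line in lines:
        record = parse_line(line)
        if record is not None:
            counts[(record["app_id"], record["source"], record["host"])] += 1
    return counts


def page_patterns_satisfied(lines, patterns=PAGE_PATTERNS):
    """Map each page regex to True if at least one journal line matches it."""
    return {p: any(re.search(p, line) for line in lines) for p in patterns}


def unexpected_hosts(lines, expected=EXPECTED_HOSTS):
    """Return sorted (app_id, source, host) tuples whose host is outside the
    set the operator expected for that app-id."""
    return sorted(
        key for key in hosts_by_app_id(lines)
        if key[2] not in expected.get(key[0], set())
    )


if __name__ == "__main__":
    for key, packets in sorted(hosts_by_app_id(SAMPLE_JOURNAL).items()):
        print(key, packets)
    print(page_patterns_satisfied(SAMPLE_JOURNAL))
    print(unexpected_hosts(SAMPLE_JOURNAL + [CONSTRUCTED_LINE]))
```

Listing the hosts logged under each app-id is a quick way to review what a short dictionary entry such as `fqdn google` actually captures once the policy is live.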

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic in an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.283 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.283/0.283/0.283/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.36.4) 56(84) bytes of data.
64 bytes from ams15s44-in-f4.1e100.net (142.251.36.4): icmp_seq=1 ttl=107 time=34.3 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 34.314/34.314/34.314/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  1160k      0 --:--:-- --:--:-- --:--:-- 1168k

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18838    0 18838    0     0  86432      0 --:--:-- --:--:-- --:--:-- 86811

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]

Output:
Nov 25 14:20:01.000181 osdx systemd-timedated[634199]: Changed local time to Tue 2025-11-25 14:20:01 UTC
Nov 25 14:20:01.001759 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'set date 2025-11-25 14:20:01'.
Nov 25 14:20:01.002733 osdx systemd-journald[542263]: Time jumped backwards, rotating.
Nov 25 14:20:01.383900 osdx sudo[644725]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:01.388035 osdx systemd-journald[542263]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.9M, max 13.8M, 11.8M free.
Nov 25 14:20:01.390746 osdx systemd-journald[542263]: Received client request to rotate journal, rotating.
Nov 25 14:20:01.390810 osdx systemd-journald[542263]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 14:20:01.393348 osdx sudo[644724]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:01.401562 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 14:20:01.406366 osdx CRON[644731]: pam_limits(cron:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:01.784298 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 14:20:02.096818 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:20:02.180565 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Nov 25 14:20:02.328877 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Nov 25 14:20:02.399375 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Nov 25 14:20:02.498687 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Nov 25 14:20:02.568031 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Nov 25 14:20:02.705794 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 14:20:02.790060 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Nov 25 14:20:02.920132 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 14:20:03.054927 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show working'.
Nov 25 14:20:03.137945 osdx ubnt-cfgd[644758]: inactive
Nov 25 14:20:03.187439 osdx INFO[644780]: FRR daemons did not change
Nov 25 14:20:03.214749 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 14:20:03.515990 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:20:03.531011 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:20:03.569721 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:20:03.754979 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 14:20:03.896936 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Nov 25 14:20:03.979320 osdx sudo[644987]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:04.071827 osdx file_operation[644990]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Nov 25 14:20:04.150110 osdx sudo[644997]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:04.156866 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Nov 25 14:20:04.318749 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:20:04.402134 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Nov 25 14:20:04.492506 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Nov 25 14:20:04.570490 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Nov 25 14:20:04.701675 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show changes'.
Nov 25 14:20:04.830570 osdx ubnt-cfgd[645007]: inactive
Nov 25 14:20:04.865408 osdx INFO[645013]: FRR daemons did not change
Nov 25 14:20:05.014749 osdx kernel: app-detect: module init
Nov 25 14:20:05.014818 osdx kernel: app-detect: registered: sysctl net.appdetect
Nov 25 14:20:05.014833 osdx kernel: app-detect: expression init
Nov 25 14:20:05.014852 osdx kernel: app-detect: appid cache initialized
Nov 25 14:20:05.014864 osdx kernel: app-detect: appid cache changes counter initialized
Nov 25 14:20:05.251082 osdx sudo[645049]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:05.256016 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:20:05.258061 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:20:05.285681 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:20:05.495183 osdx sudo[645063]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:05.561455 osdx file_operation[645066]: using src url: https://www.google.com dst url: running://index.html
Nov 25 14:20:05.665254 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15076 PROTO=TCP SPT=443 DPT=42608 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.670737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15077 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.670779 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15078 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.670790 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1366 TOS=0x00 PREC=0x00 TTL=113 ID=15079 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.726844 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15080 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.726923 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15081 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.730780 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=15082 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.730831 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=113 ID=15083 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.772299 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15084 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774748 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1040 TOS=0x00 PREC=0x00 TTL=113 ID=15085 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774810 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15086 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774831 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15087 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774844 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15088 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774856 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15089 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774868 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15090 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.774881 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15091 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778745 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15092 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778790 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15093 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778809 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15094 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778830 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15095 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778843 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15096 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.778855 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15097 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.785292 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=15098 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.785334 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=1055 TOS=0x00 PREC=0x00 TTL=113 ID=15099 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.805304 osdx sudo[645074]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:05.807625 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Nov 25 14:20:05.818854 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15100 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4469    0  4469    0     0   698k      0 --:--:-- --:--:-- --:--:--  727k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Show output
Nov 25 14:20:05.979091 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 25 14:20:06.406003 osdx sudo[645085]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:06.506941 osdx file_operation[645088]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Nov 25 14:20:06.514781 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15962 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.514838 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=15963 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.514867 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=15964 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.514925 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=15965 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.514939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=345 TOS=0x00 PREC=0x00 TTL=64 ID=15966 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.514950 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15967 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:06.533348 osdx sudo[645095]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:20:06.535776 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
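
The journal checks in Steps 7 and 9 can also be run field by field instead of by regular expression. The following Python is an added example, not part of the OSDx documentation: the function names are hypothetical, reading `[POL-1]` as policy name and rule number is an assumption drawn from the configuration, and the last sample line is constructed.

```python
import re
from collections import Counter

# Journal lines copied from the Step 7 and Step 9 output above, plus one
# CONSTRUCTED line (the last) whose host differs from www.google.com by one character.
SAMPLE_JOURNAL = """\
Nov 25 14:20:05.014749 osdx kernel: app-detect: module init
Nov 25 14:20:05.561455 osdx file_operation[645066]: using src url: https://www.google.com dst url: running://index.html
Nov 25 14:20:05.665254 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15076 PROTO=TCP SPT=443 DPT=42608 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:05.818854 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=142.251.36.4 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=15100 PROTO=TCP SPT=443 DPT=42608 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Nov 25 14:20:06.514781 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15962 DF PROTO=TCP SPT=80 DPT=47012 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Nov 25 14:20:07.000000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40000 APPDETECT[U:6 ssl-host:wwwxgoogle.com]
"""

# The two expressions the page checks the journal against, copied verbatim.
PAGE_PATTERNS = [
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]",
    r"osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]",
]

# The same expectations as exact (action, tag, detector, host) tuples.
EXPECTED = {
    ("ACCEPT", "U:6", "ssl-host", "www.google.com"),
    ("ACCEPT", "U:30", "http-host", "10.215.168.1"),
}

# Shape of a policy log line: "[POL-1] ACTION k=v ... APPDETECT[tag detector:host]".
# Treating "POL-1" as <policy>-<rule> is an assumption based on the configuration.
HIT_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*) APPDETECT\[(?P<tag>\S+) (?P<detector>[\w-]+):(?P<host>[^\]\s]+)\]\s*$"
)


def parse_hit(line):
    """Return the parsed policy hit as a dict, or None for unrelated journal lines."""
    m = HIT_RE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    hit["rule"] = int(hit["rule"])
    fields = hit.pop("fields")
    kv = dict(re.findall(r"(\w+)=(\S*)", fields))  # OUT= yields an empty value
    hit["src"], hit["dst"] = kv.get("SRC"), kv.get("DST")
    hit["spt"] = int(kv["SPT"]) if "SPT" in kv else None
    hit["dpt"] = int(kv["DPT"]) if "DPT" in kv else None
    # Bare tokens are flags (DF, ACK, PSH, FIN ...), kept in log order.
    hit["flags"] = [tok for tok in fields.split() if "=" not in tok]
    return hit


def summarize(journal):
    """Count policy hits per (action, tag, detector, host)."""
    counts = Counter()
    for line in journal.splitlines():
        hit = parse_hit(line)
        if hit:
            counts[(hit["action"], hit["tag"], hit["detector"], hit["host"])] += 1
    return counts


def regex_matches(journal, pattern):
    """The page's check: journal lines on which the expression matches."""
    rx = re.compile(pattern)
    return [line for line in journal.splitlines() if rx.search(line)]


def unexpected_hits(journal, expected):
    """Policy hits whose parsed fields are not in the expected set."""
    return sorted(key for key in summarize(journal) if key not in expected)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(n, *key)
    for pattern in PAGE_PATTERNS:
        print(len(regex_matches(SAMPLE_JOURNAL, pattern)), "line(s) match", pattern)
    print("unexpected:", unexpected_hits(SAMPLE_JOURNAL, EXPECTED))
```

The dots in the page's expressions are unescaped, so `www.google.com` also matches the constructed `wwwxgoogle.com` line; comparing the parsed fields exactly reports that line as unexpected.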

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.271 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms

Step 3: Ping hostname www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
Show output
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=290 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 289.758/289.758/289.758/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  10.4M      0 --:--:-- --:--:-- --:--:-- 10.8M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Show output
Nov 25 14:21:06.373234 osdx systemd-journald[542263]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.7M, max 13.8M, 12.0M free.
Nov 25 14:21:06.376504 osdx systemd-journald[542263]: Received client request to rotate journal, rotating.
Nov 25 14:21:06.376554 osdx systemd-journald[542263]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 14:21:06.377177 osdx sudo[645866]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:06.382806 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 14:21:06.623339 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 14:21:06.902963 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:21:06.968924 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 14:21:07.067542 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Nov 25 14:21:07.140116 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 14:21:07.248316 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show working'.
Nov 25 14:21:07.322350 osdx ubnt-cfgd[645892]: inactive
Nov 25 14:21:07.344312 osdx INFO[645900]: FRR daemons did not change
Nov 25 14:21:07.364516 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 14:21:07.478909 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:21:07.492422 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:21:07.515641 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:21:07.690619 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 14:21:08.713594 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Nov 25 14:21:08.802329 osdx sudo[646087]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:08.878709 osdx file_operation[646090]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Nov 25 14:21:08.905910 osdx sudo[646097]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:08.908096 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Nov 25 14:21:09.083370 osdx OSDxCLI[594928]: User 'admin' entered the configuration menu.
Nov 25 14:21:09.151783 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Nov 25 14:21:09.280545 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Nov 25 14:21:09.350272 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Nov 25 14:21:09.473964 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Nov 25 14:21:09.597308 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Nov 25 14:21:09.731110 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Nov 25 14:21:09.842855 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Nov 25 14:21:09.959058 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Nov 25 14:21:10.040481 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Nov 25 14:21:10.140729 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Nov 25 14:21:10.208167 osdx OSDxCLI[594928]: User 'admin' added a new cfg line: 'show changes'.
Nov 25 14:21:10.320858 osdx ubnt-cfgd[646114]: inactive
Nov 25 14:21:10.358303 osdx INFO[646134]: FRR daemons did not change
Nov 25 14:21:10.540517 osdx kernel: app-detect: module init
Nov 25 14:21:10.540572 osdx kernel: app-detect: registered: sysctl net.appdetect
Nov 25 14:21:10.540582 osdx kernel: app-detect: expression init
Nov 25 14:21:10.540597 osdx kernel: app-detect: appid cache initialized
Nov 25 14:21:10.540607 osdx kernel: app-detect: appid cache changes counter initialized
Nov 25 14:21:10.745204 osdx sudo[646171]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:10.925758 osdx cfgd[1655]: [594928]Completed change to active configuration
Nov 25 14:21:10.928117 osdx OSDxCLI[594928]: User 'admin' committed the configuration.
Nov 25 14:21:10.945326 osdx OSDxCLI[594928]: User 'admin' left the configuration menu.
Nov 25 14:21:11.075717 osdx sudo[646205]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:11.140960 osdx file_operation[646208]: using src url: https://www.marca.com dst url: running://index.html
Nov 25 14:21:11.168521 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32235 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.168592 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32236 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.168607 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32237 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.168621 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32238 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.168633 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=32239 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.206306 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=32240 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.359791 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=32241 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.432542 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32242 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.568379 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=32243 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:11.871332 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32244 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:12.003863 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=32245 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:12.775382 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32246 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:12.835906 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=32247 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:14.504272 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=32248 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:14.567267 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=32249 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:16.096437 osdx file_operation.py[646208]: Operation aborted by user.
Nov 25 14:21:16.113882 osdx sudo[646214]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Nov 25 14:21:16.116244 osdx OSDxCLI[594928]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Nov 25 14:21:16.124573 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32250 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:16.124636 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32251 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
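The Step 6 pattern leaves the dots in www.marca.com unescaped, so it also matches host names that differ only at those positions. The following Python sketch is an added example, not part of the OSDx documentation: it parses the [POL-1] kernel lines, counts drops per detected ssl-host, and compares the pattern as written with an escaped one. The function names and the field layout are assumptions inferred from the log lines shown above.

```python
import re
from collections import Counter

# Sample input: lines 1-3 are copied from the journal output above; line 4 is
# constructed (look-alike host, documentation address) to exercise the regex.
SAMPLE = """\
Nov 25 14:21:10.540517 osdx kernel: app-detect: module init
Nov 25 14:21:11.168521 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32235 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:16.124636 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:10:f3:ab:d4:a1:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32251 DF PROTO=TCP SPT=443 DPT=37672 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Nov 25 14:21:20.000000 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40000 APPDETECT[L4:443 ssl-host:www-marca.com]
"""

# Kernel policy log line: "[POL-1] DROP <fields> APPDETECT[L4:443 ssl-host:<name>]"
LINE_RE = re.compile(
    r"osdx kernel: \[(?P<rule>[^\]]+)\] (?P<action>[A-Z]+) (?P<fields>.*?)"
    r"(?: APPDETECT\[(?P<app>[^\]]*)\])?$")

def parse_policy_line(line):
    """Return a dict for a traffic-policy kernel line, or None for any other line."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    rec = {"rule": m["rule"], "action": m["action"]}
    # KEY=VALUE tokens (SRC, DST, SPT, ...); bare flags such as DF or ACK are skipped.
    rec.update(t.split("=", 1) for t in m["fields"].split() if "=" in t)
    # APPDETECT holds space-separated name:value pairs.
    rec["app"] = dict(t.split(":", 1) for t in (m["app"] or "").split() if ":" in t)
    return rec

def step6_pattern(host, escape=True):
    """Step 6 check for one host; escape=False reproduces the pattern as written."""
    name = re.escape(host) if escape else host
    return re.compile(r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:" + name + r"\]")

def dropped_hosts(lines):
    """Count logged DROP packets per (policy rule, ssl-host)."""
    hits = Counter()
    for rec in filter(None, map(parse_policy_line, lines)):
        if rec["action"] == "DROP":
            hits[(rec["rule"], rec["app"].get("ssl-host", "-"))] += 1
    return hits

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for (rule, host), n in dropped_hosts(lines).items():
        print(f"{rule}: {n} dropped packet(s) for {host}")
    for label, pat in (("as written", step6_pattern("www.marca.com", False)),
                       ("escaped", step6_pattern("www.marca.com"))):
        print(label, sum(bool(pat.search(l)) for l in lines), "matching lines")
```

To run it against a device, save the output of system journal show | cat to a file and pass its lines to dropped_hosts.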