App Id
The following scenario shows how to filter packets based on app-id using traffic selectors.
Match Traffic by a custom dictionary
Description
This example illustrates how to match all traffic in a custom dictionary
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns resolver name-server 10.215.168.1 set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1 set system conntrack app-detect http-host set system conntrack app-detect ssl-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system traffic policy in POL set traffic policy POL rule 1 log app-id set traffic policy POL rule 1 selector SEL set traffic selector SEL rule 1 app-id custom -1 set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms
Step 3: Ping IP address teldat.es from DUT0:
admin@DUT0$ ping teldat.es count 1 size 56 timeout 1Show output
PING teldat.es (82.223.148.162) 56(84) bytes of data. 64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=42 time=12.1 ms --- teldat.es ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 12.050/12.050/12.050/0.000 ms
Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 243 100 243 0 0 883 0 --:--:-- --:--:-- --:--:-- 883
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]Show output
May 13 13:44:46.338544 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.3M free. May 13 13:44:46.342180 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:44:46.342259 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:44:46.348772 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:44:46.769062 osdx osdx-coredump[7193]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:44:46.777045 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:44:47.320032 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:47.392808 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:44:47.499231 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:44:47.555110 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:44:47.659523 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'. May 13 13:44:47.723725 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:44:47.870415 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. May 13 13:44:47.927460 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. May 13 13:44:48.025703 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:44:48.126330 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:44:48.191987 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:44:48.291681 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:44:48.367125 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:44:48.472386 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:44:48.543580 osdx ubnt-cfgd[7221]: inactive May 13 13:44:48.579745 osdx INFO[7243]: FRR daemons did not change May 13 13:44:48.726162 osdx kernel: app-detect: module init May 13 13:44:48.726228 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:44:48.726247 osdx kernel: app-detect: expression init May 13 13:44:48.726260 osdx kernel: app-detect: appid cache initialized May 13 13:44:48.726272 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:44:49.055072 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:44:49.067503 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:44:49.087964 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:44:49.253589 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 13:44:49.606830 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'. May 13 13:44:49.794473 osdx file_operation[7487]: using src url: https://teldat.es dst url: running://index.html May 13 13:44:50.011017 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19713 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011178 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19714 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011287 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19715 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011364 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=19716 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011867 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19718 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011932 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=19719 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.040396 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=19720 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.069898 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=19721 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=19722 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094221 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19723 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094231 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19724 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.099382 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 845 0 845 0 0 176k 0 --:--:-- --:--:-- --:--:-- 206k
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]Show output
May 13 13:44:46.338544 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.3M free. May 13 13:44:46.342180 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:44:46.342259 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:44:46.348772 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:44:46.769062 osdx osdx-coredump[7193]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:44:46.777045 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:44:47.320032 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:47.392808 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:44:47.499231 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:44:47.555110 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:44:47.659523 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'. May 13 13:44:47.723725 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:44:47.870415 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. May 13 13:44:47.927460 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. May 13 13:44:48.025703 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:44:48.126330 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:44:48.191987 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:44:48.291681 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:44:48.367125 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:44:48.472386 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:44:48.543580 osdx ubnt-cfgd[7221]: inactive May 13 13:44:48.579745 osdx INFO[7243]: FRR daemons did not change May 13 13:44:48.726162 osdx kernel: app-detect: module init May 13 13:44:48.726228 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:44:48.726247 osdx kernel: app-detect: expression init May 13 13:44:48.726260 osdx kernel: app-detect: appid cache initialized May 13 13:44:48.726272 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:44:49.055072 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:44:49.067503 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:44:49.087964 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:44:49.253589 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 13:44:49.606830 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'. May 13 13:44:49.794473 osdx file_operation[7487]: using src url: https://teldat.es dst url: running://index.html May 13 13:44:50.011017 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19713 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011178 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19714 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011287 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19715 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011364 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=19716 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011867 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=19718 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.011932 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=19719 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.040396 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=19720 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.069898 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=19721 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=19722 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094221 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19723 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.094231 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=19724 DF PROTO=TCP SPT=443 DPT=39970 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es] May 13 13:44:50.099382 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'. May 13 13:44:50.192341 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal show | cat'. May 13 13:44:50.400214 osdx file_operation[7509]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html May 13 13:44:50.406166 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29172 DF PROTO=TCP SPT=80 DPT=56262 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1] May 13 13:44:50.406241 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1064 TOS=0x00 PREC=0x00 TTL=64 ID=29173 DF PROTO=TCP SPT=80 DPT=56262 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1] May 13 13:44:50.410165 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29174 DF PROTO=TCP SPT=80 DPT=56262 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1] May 13 13:44:50.426970 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Match Traffic by an engine dictionary
Description
This example illustrates how to match all traffic in an engine dictionary
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns resolver name-server 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system traffic policy in POL set traffic policy POL rule 1 log app-id set traffic policy POL rule 1 selector SEL set traffic selector SEL rule 1 app-id detected set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.208 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1Show output
PING www.google.com (142.250.179.196) 56(84) bytes of data. 64 bytes from ams15s42-in-f4.1e100.net (142.250.179.196): icmp_seq=1 ttl=105 time=32.0 ms --- www.google.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 31.978/31.978/31.978/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 68181 100 68181 0 0 11.0M 0 --:--:-- --:--:-- --:--:-- 13.0M
Step 5: Modify the following configuration lines in DUT0 :
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz' set system conntrack app-detect http-host set system conntrack app-detect ssl-host
Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 18275 0 18275 0 0 62198 0 --:--:-- --:--:-- --:--:-- 62372
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]Show output
May 13 13:44:56.306285 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.3M free. May 13 13:44:56.308501 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:44:56.308556 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:44:56.317233 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:44:56.639805 osdx osdx-coredump[7769]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:44:56.650269 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:44:57.243522 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:57.355849 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:44:57.427483 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:44:57.547253 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:44:57.651718 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'. May 13 13:44:57.759994 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:44:57.883172 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:44:57.987954 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:44:58.065426 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:44:58.171143 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:44:58.283923 osdx ubnt-cfgd[7793]: inactive May 13 13:44:58.323254 osdx INFO[7815]: FRR daemons did not change May 13 13:44:58.653812 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:44:58.669220 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:44:58.699995 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:44:58.871890 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 13:44:59.393471 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. May 13 13:44:59.532045 osdx file_operation[8025]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz May 13 13:44:59.562968 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. May 13 13:44:59.720781 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:59.783959 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. May 13 13:44:59.883962 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:44:59.983810 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:45:00.071513 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show changes'. May 13 13:45:00.179866 osdx ubnt-cfgd[8042]: inactive May 13 13:45:00.201510 osdx INFO[8048]: FRR daemons did not change May 13 13:45:00.368534 osdx kernel: app-detect: module init May 13 13:45:00.368623 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:45:00.368647 osdx kernel: app-detect: expression init May 13 13:45:00.368669 osdx kernel: app-detect: appid cache initialized May 13 13:45:00.368703 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:45:00.594919 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:00.596768 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:00.623686 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:00.858348 osdx file_operation[8101]: using src url: https://www.google.com dst url: running://index.html May 13 13:45:01.015278 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56180 PROTO=TCP SPT=443 DPT=48166 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020495 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56181 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020531 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56182 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020540 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1512 TOS=0x00 PREC=0x00 TTL=111 ID=56183 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.085437 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56185 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.088518 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=56186 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.088568 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=56187 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.096502 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56188 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.136870 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1041 TOS=0x00 PREC=0x00 TTL=111 ID=56189 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137006 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56190 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137022 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56191 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137033 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56192 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137044 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56193 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152534 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56194 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152683 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56195 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152698 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=111 ID=56196 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152718 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56198 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152730 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56199 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152757 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56200 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152770 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56201 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152782 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=111 ID=56202 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152795 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=122 TOS=0x00 PREC=0x00 TTL=111 ID=56204 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152806 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56205 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.173894 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'. May 13 13:45:01.192448 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56206 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.192698 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56207 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 962 0 962 0 0 164k 0 --:--:-- --:--:-- --:--:-- 187k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]Show output
May 13 13:44:56.306285 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.3M free. May 13 13:44:56.308501 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:44:56.308556 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:44:56.317233 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:44:56.639805 osdx osdx-coredump[7769]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:44:56.650269 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:44:57.243522 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:57.355849 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:44:57.427483 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:44:57.547253 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:44:57.651718 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'. May 13 13:44:57.759994 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:44:57.883172 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:44:57.987954 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:44:58.065426 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:44:58.171143 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:44:58.283923 osdx ubnt-cfgd[7793]: inactive May 13 13:44:58.323254 osdx INFO[7815]: FRR daemons did not change May 13 13:44:58.653812 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:44:58.669220 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:44:58.699995 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:44:58.871890 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 13:44:59.393471 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. May 13 13:44:59.532045 osdx file_operation[8025]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz May 13 13:44:59.562968 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. May 13 13:44:59.720781 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:44:59.783959 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. May 13 13:44:59.883962 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:44:59.983810 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:45:00.071513 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show changes'. May 13 13:45:00.179866 osdx ubnt-cfgd[8042]: inactive May 13 13:45:00.201510 osdx INFO[8048]: FRR daemons did not change May 13 13:45:00.368534 osdx kernel: app-detect: module init May 13 13:45:00.368623 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:45:00.368647 osdx kernel: app-detect: expression init May 13 13:45:00.368669 osdx kernel: app-detect: appid cache initialized May 13 13:45:00.368703 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:45:00.594919 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:00.596768 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:00.623686 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:00.858348 osdx file_operation[8101]: using src url: https://www.google.com dst url: running://index.html May 13 13:45:01.015278 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56180 PROTO=TCP SPT=443 DPT=48166 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020495 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56181 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020531 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56182 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.020540 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1512 TOS=0x00 PREC=0x00 TTL=111 ID=56183 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.085437 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56185 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.088518 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=56186 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.088568 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=56187 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.096502 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56188 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.136870 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1041 TOS=0x00 PREC=0x00 TTL=111 ID=56189 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137006 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56190 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137022 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56191 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137033 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56192 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.137044 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56193 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152534 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56194 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152683 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56195 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152698 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=111 ID=56196 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152718 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56198 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152730 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56199 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152757 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56200 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152770 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=56201 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152782 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=2708 TOS=0x00 PREC=0x00 TTL=111 ID=56202 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152795 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=122 TOS=0x00 PREC=0x00 TTL=111 ID=56204 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.152806 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56205 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.173894 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'. May 13 13:45:01.192448 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56206 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.192698 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=56207 PROTO=TCP SPT=443 DPT=48166 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com] May 13 13:45:01.322810 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal show | cat'. May 13 13:45:01.510669 osdx file_operation[8123]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html May 13 13:45:01.520507 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47550 DF PROTO=TCP SPT=80 DPT=58472 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1] May 13 13:45:01.520571 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1181 TOS=0x00 PREC=0x00 TTL=64 ID=47551 DF PROTO=TCP SPT=80 DPT=58472 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1] May 13 13:45:01.520584 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47552 DF PROTO=TCP SPT=80 DPT=58472 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1] May 13 13:45:01.537121 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns resolver name-server 10.215.168.1 set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1 set system conntrack app-detect http-host set system conntrack app-detect ssl-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system traffic policy in POL set traffic policy POL rule 1 action drop set traffic policy POL rule 1 log app-id set traffic policy POL rule 1 selector SEL set traffic selector SEL rule 1 app-id detected set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1Show output
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data. 64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=4.98 ms --- unidadeditorial.map.fastly.net ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 4.975/4.975/4.975/0.000 ms
Step 3: Ping IP address www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1Show output
PING www.google.com (142.250.179.196) 56(84) bytes of data. 64 bytes from ams15s42-in-f4.1e100.net (142.250.179.196): icmp_seq=1 ttl=105 time=38.6 ms --- www.google.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 38.620/38.620/38.620/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]Show output
May 13 13:45:07.379788 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.2M free. May 13 13:45:07.381840 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:45:07.381913 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:45:07.397657 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:45:07.971196 osdx osdx-coredump[8386]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:45:07.984319 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:45:08.564850 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:45:08.671675 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:45:08.743717 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:45:08.859559 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:45:08.916579 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. May 13 13:45:09.024731 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. May 13 13:45:09.086173 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:45:09.208771 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. May 13 13:45:09.276739 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. May 13 13:45:09.375126 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:45:09.490048 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:45:09.563017 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:45:09.661614 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:45:09.763266 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:45:09.882038 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:45:09.961920 osdx ubnt-cfgd[8415]: inactive May 13 13:45:09.998673 osdx INFO[8437]: FRR daemons did not change May 13 13:45:10.149812 osdx kernel: app-detect: module init May 13 13:45:10.149866 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:45:10.149875 osdx kernel: app-detect: expression init May 13 13:45:10.149883 osdx kernel: app-detect: appid cache initialized May 13 13:45:10.149891 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:45:10.482957 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:10.494314 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:10.533655 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:10.867185 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. May 13 13:45:11.035813 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. May 13 13:45:11.191481 osdx file_operation[8678]: using src url: https://www.marca.com dst url: running://index.html May 13 13:45:11.222742 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33045 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225367 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33046 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225524 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33047 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225681 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33048 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225914 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=33049 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.269583 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=33050 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.420901 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33051 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.496787 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33052 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.630512 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33053 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.944806 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33054 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.061819 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33055 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.832735 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33056 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.921982 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33057 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:14.628428 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33058 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:14.629218 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33059 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.164438 osdx file_operation.py[8678]: Operation aborted by user. May 13 13:45:16.177812 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33060 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.177864 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33061 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.181172 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]Show output
May 13 13:45:07.379788 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.2M free. May 13 13:45:07.381840 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:45:07.381913 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:45:07.397657 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:45:07.971196 osdx osdx-coredump[8386]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:45:07.984319 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:45:08.564850 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:45:08.671675 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:45:08.743717 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:45:08.859559 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:45:08.916579 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. May 13 13:45:09.024731 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'. May 13 13:45:09.086173 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:45:09.208771 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'. May 13 13:45:09.276739 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'. May 13 13:45:09.375126 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:45:09.490048 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:45:09.563017 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:45:09.661614 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:45:09.763266 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:45:09.882038 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:45:09.961920 osdx ubnt-cfgd[8415]: inactive May 13 13:45:09.998673 osdx INFO[8437]: FRR daemons did not change May 13 13:45:10.149812 osdx kernel: app-detect: module init May 13 13:45:10.149866 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:45:10.149875 osdx kernel: app-detect: expression init May 13 13:45:10.149883 osdx kernel: app-detect: appid cache initialized May 13 13:45:10.149891 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:45:10.482957 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:10.494314 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:10.533655 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:10.867185 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. May 13 13:45:11.035813 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'. May 13 13:45:11.191481 osdx file_operation[8678]: using src url: https://www.marca.com dst url: running://index.html May 13 13:45:11.222742 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33045 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225367 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33046 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225524 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33047 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225681 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33048 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.225914 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=33049 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.269583 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=33050 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.420901 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33051 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.496787 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33052 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.630512 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33053 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:11.944806 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33054 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.061819 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33055 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.832735 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33056 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:12.921982 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33057 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:14.628428 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33058 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:14.629218 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33059 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.164438 osdx file_operation.py[8678]: Operation aborted by user. May 13 13:45:16.177812 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33060 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.177864 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=33061 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:16.181172 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. May 13 13:45:16.406157 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal show | cat'. May 13 13:45:16.585994 osdx file_operation[8698]: using src url: http://www.google.com dst url: running://index.html May 13 13:45:16.962203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=33211 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.002658 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33212 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.002997 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33213 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.003396 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33214 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.003980 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33215 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.004709 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33216 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.005727 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33217 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.008040 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33219 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.009856 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33220 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.012103 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33221 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.333923 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=33223 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:17.846055 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=33225 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:18.206996 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=33062 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:18.211431 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=33063 DF PROTO=TCP SPT=443 DPT=49014 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:20.888279 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=111 ID=33229 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] May 13 13:45:21.521445 osdx file_operation.py[8698]: Operation aborted by user. May 13 13:45:21.540957 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. May 13 13:45:21.597830 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=142.250.179.196 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=33230 PROTO=TCP SPT=80 DPT=54852 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns resolver name-server 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1Show output
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data. 64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=48 time=31.7 ms --- unidadeditorial.map.fastly.net ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 31.665/31.665/31.665/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 68181 100 68181 0 0 10.4M 0 --:--:-- --:--:-- --:--:-- 10.8M
Step 5: Modify the following configuration lines in DUT0 :
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz' set system conntrack app-detect http-host set system conntrack app-detect ssl-host set system traffic policy in POL set traffic policy POL rule 1 action drop set traffic policy POL rule 1 log app-id set traffic policy POL rule 1 selector SEL set traffic selector SEL rule 1 app-id detected set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]Show output
May 13 13:45:27.343463 osdx systemd-journald[1688]: Runtime Journal (/run/log/journal/78d6c860b8a549a191d002c20b18506e) is 2.0M, max 15.3M, 13.2M free. May 13 13:45:27.346491 osdx systemd-journald[1688]: Received client request to rotate journal, rotating. May 13 13:45:27.346538 osdx systemd-journald[1688]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78d6c860b8a549a191d002c20b18506e. May 13 13:45:27.352759 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 13 13:45:27.779737 osdx osdx-coredump[8950]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 13:45:27.787409 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 13 13:45:28.346664 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:45:28.462328 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 13:45:28.519133 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'. May 13 13:45:28.641004 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 13:45:28.724217 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 13 13:45:28.822811 osdx ubnt-cfgd[8969]: inactive May 13 13:45:28.842093 osdx INFO[8977]: FRR daemons did not change May 13 13:45:28.978088 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:28.989778 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:29.006759 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:29.173911 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 13:45:29.357066 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'. May 13 13:45:29.527481 osdx file_operation[9167]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz May 13 13:45:29.554830 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'. May 13 13:45:29.729302 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 13 13:45:29.802274 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system traffic policy in POL'. May 13 13:45:29.930342 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'. May 13 13:45:30.014326 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'. May 13 13:45:30.117904 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. May 13 13:45:30.194908 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'. May 13 13:45:30.319965 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'. May 13 13:45:30.393520 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'. May 13 13:45:30.550466 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'. May 13 13:45:30.624372 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'. May 13 13:45:30.690416 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'. May 13 13:45:30.820047 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show changes'. May 13 13:45:30.910785 osdx ubnt-cfgd[9194]: inactive May 13 13:45:30.947152 osdx INFO[9214]: FRR daemons did not change May 13 13:45:31.086498 osdx kernel: app-detect: module init May 13 13:45:31.086559 osdx kernel: app-detect: registered: sysctl net.appdetect May 13 13:45:31.086573 osdx kernel: app-detect: expression init May 13 13:45:31.086585 osdx kernel: app-detect: appid cache initialized May 13 13:45:31.086597 osdx kernel: app-detect: appid cache changes counter initialized May 13 13:45:31.448029 osdx cfgd[1466]: [2678]Completed change to active configuration May 13 13:45:31.450848 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 13 13:45:31.471685 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 13 13:45:31.695982 osdx file_operation[9286]: using src url: https://www.marca.com dst url: running://index.html May 13 13:45:31.810485 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=43875 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:31.933415 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=43879 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:32.018915 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=43880 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:32.198103 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=43881 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:32.739557 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=43883 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:32.757530 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=43884 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:33.741357 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=43885 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:33.814332 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=43886 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:35.713849 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=43887 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:35.938155 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=43888 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:36.687990 osdx file_operation.py[9286]: Operation aborted by user. May 13 13:45:36.707440 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. May 13 13:45:36.804919 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=43889 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] May 13 13:45:36.806494 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:08:ee:a6:7f:55:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=43890 DF PROTO=TCP SPT=443 DPT=41422 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]