App Id

The following scenarios show how to filter packets based on app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic in a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (74.125.128.103) 56(84) bytes of data.
64 bytes from ec-in-f103.1e100.net (74.125.128.103): icmp_seq=1 ttl=96 time=37.6 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.634/37.634/37.634/0.000 ms

Step 4: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18422    0 18422    0     0   100k      0 --:--:-- --:--:-- --:--:--  101k

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:www.google.com\]
Oct 20 15:42:07.329612 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:07.331614 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:07.331662 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:07.339527 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:07.550714 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:07.775409 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:07.842318 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:07.941229 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:07.997898 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:08.088135 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Oct 20 15:42:08.141995 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:08.248134 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Oct 20 15:42:08.310997 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Oct 20 15:42:08.405676 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:08.464746 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:08.565442 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:08.627201 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:08.764375 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:08.833170 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:08.924087 osdx ubnt-cfgd[302571]: inactive
Oct 20 15:42:08.964382 osdx INFO[302593]: FRR daemons did not change
Oct 20 15:42:09.127626 osdx kernel: app-detect: module init
Oct 20 15:42:09.127673 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:09.127683 osdx kernel: app-detect: expression init
Oct 20 15:42:09.127695 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:09.127703 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:09.167622 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:09.444593 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:09.455938 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:09.477639 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:09.635624 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 15:42:09.863837 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Oct 20 15:42:10.008036 osdx file_operation[302837]: using src url: https://www.google.com dst url: running://index.html
Oct 20 15:42:10.099318 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63669 PROTO=TCP SPT=443 DPT=52228 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100176 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63670 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100257 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63671 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100350 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=111 ID=63672 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.138354 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=63673 PROTO=TCP SPT=443 DPT=52228 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.139292 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=63674 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.178813 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1035 TOS=0x00 PREC=0x00 TTL=111 ID=63675 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179061 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63676 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179167 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63677 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179277 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63678 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179487 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63679 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.180313 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63680 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.180432 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63681 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.182236 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63682 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.182443 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63683 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.183895 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63684 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.184015 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63685 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.185688 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63686 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.185814 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63687 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.187490 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=670 TOS=0x00 PREC=0x00 TTL=111 ID=63689 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.187503 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63688 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.206568 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Oct 20 15:42:10.231618 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63690 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.231665 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63691 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.google.com]

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1086    0  1086    0     0  16226      0 --:--:-- --:--:-- --:--:-- 16454

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]
Oct 20 15:42:07.329612 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:07.331614 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:07.331662 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:07.339527 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:07.550714 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:07.775409 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:07.842318 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:07.941229 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:07.997898 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:08.088135 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Oct 20 15:42:08.141995 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:08.248134 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Oct 20 15:42:08.310997 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Oct 20 15:42:08.405676 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:08.464746 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:08.565442 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:08.627201 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:08.764375 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:08.833170 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:08.924087 osdx ubnt-cfgd[302571]: inactive
Oct 20 15:42:08.964382 osdx INFO[302593]: FRR daemons did not change
Oct 20 15:42:09.127626 osdx kernel: app-detect: module init
Oct 20 15:42:09.127673 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:09.127683 osdx kernel: app-detect: expression init
Oct 20 15:42:09.127695 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:09.127703 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:09.167622 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:09.444593 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:09.455938 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:09.477639 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:09.635624 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 15:42:09.863837 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Oct 20 15:42:10.008036 osdx file_operation[302837]: using src url: https://www.google.com dst url: running://index.html
Oct 20 15:42:10.099318 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63669 PROTO=TCP SPT=443 DPT=52228 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100176 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63670 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100257 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63671 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100350 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=111 ID=63672 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.138354 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=63673 PROTO=TCP SPT=443 DPT=52228 WINDOW=1049 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.139292 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=63674 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.178813 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1035 TOS=0x00 PREC=0x00 TTL=111 ID=63675 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179061 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63676 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179167 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63677 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179277 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63678 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.179487 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63679 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.180313 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63680 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.180432 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63681 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.182236 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63682 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.182443 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63683 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.183895 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63684 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.184015 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63685 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.185688 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63686 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.185814 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63687 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.187490 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=670 TOS=0x00 PREC=0x00 TTL=111 ID=63689 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.187503 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=111 ID=63688 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.206568 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Oct 20 15:42:10.231618 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63690 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.231665 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=63691 PROTO=TCP SPT=443 DPT=52228 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.320659 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 20 15:42:10.529910 osdx file_operation[302859]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Oct 20 15:42:10.535629 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=56086 DF PROTO=TCP SPT=80 DPT=35296 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Oct 20 15:42:10.597243 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1305 TOS=0x00 PREC=0x00 TTL=64 ID=56087 DF PROTO=TCP SPT=80 DPT=35296 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Oct 20 15:42:10.607627 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=56088 DF PROTO=TCP SPT=80 DPT=35296 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Oct 20 15:42:10.620455 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
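
The journal checks in Steps 5 and 7, as an added example that is not part of the original documentation: a Python parser for the `[POL-1] ... APPDETECT[...]` kernel lines that totals packets per app-id and host, flags tags outside the expected set, and shows that the Step 5 regular expression, whose dots are unescaped, also accepts a look-alike host. The sample journal is constructed (shortened lines plus one made-up line from 192.0.2.7); the function names and the EXPECTED set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: shaped like the journal output above, with MAC/TOS/TTL
# fields dropped for brevity. The last line is made up to exercise the checks.
SAMPLE_JOURNAL = """\
Oct 20 15:42:10.008036 osdx file_operation[302837]: using src url: https://www.google.com dst url: running://index.html
Oct 20 15:42:10.099318 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=74.125.128.147 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=52228 ACK URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.100176 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=74.125.128.147 DST=10.215.168.64 LEN=1452 PROTO=TCP SPT=443 DPT=52228 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:www.google.com]
Oct 20 15:42:10.535629 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=10.215.168.1 DST=10.215.168.64 LEN=52 DF PROTO=TCP SPT=80 DPT=35296 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Oct 20 15:42:10.600000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=192.0.2.7 DST=10.215.168.64 LEN=60 PROTO=TCP SPT=443 DPT=40000 ACK URGP=0 APPDETECT[U:33 ssl-host:wwwXgoogle.com]
"""

# Tags the scenario expects to see, taken from the Step 5 and Step 7 regexes.
EXPECTED = {(33, "ssl-host", "www.google.com"), (34, "http-host", "10.215.168.1")}

# "[POLICY-RULE] ACTION key=value ... APPDETECT[tag:app-id kind:host]"
# The meaning of the leading tag ("U" above) is not stated on the page.
KERNEL_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*) APPDETECT\[(?P<tag>[^:\]]+):(?P<app_id>\d+) "
    r"(?P<kind>[a-z-]+):(?P<host>[^\]]*)\]\s*$"
)


def parse_line(line):
    """Return a dict for a policy log line carrying an APPDETECT tag, else None."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["app_id"] = int(rec["app_id"])
    kv, flags = {}, []
    for tok in rec.pop("fields").split():
        if "=" in tok:                      # key=value pair; value may be empty (OUT=)
            key, value = tok.split("=", 1)
            kv[key] = value
        else:                               # bare flag such as ACK, PSH, FIN, DF
            flags.append(tok)
    rec["kv"], rec["flags"] = kv, flags
    return rec


def summarize(journal_text):
    """Total packets, summed LEN values and distinct flows per (app-id, kind, host)."""
    out = defaultdict(lambda: {"packets": 0, "len_total": 0, "flows": set()})
    for line in journal_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kv = rec["kv"]
        entry = out[(rec["app_id"], rec["kind"], rec["host"])]
        entry["packets"] += 1
        entry["len_total"] += int(kv.get("LEN", 0))
        entry["flows"].add((kv.get("SRC"), kv.get("SPT"), kv.get("DST"), kv.get("DPT")))
    return dict(out)


def unexpected(summary, expected=EXPECTED):
    """Tags present in the journal that the scenario did not anticipate."""
    return sorted(key for key in summary if key not in expected)


def count_matches(journal_text, app_id, kind, host, escape_host):
    """Count lines matching a Step 5 style regex, with the host raw or escaped."""
    h = re.escape(host) if escape_host else host
    pat = re.compile(rf"osdx kernel:.*ACCEPT.*APPDETECT\[U:{app_id} {kind}:{h}\]")
    return sum(1 for line in journal_text.splitlines() if pat.search(line))


if __name__ == "__main__":
    summary = summarize(SAMPLE_JOURNAL)
    for key, entry in sorted(summary.items()):
        print(key, entry["packets"], "packets,", entry["len_total"], "LEN total")
    print("unexpected tags:", unexpected(summary))
    print("raw regex hits:", count_matches(SAMPLE_JOURNAL, 33, "ssl-host", "www.google.com", False))
    print("escaped regex hits:", count_matches(SAMPLE_JOURNAL, 33, "ssl-host", "www.google.com", True))
```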

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic in an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.238 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (74.125.128.106) 56(84) bytes of data.
64 bytes from ec-in-f106.1e100.net (74.125.128.106): icmp_seq=1 ttl=96 time=37.8 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.799/37.799/37.799/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  2339k      0 --:--:-- --:--:-- --:--:-- 2377k

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18548    0 18548    0     0  91497      0 --:--:-- --:--:-- --:--:-- 91821

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Oct 20 15:42:15.341048 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:15.343203 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:15.343249 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:15.353349 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:15.574696 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:15.855480 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:15.960360 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:16.085472 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:16.232322 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:16.299922 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Oct 20 15:42:16.400248 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:16.467168 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:16.567725 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:16.659585 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:16.757406 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:16.819008 osdx ubnt-cfgd[303131]: inactive
Oct 20 15:42:16.857032 osdx INFO[303153]: FRR daemons did not change
Oct 20 15:42:16.879213 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:17.176390 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:17.188382 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:17.205306 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:17.361710 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 15:42:17.537091 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Oct 20 15:42:17.691342 osdx file_operation[303363]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Oct 20 15:42:17.744338 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Oct 20 15:42:17.892189 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:17.960706 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Oct 20 15:42:18.045657 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:18.109068 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:18.218125 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show changes'.
Oct 20 15:42:18.280792 osdx ubnt-cfgd[303380]: inactive
Oct 20 15:42:18.301384 osdx INFO[303386]: FRR daemons did not change
Oct 20 15:42:18.455219 osdx kernel: app-detect: module init
Oct 20 15:42:18.455268 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:18.455278 osdx kernel: app-detect: expression init
Oct 20 15:42:18.455286 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:18.455298 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:18.658840 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:18.660510 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:18.683538 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:18.889323 osdx file_operation[303438]: using src url: https://www.google.com dst url: running://index.html
Oct 20 15:42:18.991441 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29224 PROTO=TCP SPT=443 DPT=46690 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995202 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29225 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995227 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29226 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995236 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=112 ID=29227 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040046 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29228 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040199 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=29230 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040223 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=29229 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.059087 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29231 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.075452 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29232 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083206 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=112 ID=29233 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083241 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29234 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083251 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29235 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083259 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29236 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083273 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29237 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083281 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29238 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29239 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087230 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29240 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087274 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29241 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29242 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091220 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29243 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091242 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29244 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091252 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29245 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.095203 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=2196 TOS=0x00 PREC=0x00 TTL=112 ID=29246 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.114959 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Oct 20 15:42:19.131213 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29248 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1203    0  1203    0     0   203k      0 --:--:-- --:--:-- --:--:--  234k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]

Oct 20 15:42:15.341048 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:15.343203 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:15.343249 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:15.353349 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:15.574696 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:15.855480 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:15.960360 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:16.085472 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:16.232322 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:16.299922 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Oct 20 15:42:16.400248 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:16.467168 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:16.567725 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:16.659585 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:16.757406 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:16.819008 osdx ubnt-cfgd[303131]: inactive
Oct 20 15:42:16.857032 osdx INFO[303153]: FRR daemons did not change
Oct 20 15:42:16.879213 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:17.176390 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:17.188382 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:17.205306 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:17.361710 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 15:42:17.537091 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Oct 20 15:42:17.691342 osdx file_operation[303363]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Oct 20 15:42:17.744338 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Oct 20 15:42:17.892189 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:17.960706 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Oct 20 15:42:18.045657 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:18.109068 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:18.218125 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show changes'.
Oct 20 15:42:18.280792 osdx ubnt-cfgd[303380]: inactive
Oct 20 15:42:18.301384 osdx INFO[303386]: FRR daemons did not change
Oct 20 15:42:18.455219 osdx kernel: app-detect: module init
Oct 20 15:42:18.455268 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:18.455278 osdx kernel: app-detect: expression init
Oct 20 15:42:18.455286 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:18.455298 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:18.658840 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:18.660510 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:18.683538 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:18.889323 osdx file_operation[303438]: using src url: https://www.google.com dst url: running://index.html
Oct 20 15:42:18.991441 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29224 PROTO=TCP SPT=443 DPT=46690 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995202 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29225 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995227 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29226 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:18.995236 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=112 ID=29227 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040046 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29228 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040199 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=29230 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.040223 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=29229 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.059087 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29231 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.075452 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29232 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083206 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1034 TOS=0x00 PREC=0x00 TTL=112 ID=29233 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083241 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29234 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083251 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29235 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083259 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29236 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083273 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29237 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083281 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29238 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.083289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29239 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087230 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29240 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087274 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29241 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.087289 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29242 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091220 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29243 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091242 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29244 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.091252 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29245 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.095203 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=2196 TOS=0x00 PREC=0x00 TTL=112 ID=29246 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.114959 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Oct 20 15:42:19.131213 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29248 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Oct 20 15:42:19.237528 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 20 15:42:19.440559 osdx file_operation[303460]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Oct 20 15:42:19.447205 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3474 DF PROTO=TCP SPT=80 DPT=35308 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Oct 20 15:42:19.447243 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1422 TOS=0x00 PREC=0x00 TTL=64 ID=3475 DF PROTO=TCP SPT=80 DPT=35308 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Oct 20 15:42:19.451211 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3476 DF PROTO=TCP SPT=80 DPT=35308 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Oct 20 15:42:19.469568 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=3.59 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.590/3.590/3.590/0.000 ms

Step 3: Ping www.facebook.es from DUT0:

admin@DUT0$ ping www.facebook.es count 1 size 56 timeout 1
PING star-mini.c10r.facebook.com (57.144.222.1) 56(84) bytes of data.
64 bytes from edge-star-mini-shv-01-ams2.facebook.com (57.144.222.1): icmp_seq=1 ttl=43 time=37.8 ms

--- star-mini.c10r.facebook.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.798/37.798/37.798/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]

Oct 20 15:42:25.299755 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:25.302404 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:25.302449 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:25.312246 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:25.529699 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:25.770700 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:25.832821 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:25.930041 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:25.984804 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:26.082936 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Oct 20 15:42:26.156679 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Oct 20 15:42:26.238053 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:26.305513 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Oct 20 15:42:26.405185 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Oct 20 15:42:26.457122 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:26.554940 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:26.622832 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:26.722358 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:26.802723 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:26.917828 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:26.999959 osdx ubnt-cfgd[303739]: inactive
Oct 20 15:42:27.035132 osdx INFO[303761]: FRR daemons did not change
Oct 20 15:42:27.222420 osdx kernel: app-detect: module init
Oct 20 15:42:27.222524 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:27.222557 osdx kernel: app-detect: expression init
Oct 20 15:42:27.222591 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:27.222630 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:27.278399 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:27.587417 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:27.601176 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:27.622860 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:27.815588 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Oct 20 15:42:28.020409 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.facebook.es count 1 size 56 timeout 1'.
Oct 20 15:42:28.181227 osdx file_operation[304002]: using src url: https://www.marca.com dst url: running://index.html
Oct 20 15:42:28.230048 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=5713 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.230390 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5715 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.230404 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5714 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.234394 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5716 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.234411 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=5717 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.259287 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=5718 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.435103 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5719 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.486525 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5720 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.641390 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5721 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.944457 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5722 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.094444 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5723 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.842126 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5724 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.946647 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5725 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:31.632128 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=5726 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:31.674551 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=5727 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.173041 osdx file_operation.py[304002]: Operation aborted by user.
Oct 20 15:42:33.189058 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Oct 20 15:42:33.218391 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=5728 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.218427 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=5729 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
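
The Python script below is an added example, not part of the original OSDx documentation. It parses the APPDETECT field of the kernel log lines shown in the journal outputs above and checks that ACCEPT lines name a host from the custom dictionary while DROP lines do not. The function names, the substring matching of fqdn entries and the SAMPLE list (lines copied from this page's journal output) are assumptions of the example.

```python
import re
from collections import defaultdict

# Layout of a "log app-id" kernel line, as seen in the journal output on this page:
#   kernel: [POL-1] ACCEPT IN=eth0 ... SRC=a DST=b LEN=n ... APPDETECT[U:6 ssl-host:www.google.com]
LINE_RE = re.compile(
    r"kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*?) APPDETECT\[(?P<app_class>[A-Za-z0-9]+):(?P<app_id>\d+)"
    r"(?: (?P<detector>[a-z-]+):(?P<host>[^\]\s]+))?\]"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Custom dictionary entries from Step 1 (fqdn values only)
DICTIONARY = ["google", "10.215.168.1"]

# Constructed sample: lines copied from the journal outputs on this page
SAMPLE = [
    "Oct 20 15:42:18.683538 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.",
    "Oct 20 15:42:18.991441 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=29224 PROTO=TCP SPT=443 DPT=46690 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]",
    "Oct 20 15:42:18.995202 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=74.125.128.104 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=29225 PROTO=TCP SPT=443 DPT=46690 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]",
    "Oct 20 15:42:19.447205 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3474 DF PROTO=TCP SPT=80 DPT=35308 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    "Oct 20 15:42:28.230048 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=5713 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
    "Oct 20 15:42:28.230390 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5715 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
]


def parse_line(line):
    """Return a dict for an APPDETECT log line, or None for any other journal line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("fields")))
    return {
        "policy": m.group("policy"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "length": int(kv.get("LEN", "0")),
        "app_class": m.group("app_class"),  # "U" or "L4" in this page's logs
        "app_id": int(m.group("app_id")),
        "detector": m.group("detector"),    # "ssl-host" / "http-host", may be None
        "host": m.group("host"),
    }


def summarize(lines):
    """Packets and bytes per (action, app_class:app_id, host)."""
    totals = defaultdict(lambda: [0, 0])
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["action"], f'{ev["app_class"]}:{ev["app_id"]}', ev["host"])
        totals[key][0] += 1
        totals[key][1] += ev["length"]
    return {k: tuple(v) for k, v in totals.items()}


def in_dictionary(host, entries):
    # Assumption: an fqdn entry matches when it is a case-insensitive substring of the host
    return host is not None and any(e.lower() in host.lower() for e in entries)


def audit(lines, entries):
    """Flag logged packets whose verdict contradicts the two scenarios on this page:
    ACCEPT lines should name a dictionary host, DROP lines should not."""
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        listed = in_dictionary(ev["host"], entries)
        if ev["action"] == "DROP" and listed:
            findings.append(("dropped-dictionary-host", ev["host"], ev["src"]))
        elif ev["action"] == "ACCEPT" and not listed:
            findings.append(("accepted-unlisted-host", ev["host"], ev["src"]))
    return findings


if __name__ == "__main__":
    for key, (packets, size) in summarize(SAMPLE).items():
        print(key, packets, "packets", size, "bytes")
    print("findings:", audit(SAMPLE, DICTIONARY))
```

To run it against a live device, save the output of system journal show | cat to a file and pass its lines to summarize() and audit() instead of SAMPLE.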

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.facebook.es\]
Oct 20 15:42:25.299755 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:25.302404 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:25.302449 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:25.312246 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:25.529699 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:25.770700 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:25.832821 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:25.930041 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:25.984804 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:26.082936 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Oct 20 15:42:26.156679 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Oct 20 15:42:26.238053 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:26.305513 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Oct 20 15:42:26.405185 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Oct 20 15:42:26.457122 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:26.554940 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:26.622832 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:26.722358 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:26.802723 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:26.917828 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:26.999959 osdx ubnt-cfgd[303739]: inactive
Oct 20 15:42:27.035132 osdx INFO[303761]: FRR daemons did not change
Oct 20 15:42:27.222420 osdx kernel: app-detect: module init
Oct 20 15:42:27.222524 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:27.222557 osdx kernel: app-detect: expression init
Oct 20 15:42:27.222591 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:27.222630 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:27.278399 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:27.587417 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:27.601176 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:27.622860 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:27.815588 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Oct 20 15:42:28.020409 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.facebook.es count 1 size 56 timeout 1'.
Oct 20 15:42:28.181227 osdx file_operation[304002]: using src url: https://www.marca.com dst url: running://index.html
Oct 20 15:42:28.230048 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=5713 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.230390 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5715 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.230404 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5714 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.234394 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5716 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.234411 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=5717 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.259287 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=5718 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.435103 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5719 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.486525 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5720 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.641390 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5721 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.944457 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5722 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.094444 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5723 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.842126 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=5724 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:29.946647 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=5725 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:31.632128 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=5726 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:31.674551 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=5727 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.173041 osdx file_operation.py[304002]: Operation aborted by user.
Oct 20 15:42:33.189058 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Oct 20 15:42:33.218391 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=5728 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.218427 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=5729 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.417340 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 20 15:42:33.609906 osdx file_operation[304022]: using src url: http://www.facebook.es dst url: running://index.html
Oct 20 15:42:33.711369 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=58186 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:33.834712 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58187 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:33.947827 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=58188 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:34.058269 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58189 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:34.199945 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=58190 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:34.314404 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58191 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:34.715883 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=58192 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:34.803224 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58193 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:35.152228 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=5730 DF PROTO=TCP SPT=443 DPT=35516 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:35.744650 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=58194 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:35.834246 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58195 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:37.755869 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=58196 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:37.818369 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=58197 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:38.569768 osdx file_operation.py[304022]: Operation aborted by user.
Oct 20 15:42:38.591278 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://www.facebook.es running://index.html force'.
Oct 20 15:42:38.622429 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=57.144.222.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=58198 DF PROTO=TCP SPT=80 DPT=52610 WINDOW=261 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.185 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.185/0.185/0.185/0.000 ms

Step 3: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=3.43 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.431/3.431/3.431/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  14.4M      0 --:--:-- --:--:-- --:--:-- 16.2M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Oct 20 15:42:43.327955 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 15:42:43.330245 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 15:42:43.330304 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 15:42:43.339729 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 15:42:43.581860 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 15:42:43.861649 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:43.925695 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 15:42:44.020688 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Oct 20 15:42:44.091403 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 15:42:44.180305 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show working'.
Oct 20 15:42:44.240717 osdx ubnt-cfgd[304283]: inactive
Oct 20 15:42:44.266533 osdx INFO[304291]: FRR daemons did not change
Oct 20 15:42:44.290233 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 15:42:44.395354 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:44.405867 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:44.433371 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:44.582303 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 15:42:44.715298 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Oct 20 15:42:44.846675 osdx file_operation[304481]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Oct 20 15:42:44.871296 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Oct 20 15:42:45.022368 osdx OSDxCLI[223371]: User 'admin' entered the configuration menu.
Oct 20 15:42:45.099078 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Oct 20 15:42:45.189666 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Oct 20 15:42:45.242763 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Oct 20 15:42:45.342099 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Oct 20 15:42:45.413281 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Oct 20 15:42:45.476223 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Oct 20 15:42:45.572236 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Oct 20 15:42:45.634068 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Oct 20 15:42:45.727943 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Oct 20 15:42:45.805245 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Oct 20 15:42:45.906198 osdx OSDxCLI[223371]: User 'admin' added a new cfg line: 'show changes'.
Oct 20 15:42:45.966203 osdx ubnt-cfgd[304508]: inactive
Oct 20 15:42:46.001485 osdx INFO[304528]: FRR daemons did not change
Oct 20 15:42:46.190258 osdx kernel: app-detect: module init
Oct 20 15:42:46.190316 osdx kernel: app-detect: registered: sysctl net.appdetect
Oct 20 15:42:46.190326 osdx kernel: app-detect: expression init
Oct 20 15:42:46.190334 osdx kernel: app-detect: appid cache initialized
Oct 20 15:42:46.190342 osdx kernel: app-detect: appid cache changes counter initialized
Oct 20 15:42:46.555332 osdx cfgd[1655]: [223371]Completed change to active configuration
Oct 20 15:42:46.557725 osdx OSDxCLI[223371]: User 'admin' committed the configuration.
Oct 20 15:42:46.574515 osdx OSDxCLI[223371]: User 'admin' left the configuration menu.
Oct 20 15:42:46.788788 osdx file_operation[304600]: using src url: https://www.marca.com dst url: running://index.html
Oct 20 15:42:46.844055 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=41968 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:46.844146 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=2684 TOS=0x00 PREC=0x00 TTL=52 ID=41969 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:46.844160 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=41971 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:46.844172 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=41972 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:46.928132 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=41973 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:47.057608 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=41974 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:47.176146 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=41975 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:47.290116 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=41976 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:47.664239 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=41977 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:47.769688 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=41978 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:48.648186 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=41979 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:48.697878 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=41980 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:50.553588 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=41981 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:50.632038 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=41982 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:51.757919 osdx file_operation.py[304600]: Operation aborted by user.
Oct 20 15:42:51.773838 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Oct 20 15:42:51.774223 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=41983 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:51.774239 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:2a:20:9a:2e:db:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=41984 DF PROTO=TCP SPT=443 DPT=39578 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
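
The journal checks in Step 5 of the custom-dictionary scenario and Step 6 of the engine-dictionary scenario can be automated. The following is an added example, not part of the OSDx documentation or tooling: it parses the policy log lines, counts drops per detected host, applies the step's regular expression, and flags drops of hosts that contain a custom-dictionary fqdn entry. Assumptions: the sample lines are abridged from the journal format above, the "[POL-1]" prefix is read as policy name plus rule number, and fqdn entries are treated as substring matches.

```python
import re
from collections import Counter

# Constructed sample: lines abridged from the journal format shown above
# (MAC, TOS, TTL, ID and WINDOW fields removed), plus one CLI audit line.
SAMPLE_JOURNAL = """\
Oct 20 15:42:28.230048 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=199.232.193.50 DST=10.215.168.64 LEN=52 DF PROTO=TCP SPT=443 DPT=35516 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:28.234394 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 DF PROTO=TCP SPT=443 DPT=35516 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Oct 20 15:42:33.189058 osdx OSDxCLI[223371]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Oct 20 15:42:33.711369 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=57.144.222.1 DST=10.215.168.64 LEN=52 DF PROTO=TCP SPT=80 DPT=52610 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Oct 20 15:42:38.622429 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=57.144.222.1 DST=10.215.168.64 LEN=52 DF PROTO=TCP SPT=80 DPT=52610 ACK FIN URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
"""

# Assumption: the "[POL-1]" prefix is "<policy name>-<rule number>".
LOG_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*?) APPDETECT\[(?P<appdetect>[^\]]*)\]\s*$"
)


def parse_policy_line(line):
    """Return a dict for one policy log line with an APPDETECT suffix, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"policy": m["policy"], "rule": int(m["rule"]),
           "action": m["action"], "flags": []}
    for tok in m["fields"].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value            # "OUT=" yields an empty string
        else:
            rec["flags"].append(tok)    # DF, ACK, PSH, FIN ...
    # APPDETECT[...] holds space-separated "name:value" pairs.
    rec["appdetect"] = dict(
        pair.split(":", 1) for pair in m["appdetect"].split() if ":" in pair
    )
    return rec


def host_of(rec):
    """Return (detector, hostname) from the http-host/ssl-host entry, if any."""
    for detector in ("http-host", "ssl-host"):
        if detector in rec["appdetect"]:
            return detector, rec["appdetect"][detector]
    return None, None


def summarize_drops(journal):
    """Count DROP lines per (detector, host, L4 port)."""
    counts = Counter()
    for line in journal.splitlines():
        rec = parse_policy_line(line)
        if rec and rec["action"] == "DROP":
            detector, host = host_of(rec)
            counts[(detector, host, rec["appdetect"].get("L4"))] += 1
    return counts


def journal_matches(journal, pattern):
    """The step's pass condition: some journal line matches the regex."""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in journal.splitlines())


def dropped_allowlisted_hosts(journal, fqdn_entries):
    """Hosts that were dropped although they contain a dictionary fqdn entry.

    Assumption: an fqdn entry matches as a substring of the detected host.
    """
    hits = set()
    for line in journal.splitlines():
        rec = parse_policy_line(line)
        if rec and rec["action"] == "DROP":
            _, host = host_of(rec)
            if host and any(entry in host for entry in fqdn_entries):
                hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_JOURNAL).items():
        print(n, key)
    print(journal_matches(
        SAMPLE_JOURNAL,
        r"osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.facebook.es\]"))
    print(dropped_allowlisted_hosts(SAMPLE_JOURNAL, ["google", "10.215.168.1"]))
```

A non-empty result from dropped_allowlisted_hosts means the selector is dropping a host the custom dictionary was meant to exempt, which is worth checking before the policy is deployed with action drop.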