App Id
The following scenarios show how to filter packets by app-id using traffic selectors: the first matches any application detected through a custom dictionary, the second any application detected through an engine dictionary loaded from a file. In both cases the matching rule logs the detected app-id, so the kernel log lines carry an APPDETECT[...] tag that can be checked.
Match Traffic by a custom dictionary
Description
This example shows how to match all traffic whose detected app-id belongs to a custom dictionary. Two custom entries are defined (app-id 33 for hosts matching "teldat", app-id 34 for "10.215.168.1"), host detection is enabled for both HTTP (http-host) and TLS (ssl-host), and the selector uses "app-id custom -1" together with "app-id detected", which matches any detected custom app-id rather than one specific entry.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.231 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms
Step 3: Ping hostname teldat.es from DUT0 (this also confirms that DNS resolution through 10.215.168.1 works):

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1

PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=45 time=11.2 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.189/11.189/11.189/0.000 ms
Step 4: Run command "file copy https://teldat.es running://index.html force" at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   1573      0 --:--:-- --:--:-- --:--:--  1577
Step 5: Run command "system journal show | cat" at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]

Output:
Jun 24 13:55:16.378983 osdx systemd-journald[165652]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free.
Jun 24 13:55:16.380036 osdx systemd-journald[165652]: Received client request to rotate journal, rotating.
Jun 24 13:55:16.380087 osdx systemd-journald[165652]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 13:55:16.384770 osdx sudo[276114]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:16.390927 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 13:55:16.719538 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 13:55:16.988289 osdx OSDxCLI[190401]: User 'admin' entered the configuration menu.
Jun 24 13:55:17.059059 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 24 13:55:17.174062 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 24 13:55:17.273117 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 24 13:55:17.336998 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jun 24 13:55:17.447399 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 24 13:55:17.513827 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 24 13:55:17.612042 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 24 13:55:17.665849 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 24 13:55:17.766430 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 24 13:55:17.827652 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 13:55:17.931653 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 24 13:55:18.000605 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 13:55:18.114647 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'show working'.
Jun 24 13:55:18.192690 osdx ubnt-cfgd[276149]: inactive
Jun 24 13:55:18.232775 osdx INFO[276171]: FRR daemons did not change
Jun 24 13:55:18.388031 osdx kernel: app-detect: module init
Jun 24 13:55:18.388076 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 13:55:18.388086 osdx kernel: app-detect: expression init
Jun 24 13:55:18.388093 osdx kernel: app-detect: appid cache initialized
Jun 24 13:55:18.388101 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 13:55:18.402097 osdx sudo[276200]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:18.424031 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 13:55:18.733388 osdx cfgd[1460]: [190401]Completed change to active configuration
Jun 24 13:55:18.747629 osdx OSDxCLI[190401]: User 'admin' committed the configuration.
Jun 24 13:55:18.773967 osdx OSDxCLI[190401]: User 'admin' left the configuration menu.
Jun 24 13:55:18.933849 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 13:55:19.107690 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jun 24 13:55:19.178017 osdx sudo[276412]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:19.263518 osdx file_operation[276415]: using src url: https://teldat.es dst url: running://index.html
Jun 24 13:55:19.334909 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=42260 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.335018 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=42261 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.336050 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=42262 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.336092 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=45 ID=42264 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.336659 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=68 TOS=0x00 PREC=0x00 TTL=45 ID=42265 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.355852 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1252 TOS=0x00 PREC=0x00 TTL=45 ID=42263 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.379341 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1252 TOS=0x00 PREC=0x00 TTL=45 ID=42266 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.386987 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=45 ID=42267 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.418413 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=45 ID=42268 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.436047 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=42270 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.436119 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=45 ID=42269 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.436134 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=42271 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.440400 osdx sudo[276423]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:19.442681 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Step 6: Run command "file copy http://10.215.168.1/~robot/ running://index.html force" at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1086    0  1086    0     0  34482      0 --:--:-- --:--:-- --:--:-- 35032
Step 7: Run command "system journal show | cat" at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]

Output:
(The journal entries up to the Step 4 file copy are identical to the Step 5 output above and are not repeated here.)
Jun 24 13:55:19.524037 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=42272 DF PROTO=TCP SPT=443 DPT=56012 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 24 13:55:19.545298 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 24 13:55:19.686549 osdx sudo[276434]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:19.753893 osdx file_operation[276437]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 24 13:55:19.760040 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5724 DF PROTO=TCP SPT=80 DPT=43776 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 24 13:55:19.788043 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1305 TOS=0x00 PREC=0x00 TTL=64 ID=5725 DF PROTO=TCP SPT=80 DPT=43776 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 24 13:55:19.805433 osdx sudo[276444]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:19.807906 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Jun 24 13:55:19.816032 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5726 DF PROTO=TCP SPT=80 DPT=43776 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Match Traffic by an engine dictionary
Description
This example shows how to match all traffic whose detected app-id belongs to an engine dictionary. The dictionary is loaded from a file (test_dict.gz, fetched onto the device in Step 4), and the selector uses "app-id engine 128" together with "app-id detected". Note that app-detect is only enabled in Step 5, once the dictionary file is in place, so the pings and the dictionary download in Steps 2 to 4 produce no APPDETECT entries; the HTTPS connection to www.google.com in Step 6 is then tagged with app-id 6 from that dictionary.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.223 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.223/0.223/0.223/0.000 ms
Step 3: Ping hostname www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1

PING www.google.com (142.251.31.99) 56(84) bytes of data.
64 bytes from eq-in-f99.1e100.net (142.251.31.99): icmp_seq=1 ttl=96 time=37.7 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.712/37.712/37.712/0.000 ms
Step 4: Run command "file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force" at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  26.4M      0 --:--:-- --:--:-- --:--:-- 32.5M
Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
Step 6: Run command "file copy https://www.google.com running://index.html force" at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18373    0 18373    0     0  95332      0 --:--:-- --:--:-- --:--:-- 95692
Step 7: Run command "system journal show | cat" at DUT0 and check if the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]

Output:
Jun 24 13:55:25.000197 osdx systemd-timedated[274332]: Changed local time to Tue 2025-06-24 13:55:25 UTC
Jun 24 13:55:25.001882 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'set date 2025-06-24 13:55:25'.
Jun 24 13:55:25.003108 osdx systemd-journald[165652]: Time jumped backwards, rotating.
Jun 24 13:55:25.322077 osdx sudo[276680]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:25.325903 osdx systemd-journald[165652]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 13:55:25.327122 osdx systemd-journald[165652]: Received client request to rotate journal, rotating.
Jun 24 13:55:25.327188 osdx systemd-journald[165652]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 13:55:25.331304 osdx sudo[276679]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:25.338945 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 13:55:25.582925 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 13:55:25.843071 osdx OSDxCLI[190401]: User 'admin' entered the configuration menu.
Jun 24 13:55:25.908194 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 24 13:55:26.057326 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 24 13:55:26.134816 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 24 13:55:26.238192 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jun 24 13:55:26.296473 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 24 13:55:26.400400 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 13:55:26.472633 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 24 13:55:26.597834 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 13:55:26.744080 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'show working'.
Jun 24 13:55:26.840958 osdx ubnt-cfgd[276710]: inactive
Jun 24 13:55:26.890570 osdx INFO[276732]: FRR daemons did not change
Jun 24 13:55:26.915119 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 13:55:27.188324 osdx cfgd[1460]: [190401]Completed change to active configuration
Jun 24 13:55:27.208333 osdx OSDxCLI[190401]: User 'admin' committed the configuration.
Jun 24 13:55:27.236180 osdx OSDxCLI[190401]: User 'admin' left the configuration menu.
Jun 24 13:55:27.402610 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 13:55:27.611900 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 24 13:55:27.683298 osdx sudo[276939]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:27.755689 osdx file_operation[276942]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 24 13:55:27.775661 osdx sudo[276949]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:27.777723 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 24 13:55:27.908724 osdx OSDxCLI[190401]: User 'admin' entered the configuration menu.
Jun 24 13:55:27.974969 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 24 13:55:28.073813 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 24 13:55:28.135829 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 24 13:55:28.244755 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'show changes'.
Jun 24 13:55:28.311949 osdx ubnt-cfgd[276959]: inactive
Jun 24 13:55:28.332469 osdx INFO[276965]: FRR daemons did not change
Jun 24 13:55:28.503112 osdx kernel: app-detect: module init
Jun 24 13:55:28.503175 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 13:55:28.503185 osdx kernel: app-detect: expression init
Jun 24 13:55:28.503193 osdx kernel: app-detect: appid cache initialized
Jun 24 13:55:28.503201 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 13:55:28.690306 osdx sudo[277001]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:28.695149 osdx cfgd[1460]: [190401]Completed change to active configuration
Jun 24 13:55:28.697200 osdx OSDxCLI[190401]: User 'admin' committed the configuration.
Jun 24 13:55:28.718725 osdx OSDxCLI[190401]: User 'admin' left the configuration menu.
Jun 24 13:55:28.856197 osdx sudo[277015]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:28.926432 osdx file_operation[277018]: using src url: https://www.google.com dst url: running://index.html
Jun 24 13:55:29.009749 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64821 PROTO=TCP SPT=443 DPT=49902 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.010662 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64823 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.010700 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=112 ID=64824 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.013792 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64822 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.062023 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64825 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.062220 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=64827 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.062263 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=112 ID=64826 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.069201 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64828 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.106069 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1040 TOS=0x00 PREC=0x00 TTL=112 ID=64830 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.106344 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64831 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.106379 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64832 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.106579 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64834 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.108003 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64836 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.108047 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64835 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.109613 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64837 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.109804 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64838 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.110662 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64833 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.111163 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64839 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.115107 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64840 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.115145 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64842 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.115160 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=621 TOS=0x00 PREC=0x00 TTL=112 ID=64844 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.115173 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64843 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.116545 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64829 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.119670 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=64841 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.137883 osdx sudo[277026]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:29.139636 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 24 13:55:29.163148 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64845 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.171112 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64846 PROTO=TCP SPT=443 DPT=49902 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1203    0  1203    0     0   420k      0 --:--:-- --:--:-- --:--:--  587k
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
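The journal entries checked in the steps above are what a defender parses when auditing an app-id policy. The following is an added example (not part of this page or of OSDx) in Python: it parses the [POL-1] ACCEPT/DROP entries that log app-id writes, groups them per flow and flags any flow whose verdict contradicts a policy meant to pass only dictionary traffic, which is what the drop scenario that follows configures. The sample journal lines are copied from this page; the dictionary matching rule (an entry equals the host or one of its DNS labels) is an assumption, not the OSDx semantics.

```python
"""Parse the `[POL-1] ACCEPT|DROP ... APPDETECT[...]` kernel journal entries written by
`set traffic policy POL rule 1 log app-id`, group them per flow and audit the verdicts
against the custom dictionary.  Added example, not OSDx code: field names follow the
page's journal lines, the APPDETECT bracket is split into its leading tag (`U:6`,
`L4:443`, kept opaque) and the `<kind>:<host>` pair, and the matching rule is assumed."""
import re

# "<ts> <host> kernel: [<policy>-<rule>] <verdict> <key=value and flag tokens>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<host>\S+) kernel: "
    r"\[(?P<policy>[^\]]+)\] (?P<verdict>ACCEPT|DROP) (?P<rest>.*)$"
)
# APPDETECT[<tag> <kind>:<host>], e.g. APPDETECT[U:30 http-host:10.215.168.1]
APPDETECT_RE = re.compile(r"APPDETECT\[(?P<tag>\S+) (?P<kind>[a-z-]+):(?P<host>[^\]]+)\]")

# Custom dictionary 1 from the page's configuration: app-id -> fqdn entry.
CUSTOM_DICTIONARY = {33: "teldat", 34: "10.215.168.1"}

# Constructed sample: three policy entries taken from the page's journal output
# (one per flow, one entry per line) plus one unrelated journal line.
SAMPLE_JOURNAL = """\
Jun 24 13:55:29.009749 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.99 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=64821 PROTO=TCP SPT=443 DPT=49902 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 24 13:55:29.137883 osdx sudo[277026]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:29.495173 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1422 TOS=0x00 PREC=0x00 TTL=64 ID=14956 DF PROTO=TCP SPT=80 DPT=38346 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 24 13:55:37.694229 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=11880 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
"""

def parse_entry(line):
    """Return a dict for one policy log entry, or None for any other journal line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rest = m["rest"]
    app = APPDETECT_RE.search(rest)
    if app:
        rest = rest[:app.start()] + rest[app.end():]  # the bracket contains a space
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" yields an empty value
            fields[key] = val
        else:
            flags.add(tok)  # DF, ACK, PSH, FIN, ...
    policy, rule = m["policy"].rsplit("-", 1)
    return {
        "time": m["ts"], "policy": policy, "rule": int(rule), "verdict": m["verdict"],
        "proto": fields.get("PROTO"), "src": fields.get("SRC"), "dst": fields.get("DST"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "len": int(fields.get("LEN", 0)), "flags": flags,
        "app_tag": app["tag"] if app else None,
        "host_kind": app["kind"] if app else None,
        "app_host": app["host"] if app else None,
    }

def summarize_flows(journal_text):
    """Group entries by 5-tuple; tally verdicts, packets, bytes and detected hosts."""
    flows = {}
    for line in journal_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        key = (e["proto"], e["src"], e["spt"], e["dst"], e["dpt"])
        f = flows.setdefault(key, {"verdicts": set(), "packets": 0, "bytes": 0, "hosts": set()})
        f["verdicts"].add(e["verdict"])
        f["packets"] += 1
        f["bytes"] += e["len"]
        if e["app_host"]:
            f["hosts"].add((e["host_kind"], e["app_host"]))
    return flows

def dictionary_app_id(host, dictionary=CUSTOM_DICTIONARY):
    """Custom app-id whose fqdn entry covers `host`, else None.  Assumed rule (this
    example's, not OSDx's): the entry equals the host or is one of its DNS labels,
    so the page's `teldat` entry covers teldat.es."""
    labels = host.split(".")
    for app_id, entry in dictionary.items():
        if entry == host or entry in labels:
            return app_id
    return None

def audit_drop_outside_dictionary(journal_text, dictionary=CUSTOM_DICTIONARY):
    """Check the intent 'only dictionary traffic may pass' (the action drop policy of
    the next scenario): accepted flows must map to an entry, dropped flows must not.
    Returns [(flow_key, reason)] for each flow that contradicts that intent."""
    findings = []
    for key, f in summarize_flows(journal_text).items():
        hosts = sorted(h for _, h in f["hosts"])
        if not hosts:
            findings.append((key, "logged without an APPDETECT host"))
            continue
        listed = any(dictionary_app_id(h, dictionary) is not None for h in hosts)
        if "ACCEPT" in f["verdicts"] and not listed:
            findings.append((key, "accepted, host not in dictionary: " + ", ".join(hosts)))
        if "DROP" in f["verdicts"] and listed:
            findings.append((key, "dropped, host is in dictionary: " + ", ".join(hosts)))
    return findings
```

On the sample, the audit flags only the www.google.com flow: it was accepted although no dictionary entry covers it, while the dropped www.marca.com flow and the accepted 10.215.168.1 flow agree with the intent.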
Drop Traffic not in a custom dictionary
Description
This example illustrates how to drop all traffic that does not belong to a custom dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1
Step 2: Ping www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=6.65 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.648/6.648/6.648/0.000 ms
Step 3: Ping www.google.com from DUT0:
admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.31.105) 56(84) bytes of data.
64 bytes from eq-in-f105.1e100.net (142.251.31.105): icmp_seq=1 ttl=96 time=38.5 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.458/38.458/38.458/0.000 ms
Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Jun 24 13:55:37.899980 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=11886 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:37.965365 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=11887 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:38.131529 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=11888 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:38.425098 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=11889 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:38.565021 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=11890 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:39.332709 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=11891 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:39.417026 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=11892 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 
APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:41.138820 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=11894 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:42.646634 osdx file_operation.py[277585]: Operation aborted by user. Jun 24 13:55:42.661308 osdx sudo[277591]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 13:55:42.663297 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'. Jun 24 13:55:42.677712 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=11896 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:42.677754 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=11895 DF PROTO=TCP SPT=443 DPT=41102 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com] Jun 24 13:55:42.892978 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system journal show | cat'. 
Jun 24 13:55:43.000059 osdx sudo[277602]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 13:55:43.076273 osdx sudo[277607]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 13:55:43.080804 osdx file_operation[277605]: using src url: http://www.google.com dst url: running://index.html Jun 24 13:55:43.174810 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=25710 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.275400 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25711 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.275496 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=2852 TOS=0x00 PREC=0x00 TTL=112 ID=25713 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.275523 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25715 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.275565 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25716 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.275865 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 
ID=25719 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.276020 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25720 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.279047 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25717 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.284067 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25718 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.347742 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25712 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.354243 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25721 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.415034 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=25722 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.592821 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 
DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25723 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:43.635465 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=25724 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:44.064817 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25725 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:44.135807 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=25726 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:45.020724 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25727 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:45.095381 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=25728 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:46.963448 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=25729 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:47.043757 osdx kernel: [POL-1] DROP IN=eth0 OUT= 
MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=112 ID=25730 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com] Jun 24 13:55:48.022702 osdx file_operation.py[277605]: Operation aborted by user. Jun 24 13:55:48.040546 osdx sudo[277614]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 13:55:48.043017 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'. Jun 24 13:55:48.077720 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=25731 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Drop Traffic not in an engine dictionary
Description
This example illustrates how to drop all traffic that does not belong to an engine dictionary.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.169 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.169/0.169/0.169/0.000 ms
Step 3: Ping IP address www.marca.com from DUT0:
admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=15.5 ms
--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 15.504/15.504/15.504/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  11.1M      0 --:--:-- --:--:-- --:--:-- 13.0M
Step 5: Modify the following configuration lines in DUT0:
set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Jun 24 13:55:53.337772 osdx systemd-journald[165652]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.2M, max 15.3M, 13.1M free.
Jun 24 13:55:53.338962 osdx systemd-journald[165652]: Received client request to rotate journal, rotating.
Jun 24 13:55:53.339011 osdx systemd-journald[165652]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 13:55:53.342861 osdx sudo[277840]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:53.350381 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 13:55:53.572844 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 13:55:53.886256 osdx OSDxCLI[190401]: User 'admin' entered the configuration menu.
Jun 24 13:55:53.959976 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 13:55:54.057639 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 24 13:55:54.160136 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 13:55:54.253979 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'show working'.
Jun 24 13:55:54.335878 osdx ubnt-cfgd[277866]: inactive
Jun 24 13:55:54.358755 osdx INFO[277874]: FRR daemons did not change
Jun 24 13:55:54.378975 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 13:55:54.477580 osdx cfgd[1460]: [190401]Completed change to active configuration
Jun 24 13:55:54.496189 osdx OSDxCLI[190401]: User 'admin' committed the configuration.
Jun 24 13:55:54.512435 osdx OSDxCLI[190401]: User 'admin' left the configuration menu.
Jun 24 13:55:54.659778 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 13:55:54.855209 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 24 13:55:54.919614 osdx sudo[278061]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:54.981907 osdx sudo[278066]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:54.986502 osdx file_operation[278064]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 24 13:55:55.011616 osdx sudo[278074]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:55.014008 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 24 13:55:55.165033 osdx OSDxCLI[190401]: User 'admin' entered the configuration menu.
Jun 24 13:55:55.246442 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 24 13:55:55.305164 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 24 13:55:55.401949 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 24 13:55:55.462169 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 24 13:55:55.575550 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 24 13:55:55.665650 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Jun 24 13:55:55.765283 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 24 13:55:55.836016 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 24 13:55:55.924919 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 24 13:55:56.006198 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 24 13:55:56.116346 osdx OSDxCLI[190401]: User 'admin' added a new cfg line: 'show changes'.
Jun 24 13:55:56.196216 osdx ubnt-cfgd[278091]: inactive
Jun 24 13:55:56.234275 osdx INFO[278111]: FRR daemons did not change
Jun 24 13:55:56.386986 osdx kernel: app-detect: module init
Jun 24 13:55:56.387074 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 13:55:56.387095 osdx kernel: app-detect: expression init
Jun 24 13:55:56.387114 osdx kernel: app-detect: appid cache initialized
Jun 24 13:55:56.387131 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 13:55:56.570962 osdx sudo[278147]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:56.728167 osdx cfgd[1460]: [190401]Completed change to active configuration
Jun 24 13:55:56.730602 osdx OSDxCLI[190401]: User 'admin' committed the configuration.
Jun 24 13:55:56.756894 osdx OSDxCLI[190401]: User 'admin' left the configuration menu.
Jun 24 13:55:56.889526 osdx sudo[278181]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:56.957006 osdx file_operation[278184]: using src url: https://www.marca.com dst url: running://index.html
Jun 24 13:55:56.983377 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=50742 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:56.985638 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50744 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:56.985705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=50746 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:56.988159 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50745 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:56.996179 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50743 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.023097 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=52 ID=50747 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.178904 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=50748 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.247703 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50749 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.388274 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=50750 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.687894 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50751 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:57.822894 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=50752 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:58.583708 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50753 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:58.654963 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=50754 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:56:00.344421 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=50755 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:56:00.412795 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=50756 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:56:01.248648 osdx CRON[278190]: pam_limits(cron:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:56:01.921610 osdx file_operation.py[278184]: Operation aborted by user.
Jun 24 13:56:01.934578 osdx sudo[278194]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:56:01.936483 osdx OSDxCLI[190401]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jun 24 13:56:01.950979 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=50758 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:56:01.951028 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=50757 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
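Step 6 verifies the result with a single regular expression over the journal. The following Python is an added example, not part of the Teldat page or of OSDx: it parses the `[POL-1] DROP ... APPDETECT[L4:443 ssl-host:www.marca.com]` kernel lines that `log app-id` produces into structured records, so the same check, a per-host drop count and an audit of drops for hosts the operator expected the engine dictionary to cover can all be run over a `system journal show` dump. The sample lines are copied from this page's outputs; the allow-list passed to the audit is a constructed assumption, since the content of test_dict.gz is not shown.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Policy log prefix written by the OSDx kernel, followed by the annotation that
# 'log app-id' appends: APPDETECT[L4:<server port> <http-host|ssl-host>:<name>].
# Only TCP/UDP lines (with SPT/DPT) are parsed, which is all this page shows.
APPDETECT_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[A-Za-z0-9_]+)-(?P<rule>\d+)\] (?P<verdict>[A-Z]+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?APPDETECT\[L4:(?P<l4>\d+) (?P<kind>http-host|ssl-host):(?P<host>[^\]]+)\]"
)


@dataclass(frozen=True)
class AppDetectEvent:
    timestamp: str
    policy: str
    rule: int
    verdict: str
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    l4_port: int
    kind: str   # "http-host" or "ssl-host"
    host: str


def parse_line(line):
    """Return an AppDetectEvent for a policy log line carrying APPDETECT data, else None."""
    m = APPDETECT_RE.search(line)
    if m is None:
        return None
    return AppDetectEvent(
        timestamp=line[:m.start()].strip(),
        policy=m["policy"], rule=int(m["rule"]), verdict=m["verdict"],
        src=m["src"], dst=m["dst"], proto=m["proto"],
        spt=int(m["spt"]), dpt=int(m["dpt"]),
        l4_port=int(m["l4"]), kind=m["kind"], host=m["host"],
    )


def parse_journal(text):
    """Parse every line of a 'system journal show' dump; other entries are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def drops_per_host(events):
    """Dropped packets per (kind, host): the first thing to look at after the commit."""
    return Counter((ev.kind, ev.host) for ev in events if ev.verdict == "DROP")


def step6_condition_met(events):
    r"""Structured form of the page's check:
    osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"""
    return any(ev.verdict == "DROP" and ev.l4_port == 443
               and ev.kind == "ssl-host" and ev.host == "www.marca.com"
               for ev in events)


def dropped_but_expected_in_dictionary(events, dictionary_hosts):
    """Hosts the operator expects the engine dictionary to cover that were dropped anyway.

    Under 'not app-id engine 128' such a drop most likely means the dictionary did not
    classify the host as expected, so the rule is blocking more than intended."""
    return sorted({ev.host for ev in events
                   if ev.verdict == "DROP" and ev.host in dictionary_hosts})


# Sample journal: three policy lines copied from this page's outputs plus one
# unrelated pam_limits line, to show that non-policy entries are ignored.
SAMPLE_JOURNAL = """\
Jun 24 13:55:56.889526 osdx sudo[278181]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 13:55:56.983377 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=50742 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:56.985638 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=50744 DF PROTO=TCP SPT=443 DPT=55012 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 24 13:55:43.174810 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:3c:ac:41:3d:8b:08:00 SRC=142.251.31.147 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=25710 PROTO=TCP SPT=80 DPT=59074 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
"""


if __name__ == "__main__":
    events = parse_journal(SAMPLE_JOURNAL)
    print(f"{len(events)} APPDETECT verdicts parsed")
    for (kind, host), count in drops_per_host(events).items():
        print(f"  {kind:9s} {host:16s} dropped packets: {count}")
    print("Step 6 condition met:", step6_condition_met(events))
    # Constructed allow-list (assumption, not the content of test_dict.gz): pretend the
    # dictionary was meant to cover www.google.com and see that its drop gets flagged.
    print("dropped despite expected dictionary match:",
          dropped_but_expected_in_dictionary(events, {"www.google.com"}))
```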