HTTP(S) URL and SNI/Hostname-Based Content Filtering FSM Plugin

Design

Plugin purpose: blocking HTTP(S) flows based on the requested URL (HTTP) or the SNI/hostname (HTTPS).

The following steps are involved:

  • URL or SNI/hostname detection for a new IP flow

  • Query policies for the action to take

URL/SNI Detection for a New IP Flow

FSM uses the Walleye DPI plugin to detect the URL/SNI bound to an HTTP(S) flow.

Query Policies

The DPI plugin presents the URL or SNI to a web categorization engine and to an FSM policy entry. The plugin then receives the action to take. If the received action is to block, the DPI plugin marks the flow for blocking.

Feature Scope

  • Ability for the Walleye DPI plugin to present an HTTP URL or server/SNI to a web categorization plugin.

  • Ability for FSM to block a new flow based on a string (URL, SNI).

  • Ability for the Walleye DPI plugin to serve the app detection feature for one set of devices, and to serve URL/SNI-based filtering for another set of devices. The device sets might intersect.

Workflow

The approach includes implementing dedicated plugins which register their FSM session with the Walleye DPI plugin, and provide a callback to exercise detection of the relevant flow attribute.

The Walleye plugin is configured to serve all client devices subject to either app name or URL/SNI hostname filtering. On detection of an app name or URL/SNI hostname, the Walleye plugin triggers the callbacks provided by the dedicated plugins. Each dedicated plugin checks whether it is configured to process the provided device, triggers the FSM policy engine, and applies the resulting action.

Each flow attribute service plugin is responsible for reporting its activity in accordance with the FSM policies involved.

The Walleye plugin is responsible for notifying the core FSM dispatcher of the overall decision on the inspected flow (allow/block).

The core FSM feature requires these changes to accommodate the following:

  • Definition and configuration of plugins dedicated to the flow attributes (app name, URL/SNI hostname)

  • Registration of the flow attribute plugin to the flow attribute detection plugin

Implementation

A new FSM plugin type "dpi_client" has been created.

  1. The plugin registers the devices it will process through the excluded_devices and included_devices keys of other_config.

  2. The plugin indicates the flow attributes it will process, and which DPI plugin will deliver the flow attributes. The flow attribute values are presented in a set.

  3. Finally, the plugin indicates which categorization plugin and policy table should be used to make a decision about the flow based on the flow attribute.

An example of such a plugin entry is shown below:

$ ovsh -j s Flow_Service_Manager_Config -w handler==dpi_sni
[
    {
        "if_name": "",
        "_version": [
            "uuid",
            "9251b80b-6332-4949-94c6-67e6ef8133bc"
        ],
        "other_config": [
            "map",
            [
                [
                    "dpi_plugin",
                    "walleye"
                ],
                [
                    "dso_init",
                    "dpi_sni_init"
                ],
                [
                    "excluded_devices",
                    "$[excluded_devices]"
                ],
                [
                    "flow_attributes",
                    "$[url_attributes]"
                ],
                [
                    "included_devices",
                    "$[included_devices]"
                ],
                [
                    "mqtt_v",
                    "SNI/Requests/os_academy/XXXX8002B3/XXXX9f5acbb22513f0ae5e17"
                ],
                [
                    "policy_table",
                    "webpulse"
                ],
                [
                    "provider_plugin",
                    "webpulse"
                ]
            ]
        ],
        "type": "dpi_client",
        "plugin": "/usr/opensync/lib/libfsm_dpi_sni.so",
        "_uuid": [
            "uuid",
            "20ba10f1-263d-4f35-8786-1cc0399e2c05"
        ],
        "pkt_capt_filter": "",
        "handler": "dpi_sni"
    }
]
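A pre-deployment check for such an entry, as an added example (not OpenSync code): it decodes the OVSDB JSON wrappers in `ovsh -j` output and lists which of the keys from steps 1 to 3 are absent. The sample row is constructed, and treating `provider_plugin` as the categorization plugin key and all four keys as expected are assumptions of this example.

```python
import json

# Constructed sample: a trimmed `ovsh -j` row in OVSDB JSON notation, modelled on
# the dpi_sni entry above, with "policy_table" deliberately left out.
SAMPLE = """
[{"handler": "dpi_sni", "type": "dpi_client",
  "_uuid": ["uuid", "00000000-0000-0000-0000-000000000000"],
  "other_config": ["map", [["dpi_plugin", "walleye"],
                           ["flow_attributes", "$[url_attributes]"],
                           ["included_devices", "$[included_devices]"],
                           ["provider_plugin", "webpulse"]]]}]
"""

# Keys named in steps 1-3; expecting all of them is this example's assumption.
EXPECTED_KEYS = ("dpi_plugin", "flow_attributes", "provider_plugin", "policy_table")
DEVICE_KEYS = ("included_devices", "excluded_devices")


def decode(value):
    """Unwrap OVSDB ["map", ...], ["set", ...] and ["uuid", ...] into Python values."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str):
        tag, body = value
        if tag == "map":
            return {k: decode(v) for k, v in body}
        if tag == "set":
            return [decode(v) for v in body]
        if tag == "uuid":
            return body
    return value


def audit_dpi_clients(ovsh_json):
    """Return {handler: [problems]} for every dpi_client row in the ovsh output."""
    findings = {}
    for row in json.loads(ovsh_json):
        row = {k: decode(v) for k, v in row.items()}
        if row.get("type") != "dpi_client":
            continue
        cfg = row.get("other_config") or {}
        problems = [f"missing other_config key: {k}" for k in EXPECTED_KEYS if not cfg.get(k)]
        if not any(cfg.get(k) for k in DEVICE_KEYS):
            problems.append("neither included_devices nor excluded_devices is set")
        findings[row["handler"]] = problems
    return findings


if __name__ == "__main__":
    print(audit_dpi_clients(SAMPLE))
```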

Event Reporting

The reporting of policy decisions follows the model of DNS event reporting. A "reportType" field is added to the report to indicate the report type.

The following outlines policy entries added through FUTs, the DPI client configuration, and report examples.

FUT FSM Policy Settings

In this example, index 9 blocks adult content, and index 10 allows everything and logs it.

$ ovsh s FSM_Policy -w policy==dev_opensync
---------------------------------------------------------------------
_uuid             | 4096~84d1              | b159~658b              |
_version          | b21e~d6a0              | 0f09~7b66              |
action            | drop                   | allow                  |
fqdn_op           | ["set",[]]             | ["set",[]]             |
fqdncat_op        | in                     | out                    |
fqdncats          | 11                     | ["set",[]]             |
fqdns             | ["set",[]]             | ["set",[]]             |
gatekeeper_policy | false                  | false                  |
idx               | 9                      | 10                     |
ipaddr_op         | ["set",[]]             | ["set",[]]             |
ipaddrs           | ["set",[]]             | ["set",[]]             |
log               | blocked                | all                    |
mac_op            | ["set",[]]             | ["set",[]]             |
macs              | ["set",[]]             | ["set",[]]             |
name              | dev_opensync_rule_0    | dev_opensync_rule_1    |
next              | ["map",[]]             | ["map",[]]             |
other_config      | ["map",[]]             | ["map",[]]             |
policy            | dev_opensync           | dev_opensync           |
redirect          | ["set",[]]             | ["set",[]]             |
risk_level        | ["set",[]]             | ["set",[]]             |
risk_op           | ["set",[]]             | ["set",[]]             |
---------------------------------------------------------------------
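A small model of what one dpi_client callback does with these two rules, following the Workflow section (device check, policy lookup, action, reporting). It is an added example, not the plugin's code: the SNI-to-category table, the MAC addresses, the ascending-idx first-match order, the included/excluded semantics and the no-match default are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the categorization plugin: SNI -> category id.
# Only id 11 (the category rule 9 blocks) comes from the page.
CATEGORIES = {"adult.example": 11, "news.example": 5}


@dataclass(frozen=True)
class Rule:
    idx: int
    action: str            # "drop" or "allow"
    fqdncat_op: str        # "in" or "out"
    fqdncats: frozenset    # category ids; empty for ["set",[]]
    log: str               # "blocked" or "all"


# The two dev_opensync entries from the FSM_Policy table above.
RULES = (
    Rule(10, "allow", "out", frozenset(), "all"),
    Rule(9, "drop", "in", frozenset({11}), "blocked"),
)


def category_matches(rule, category):
    hit = category in rule.fqdncats
    return hit if rule.fqdncat_op == "in" else not hit


def on_sni(mac, sni, included, excluded, rules=RULES):
    """Model one dpi_client callback; returns (decision, report_event)."""
    # Assumption: a non-empty included set restricts the plugin to those devices.
    if mac in excluded or (included and mac not in included):
        return ("skip", False)
    category = CATEGORIES.get(sni)
    # Assumption: rules are tried in ascending idx order and the first match wins.
    for rule in sorted(rules, key=lambda r: r.idx):
        if category_matches(rule, category):
            blocked = rule.action == "drop"
            report = rule.log == "all" or (rule.log == "blocked" and blocked)
            return ("block" if blocked else "allow", report)
    return ("allow", False)  # assumption: no matching rule leaves the flow alone


if __name__ == "__main__":
    scope = {"aa:bb:cc:00:00:01"}
    for host in ("adult.example", "news.example"):
        print(host, on_sni("aa:bb:cc:00:00:01", host, scope, set()))
```

Because rule 10 uses `out` against an empty category set, it matches every flow that rule 9 did not, which is why it acts as the allow-and-log catch-all.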

DPI Client Setting

$ ovsh -j s Flow_Service_Manager_Config -w handler==dev_fsm_dpi_sni
[
    {
        "if_name": "",
        "_version": [
            "uuid",
            "27fb34af-cd29-4160-ab02-657b59695279"
        ],
        "other_config": [
            "map",
            [
                [
                    "dpi_plugin",
                    "walleye_dpi"
                ],
                [
                    "dso_init",
                    "dpi_sni_plugin_init"
                ],
                [
                    "flow_attributes",
                    "${dev_dpi_attrs}"
                ],
                [
                    "mqtt_v",
                    "dev-test/DNS/Queries/futs/XXXX8002B3/XXXX9f5acbb22513f0ae5e17"
                ],
                [
                    "policy_table",
                    "dev_opensync"
                ],
                [
                    "provider_plugin",
                    "opensync"
                ],
                [
                    "excluded_devices",
                    "${sni-devices-exclude}"
                ],
                [
                    "included_devices",
                    "${sni-devices-include}"
                ]
            ]
        ],
        "type": "dpi_client",
        "plugin": "/usr/opensync/lib/libfsm_dpi_sni.so",
        "_uuid": [
            "uuid",
            "35711ae1-9045-4cdd-895a-1d4e13f9f133"
        ],
        "pkt_capt_filter": "",
        "handler": "dev_fsm_dpi_sni"
    }
]

Report Examples

An HTTP request is triggered by the following command:

The report looks like:

An HTTPS request is triggered by the following command:

curl -A 'foo' https://www.playboy.com

The report looks like:

Published Content

https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf

https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf