
https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/adaptive-packet-filtering.html

 

(Adaptive) Packet Filtering | GigaSMART | Gigamon


Filter matching packet content

The Adaptive Packet Filtering feature is a licensable addition to the GigaSMART® engine that can identify patterns across any part of the network packet, including the packet payload. Adaptive Packet Filtering can use this awareness to filter based on packet contents beyond Layer 2, 3, and 4 headers, including URLs, patterns in BitTorrent packets, basic application identification, and specific encapsulation protocols. Operators can define custom signatures through regular expressions to match their specific applications. The signatures can also identify sensitive data and obscure it before forwarding to tools.

Adaptive Packet Filtering can identify and forward packets based on multiple complex headers and encapsulations, including MPLS, VXLAN, MAC-in-MAC, IP-in-IP (IPv4 and/or IPv6) and others.

Benefits of the Adaptive Packet Filtering feature:

  • Identifies and filters packets which use dynamic IP addresses and non-standard ports.
  • Filters web-based applications that share the same L2-L4 header information. 
  • Removes bandwidth-hogging traffic, such as streaming services, that doesn’t require monitoring and storage.
  • Obscures sensitive data such as credit card and identification numbers wherever they may occur within the packet before sending the packet to monitoring and storage tools.

 


APF, ASF Sample

gigamon-2c013c (config) # sh running-config
##
## Running database "initial"
## Generated at 2019/12/23 05:23:44 +0000
## Software version on which this output was taken: GigaVUE-OS 5.7.01 142718 2019-09-23 23:20:06
##
## Port level configurations
##
port 1/1/g1 type network
port 1/1/g2 type network
port 1/1/g3 type network
port 1/1/g4 type network
port 1/1/x1 type hybrid
port 1/1/x1 params admin enable
port 1/1/x2 type network
port 1/1/x2 params admin enable
port 1/1/x3 type tool
port 1/1/x3 params admin enable
port 1/1/x4 type network
port 1/1/x4 params admin enable
port 1/1/x5 type network
port 1/1/x6 type tool
port 1/1/x6 params admin enable
port 1/1/x7 type tool
port 1/1/x7 params admin enable
port 1/1/x8 type tool
port 1/1/x8 params admin enable
port 1/1/x9 type network
port 1/1/x10 type tool
port 1/1/x10 params admin enable
port 1/1/x11 type network
port 1/1/x12 type tool
port 1/1/x12 params admin enable
port 1/2/x1 type network
port 1/2/x2 type network
port 1/2/x3 type network
port 1/2/x4 type network
port 1/2/x5 type inline-net
port 1/2/x5 params admin enable speed 1000
port 1/2/x6 type inline-net
port 1/2/x6 params admin enable speed 1000
port 1/2/x7 type inline-net
port 1/2/x8 type inline-net
port 1/3/g1 type network
port 1/3/g1 params taptx passive
port 1/3/g2 type network
port 1/3/g2 params taptx passive
port 1/3/g3 type network
port 1/3/g3 params taptx passive
port 1/3/g4 type network
port 1/3/g4 params taptx passive
port 1/3/g5 type network
port 1/3/g5 params taptx passive
port 1/3/g6 type network
port 1/3/g6 params taptx passive
port 1/3/g7 type network
port 1/3/g7 params taptx passive
port 1/3/g8 type network
port 1/3/g8 params taptx passive

##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default

##
## Gigastream configurations
##
gigastream alias T-LB-1
  port-list 1/1/x6,1/1/x8 params hash advanced
  exit
gigastream alias T-LB-2
  port-list 1/1/x10,1/1/x12 params hash advanced
  exit

##
## SAPF configurations
##
apps asf alias youtube-asf
  bi-directional enable
  buffer enable
  buffer-count-before-match 6
  packet-count disable
  protocol tcp-udp
  sess-field add ipv4-5tuple outer
  timeout 15
  exit

##
## Gsgroup configurations
##
gsgroup alias GS1 port-list 1/1/e1

##
## Gs params configurations
##
gsparams gsgroup GS1
  cpu utilization type total rising 80
  dedup-action drop
  dedup-ip-tclass include
  dedup-ip-tos include
  dedup-tcp-seq include
  dedup-timer 50000
  dedup-vlan ignore
  diameter-packet timeout 2
  diameter-s6a-session limit 10000
  diameter-s6a-session timeout 30
  eng-watchdog-timer 60
  erspan3-timestamp format none
  flow-mask disable
  flow-sampling-rate 5
  flow-sampling-timeout 1
  flow-sampling-type device-ip
  generic-session-timeout 5
  gtp-control-sample enable
  gtp-flow timeout 48
  gtp-persistence disable
  gtp-persistence file-age-timeout 30
  gtp-persistence interval 10
  gtp-persistence restart-age-time 30
  gtp-randomsample disable
  gtp-randomsample interval 12
  ip-frag forward enable
  ip-frag frag-timeout 10
  ip-frag head-session-timeout 30
  lb failover disable
  lb failover-thres lt-bw 80
  lb failover-thres lt-pkt-rate 1000
  lb replicate-gtp-c disable
  lb use-link-spd-wt disable
  node-role disable
  resource buffer-asf 2
  resource cpu overload-threshold 90
  resource hsm-ssl buffer disable
  resource hsm-ssl packet-buffer 1000
  resource inline-ssl standalone enable
  resource metadata disable
  resource packet-buffer overload-threshold 80
  resource xpkt-pmatch num-flows 0
  session logging level none
  sip-media timeout 30
  sip-nat disable
  sip-session timeout 30
  sip-tcp-idle-timeout 20
  ssl-decrypt decrypt-fail-action drop
  ssl-decrypt enable
  ssl-decrypt hsm-pkcs11 dynamic-object enable
  ssl-decrypt hsm-pkcs11 load-sharing enable
  ssl-decrypt hsm-timeout 1000
  ssl-decrypt key-cache-timeout 10800
  ssl-decrypt non-ssl-traffic drop
  ssl-decrypt pending-session-timeout 60
  ssl-decrypt session-timeout 300
  ssl-decrypt tcp-syn-timeout 20
  ssl-decrypt ticket-cache-timeout 10800
  tunnel-health-check action pass
  tunnel-health-check disable
  tunnel-health-check dstport 54321
  tunnel-health-check interval 600
  tunnel-health-check protocol icmp
  tunnel-health-check rcvport 54321
  tunnel-health-check retries 5
  tunnel-health-check roundtriptime 1
  tunnel-health-check srcport 54321
  xpkt-pmatch disable
  exit

## Gsop configurations
gsop alias youtube-gsop apf set asf set port-list GS1

## Vport configurations
vport alias vp1 gsgroup GS1
vport alias vp1 failover-action vport-bypass
vport alias vp1 outer-traffic-path to-inline-tool
vport alias vp1 inner-traffic-path to-inline-tool
vport alias vp1 deferred-binding disable
vport alias vp1 asf profile youtube-asf
vport alias vp1 mmon disable

## Inline-network configurations
inline-network alias default_inline_net_1_2_1
  pair net-a 1/2/x5 and net-b 1/2/x6
  physical-bypass disable
  traffic-path bypass
  exit

##
## Traffic map connection configurations

# Forward mirrored packets from the inline network to a specific port (all packets, rx) #
map-passall alias N1-map-source-packet-rx
  roles replace admin to owner_roles
  to 1/1/x1
  from 1/2/x5
  exit
# Forward mirrored packets from the inline network to a specific port (all packets, tx) #
map-passall alias N1-map-source-packet-tx
  roles replace admin to owner_roles
  to 1/1/x1
  from 1/2/x6
  exit

# Forward the mirrored packets received from the inline network to the virtual port #
map alias All-traffic
  type firstLevel byRule
  roles replace admin to owner_roles
  comment " "
  rule add pass macsrc 00:00:00:00:00:00 00:00:00:00:00:00 bidir
  to vp1
  from 1/1/x1
  exit

# Detects when a video is played on the YouTube site. #
map alias traffic-sapf-youtube
  type secondLevel byRule
  roles replace admin to owner_roles
  use gsop youtube-gsop
  gsrule add pass pmatch RegEx youtube|ytimg|yt3.ggpht|tubeMogul|tmogul|googlevideo|tmogulyoutu 0..1460
  to 1/1/x3
  from vp1
  exit

# Detects Symantec server/client communication or pattern updates on a PC. #
map alias traffic-sapf-symatec
  type secondLevel byRule
  roles replace admin to owner_roles
  use gsop youtube-gsop
  gsrule add pass pmatch RegEx symantec|syma|sep|livet|symant 0..1460
  to 1/1/x3
  from vp1
  exit

# Extra - detect only specific hex code values #
map alias traffic-sapf-hex
  type secondLevel byRule
  roles replace admin to owner_roles
  comment hex-.ama
  use gsop youtube-gsop
  gsrule add pass pmatch protocol ipv4 pos 1 RegEx [\\x2e\\x61\\x6d\\x61] 0..80
  to 1/1/x7
  from vp1
  exit

# The RegEx expression identifies the SSL handshake type Client Hello patterns and all buffered packets (TCP) #
# pos -> number representing the occurrence (specify the occurrence number) #

# Detects access to HTTPS sites #
map alias traffic-sapf-https
  type secondLevel byRule
  roles replace admin to owner_roles
  use gsop youtube-gsop
  gsrule add pass pmatch protocol tcp pos 1 RegEx \\x16\\x03.{3}\\x01 0..6
  to 1/1/x7
  from vp1
  exit

# Detects everything other than the specified packets (HTTPS, YouTube, Symantec, etc.) #
map-scollector alias traffice-non-asf
  roles replace admin to owner_roles
  from vp1
  collector T-LB-1
  exit
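
Before relying on pmatch rules like the ones above, it helps to check offline which payloads each expression actually selects. The following is an added example, not part of the original post or of Gigamon's tooling: it uses Python's `re` as a stand-in for the GigaSMART regex engine, reads the CLI's doubled backslashes as single escapes, and treats the `start..end` range as a byte window (all assumptions). The `pmatch` helper, the `HEX_SEQUENCE` variant and the sample payloads are constructed for illustration.

```python
import re

# Patterns from the gsrule lines, reading the CLI's doubled backslashes
# as single regex escapes (assumption).
CLIENT_HELLO = rb"\x16\x03.{3}\x01"
HEX_CLASS = rb"[\x2e\x61\x6d\x61]"   # as configured: a character class
HEX_SEQUENCE = rb"\x2e\x61\x6d\x61"  # hypothetical variant: literal ".ama"
SYMANTEC = rb"symantec|syma|sep|livet|symant"


def pmatch(pattern, payload, start, end):
    """Approximate 'RegEx <pattern> <start>..<end>' as a search limited to
    payload[start:end]. Offset semantics of the real engine are assumed."""
    # DOTALL so '.' also matches byte 0x0a, which can occur in a length field.
    return re.search(pattern, payload[start:end], re.DOTALL) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "client_hello": b"\x16\x03\x01\x01\x0a\x01\x00\x01\x06\x03\x03",
    "server_hello": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03",
    "http_plain": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http_ama": b"GET /clip.ama HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http_sep": b"GET /news/september HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate():
    """Return {rule: sorted sample names that the rule would pass}."""
    rules = {
        "https": (CLIENT_HELLO, 0, 6),
        "hex_class": (HEX_CLASS, 0, 80),
        "hex_sequence": (HEX_SEQUENCE, 0, 80),
        "symantec": (SYMANTEC, 0, 1460),
    }
    return {
        name: sorted(s for s, data in SAMPLES.items() if pmatch(pat, data, a, b))
        for name, (pat, a, b) in rules.items()
    }


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(f"{rule:13} -> {hits}")
```

Under these assumptions the bracketed hex expression passes any payload containing a single `.`, `a` or `m` in the window, and the short `sep` alternative passes unrelated text such as "september"; both are worth confirming on the device before sizing the tool port.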

 
