detect/mqtt: add topic inspection limit
authorSascha Steinbiss <satta@debian.org>
Mon, 10 May 2021 12:54:47 +0000 (14:54 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 21 Jun 2021 19:32:04 +0000 (21:32 +0200)
We add a new 'mqtt.(un)subscribe-topic-match-limit' option
to allow a user to specify the maximum number of topics in
an MQTT SUBSCRIBE or UNSUBSCRIBE message to be evaluated
in detection.

src/detect-mqtt-subscribe-topic.c
src/detect-mqtt-unsubscribe-topic.c
suricata.yaml.in

index e8939ee4fca5f334c8712d126b3ba27dbf9cd165..390da5c2987b705b3584af05a51859eff6f892e2 100644 (file)
@@ -58,6 +58,8 @@ static int DetectMQTTSubscribeTopicSetup(DetectEngineCtx *, Signature *, const c
 
 static int g_mqtt_subscribe_topic_buffer_id = 0;
 
+static uint32_t subscribe_topic_match_limit = 100;
+
 struct MQTTSubscribeTopicGetDataArgs {
     uint32_t local_id;
     void *txv;
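Review bot: The new file-scope `subscribe_topic_match_limit` carries no comment, so a reader has to find the loop conditions further down to learn that the value 0 has a special meaning. A one-line comment above the definition would avoid that, e.g. `/* max number of topics per SUBSCRIBE message handed to detection; 0 disables the limit (see config mqtt.subscribe-topic-match-limit) */`. The same applies to `unsubscribe_topic_match_limit` in the unsubscribe-topic file.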
@@ -100,7 +102,7 @@ static int DetectEngineInspectMQTTSubscribeTopic(
         transforms = engine->v2.transforms;
     }
 
-    while(1) {
+    while ((subscribe_topic_match_limit == 0) || local_id < subscribe_topic_match_limit) {
         struct MQTTSubscribeTopicGetDataArgs cbdata = { local_id, txv, };
         InspectionBuffer *buffer = MQTTSubscribeTopicGetData(det_ctx,
             transforms, f, &cbdata, engine->sm_list, false);
@@ -151,7 +153,7 @@ static void PrefilterTxMQTTSubscribeTopic(DetectEngineThreadCtx *det_ctx,
     const int list_id = ctx->list_id;
 
     uint32_t local_id = 0;
-    while(1) {
+    while ((subscribe_topic_match_limit == 0) || local_id < subscribe_topic_match_limit) {
         struct MQTTSubscribeTopicGetDataArgs cbdata = { local_id, txv };
         InspectionBuffer *buffer = MQTTSubscribeTopicGetData(det_ctx, ctx->transforms,
                 f, &cbdata, list_id, true);
@@ -201,6 +203,16 @@ void DetectMQTTSubscribeTopicRegister (void)
     sigmatch_table[DETECT_AL_MQTT_SUBSCRIBE_TOPIC].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_MQTT_SUBSCRIBE_TOPIC].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
+    intmax_t val = 0;
+    if (ConfGetInt("mqtt.subscribe-topic-match-limit", &val)) {
+        subscribe_topic_match_limit = val;
+    }
+    if (subscribe_topic_match_limit <= 0) {
+        SCLogDebug("Using unrestricted MQTT SUBSCRIBE topic matching");
+    } else {
+        SCLogDebug("Using MQTT SUBSCRIBE topic match-limit setting of: %u",
+                subscribe_topic_match_limit);
+    }
 
     DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1,
             PrefilterMpmMQTTSubscribeTopicRegister, NULL,
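Review bot: The `intmax_t` value read by `ConfGetInt` is stored into the `uint32_t` limit without a range check, so a negative or oversized configured value is silently truncated; for example a negative value becomes a very large limit, and the following `subscribe_topic_match_limit <= 0` test (which on an unsigned type is just `== 0`) then reports a restricted limit rather than the unrestricted matching the operator presumably intended. Validating `val` before the assignment and keeping the compiled-in default otherwise makes the option behave predictably and keeps the debug message truthful. The same pattern appears in `DetectMQTTUnsubscribeTopicRegister` in the unsubscribe-topic file and should get the same treatment. The registration function continues outside the hunk.
```c
    intmax_t val = 0;
    if (ConfGetInt("mqtt.subscribe-topic-match-limit", &val)) {
        if (val < 0 || val > UINT32_MAX) {
            /* out of range for the uint32_t limit: keep the default instead of wrapping */
            SCLogDebug("ignoring out-of-range mqtt.subscribe-topic-match-limit value");
        } else {
            subscribe_topic_match_limit = (uint32_t)val;
        }
    }
    if (subscribe_topic_match_limit == 0) {
    /* … unchanged: debug logging of the effective setting … */
```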
index 5409e5c6ba9404e1d72128ce4c7b136be986b3bf..24f0a3696a9b597b8ff23ffbea1a6de4e36fd27d 100644 (file)
@@ -58,6 +58,8 @@ static int DetectMQTTUnsubscribeTopicSetup(DetectEngineCtx *, Signature *, const
 
 static int g_mqtt_unsubscribe_topic_buffer_id = 0;
 
+static uint32_t unsubscribe_topic_match_limit = 100;
+
 struct MQTTUnsubscribeTopicGetDataArgs {
     uint32_t local_id;
     void *txv;
@@ -100,7 +102,7 @@ static int DetectEngineInspectMQTTUnsubscribeTopic(
         transforms = engine->v2.transforms;
     }
 
-    while(1) {
+    while ((unsubscribe_topic_match_limit == 0) || local_id < unsubscribe_topic_match_limit) {
         struct MQTTUnsubscribeTopicGetDataArgs cbdata = { local_id, txv, };
         InspectionBuffer *buffer = MQTTUnsubscribeTopicGetData(det_ctx,
             transforms, f, &cbdata, engine->sm_list, false);
@@ -151,7 +153,7 @@ static void PrefilterTxMQTTUnsubscribeTopic(DetectEngineThreadCtx *det_ctx,
     const int list_id = ctx->list_id;
 
     uint32_t local_id = 0;
-    while(1) {
+    while ((unsubscribe_topic_match_limit == 0) || local_id < unsubscribe_topic_match_limit) {
         struct MQTTUnsubscribeTopicGetDataArgs cbdata = { local_id, txv };
         InspectionBuffer *buffer = MQTTUnsubscribeTopicGetData(det_ctx, ctx->transforms,
                 f, &cbdata, list_id, true);
@@ -201,6 +203,16 @@ void DetectMQTTUnsubscribeTopicRegister (void)
     sigmatch_table[DETECT_AL_MQTT_UNSUBSCRIBE_TOPIC].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_MQTT_UNSUBSCRIBE_TOPIC].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
+    intmax_t val = 0;
+    if (ConfGetInt("mqtt.unsubscribe-topic-match-limit", &val)) {
+        unsubscribe_topic_match_limit = val;
+    }
+    if (unsubscribe_topic_match_limit <= 0) {
+        SCLogDebug("Using unrestricted MQTT UNSUBSCRIBE topic matching");
+    } else {
+        SCLogDebug("Using MQTT UNSUBSCRIBE topic match-limit setting of: %i",
+                unsubscribe_topic_match_limit);
+    }
 
     DetectAppLayerMpmRegister2("mqtt.unsubscribe.topic", SIG_FLAG_TOSERVER, 1,
             PrefilterMpmMQTTUnsubscribeTopicRegister, NULL,
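Review bot: The `SCLogDebug` call logging the UNSUBSCRIBE limit uses `%i` for `unsubscribe_topic_match_limit`, which is a `uint32_t`; passing an unsigned value to a signed conversion specifier is a format mismatch that `-Wformat` will flag and that the parallel SUBSCRIBE code avoids by using `%u`. Changing it to `"Using MQTT UNSUBSCRIBE topic match-limit setting of: %u",` (or `PRIu32` from `<inttypes.h>`) keeps the two files consistent. The registration function continues outside the hunk.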
index 1beae12d962ef8cc47150b9452987f9b2ed96964..2f1b44787c8634c6d9f9a69c5e1a1310cf02c807 100644 (file)
@@ -1115,6 +1115,11 @@ pcre:
   match-limit: 3500
   match-limit-recursion: 1500
 
+# MQTT topic detection depth
+#mqtt:
+#  subscribe-topic-match-limit: 100
+#  unsubscribe-topic-match-limit: 100
+
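Review bot: The new commented-out `mqtt:` block gives the defaults but does not tell the operator that the value 0 disables the limit, which is the behaviour the code implements and the only way to restore the previous unbounded inspection. Extending the heading comment to `# MQTT topic detection depth: max number of topics per (UN)SUBSCRIBE message inspected; 0 means no limit` would make the option self-explanatory in the template.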
 ##
 ## Advanced Traffic Tracking and Reconstruction Settings
 ##