--- /dev/null
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-unsub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/6592
--- /dev/null
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 1"; frame:pdu; content: "|a2 0b 00 02|"; startswith; bsize:13; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt frame: header"; frame:header; content: "|a2|"; startswith; bsize: 2; sid:2;)
+alert mqtt any any -> any any (msg:"mqtt Frame: data"; frame:data; content: "|00 02 00|"; startswith; bsize: 11; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 2"; frame:pdu; content: "|a2 0b 00 03|"; startswith; bsize:13; sid:4;)
--- /dev/null
+pcap: ../mqtt5-unsub-userpass/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+ - --set outputs.1.eve-log.types.1.frame.enabled=yes
+
+checks:
+- filter:
+ count: 6
+ match:
+ event_type: alert
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: pdu
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: header
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: data
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 1
+ frame.type: pdu
+ frame.id: 8
+ frame.length: 13
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 2
+ frame.type: header
+ frame.id: 9
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 3
+ frame.type: data
+ frame.id: 10
+ frame.length: 11
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 4
+ frame.type: pdu
+ frame.id: 11
+ frame.length: 13
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 12
+ frame.type: header
+ frame.id: 12
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 3
+ frame.type: data
+ frame.id: 13
+ frame.length: 11
+ frame.complete: true