test/mqtt: Improve multi PDU parsing 1647/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Wed, 24 Jan 2024 14:43:25 +0000 (09:43 -0500)
committerVictor Julien <victor@inliniac.net>
Wed, 14 Feb 2024 16:19:35 +0000 (17:19 +0100)
Issue: 6592

tests/mqtt-frames-xpdu/README.md [new file with mode: 0644]
tests/mqtt-frames-xpdu/test.rules [new file with mode: 0644]
tests/mqtt-frames-xpdu/test.yaml [new file with mode: 0644]

diff --git a/tests/mqtt-frames-xpdu/README.md b/tests/mqtt-frames-xpdu/README.md
new file mode 100644 (file)
index 0000000..b97fe36
--- /dev/null
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-unsub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/6592
diff --git a/tests/mqtt-frames-xpdu/test.rules b/tests/mqtt-frames-xpdu/test.rules
new file mode 100644 (file)
index 0000000..720acd1
--- /dev/null
@@ -0,0 +1,4 @@
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 1"; frame:pdu; content: "|a2 0b 00 02|"; startswith; bsize:13; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt frame: header"; frame:header; content: "|a2|"; startswith; bsize: 2; sid:2;)
+alert mqtt any any -> any any (msg:"mqtt Frame: data"; frame:data; content: "|00 02 00|"; startswith; bsize: 11; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 2"; frame:pdu; content: "|a2 0b 00 03|"; startswith;  bsize:13; sid:4;)
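Review bot: sid:3 anchors on `content: "|00 02 00|"; startswith;`, yet test.yaml expects it to fire on both data frames (frame.id 10 and 13), while sid:1 and sid:4 show the two PDUs beginning `a2 0b 00 02` and `a2 0b 00 03`. If the data frame is the 11 bytes that follow the 2-byte header, the second one would presumably begin `00 03`, so it is worth confirming against the pcap which bytes sid:3 is really inspecting for frame.id 13. Splitting it into two rules that mirror "pdu 1" and "pdu 2" (`content: "|00 02 00|"` and `content: "|00 03 00|"`, each with its own sid) would make the test prove that every data frame is bounded at its own PDU rather than only that two data alerts appear. As a style point, `msg:"mqtt Frame: data"` is capitalised differently from the other three messages, and the spacing of `bsize:` varies between rules.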
diff --git a/tests/mqtt-frames-xpdu/test.yaml b/tests/mqtt-frames-xpdu/test.yaml
new file mode 100644 (file)
index 0000000..e77cd56
--- /dev/null
@@ -0,0 +1,89 @@
+pcap: ../mqtt5-unsub-userpass/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+ - -k none
+ - --set outputs.1.eve-log.types.1.frame.enabled=yes
+
+checks:
+- filter:
+    count: 6
+    match:
+      event_type: alert
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      frame.type: pdu
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      frame.type: header
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      frame.type: data
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 12
+      alert.signature_id: 1
+      frame.type: pdu
+      frame.id: 8
+      frame.length: 13
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 12
+      alert.signature_id: 2
+      frame.type: header
+      frame.id: 9
+      frame.length: 2
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 12
+      alert.signature_id: 3
+      frame.type: data
+      frame.id: 10
+      frame.length: 11
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 12
+      alert.signature_id: 4
+      frame.type: pdu
+      frame.id: 11
+      frame.length: 13
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      pcap_cnt: 12
+      frame.type: header
+      frame.id: 12
+      frame.length: 2
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 12
+      alert.signature_id: 3
+      frame.type: data
+      frame.id: 13
+      frame.length: 11
+      frame.complete: true
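Review bot: The argument `--set outputs.1.eve-log.types.1.frame.enabled=yes` addresses the frame logger by list position, so the test depends on eve-log sitting at index 1 of `outputs` and frame at index 1 of `types` in whatever suricata.yaml the runner loads. If that ordering changes, the override may land on a different logger and every `frame.*` check here fails without an obvious cause. A comment above the argument would document the assumption, for example `# positional override: expects eve-log at outputs[1] and frame at types[1]`. Separately, the `args:` list is indented by one space while the `checks:` list is flush with its key; using one sequence style throughout keeps the file lint-clean.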