--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+alert mqtt any any -> any any (msg:"MQTT PUBLISH JPEG message"; mqtt.type:PUBLISH; mqtt.publish.message; content:"|FF D8 FF E0|"; startswith; fast_pattern;)
\ No newline at end of file
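Review bot: The rule on the only added line of this file has no `sid` and no `rev`, so the accompanying test can identify the alert only by its `msg` text; newer Suricata releases, as far as I know, also refuse to load a rule without a `sid`. Ending the option list with `fast_pattern; sid:1; rev:1;)` gives the test a stable id to filter on through `alert.signature_id`. The same rule appears later on this page with `sid:18`, so the two copies should probably agree.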
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH JPEG message
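Review bot: The first filter pins `mqtt.connect.password: pass`, which means the MQTT logger writes the CONNECT password in clear text into eve.json. That file is commonly shipped to a log store with wider read access than the sensor, so credential logging should be opt-in, or at least documented next to the `mqtt` entry under `types`; whether the logger already has such a switch is not visible in this diff. If it does, this test should set it explicitly, and a second test should assert that `mqtt.connect.password` is absent when it is off. The later CONNECT filters on this page that expect `mqtt.connect.password: pass` depend on the same behaviour.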
--- /dev/null
+# MQTT app-layer event rules.
+#
+# This SIDs fall in the 2226000+ range. See:
+# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+alert mqtt any any -> any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
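Review bot: This events rules file is added four times on this page as byte-identical copies (the other three follow the next three test definitions), while each accompanying test checks a single sid; the copies will drift from the shipped rule set as soon as a `rev` is bumped or an event is added. If the test runner cannot reference the distributed file, reduce each copy to the one rule its test exercises. Two wording points in the same file: the header comment should read `# These SIDs fall in the 2226000+ range. See:`, and the msg `unassigned message type (0 or >15)` names a value above 15, which the 4-bit MQTT packet-type field cannot hold, so the text should state what the parser actually flags.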
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226006
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: invalid_qos_level
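Review bot: The two filters expect `count: 2` alerts for sid 2226006 but `count: 1` for the `anomaly` event `invalid_qos_level`, and nothing in the file says why the numbers differ. A comment above the first filter along the lines of `# <which packets in the pcap raise the event, and why the anomaly is logged once>` would let a maintainer tell a regression from an intended change. As far as this page shows, no suricata.yaml accompanies these event tests, so both filters also rely on the runner's default config enabling the `alert` and `anomaly` outputs; stating that in the test would help. The test definitions for sids 2226000, 2226008 and 2226005 further down have the same shape.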
--- /dev/null
+# MQTT app-layer event rules.
+#
+# This SIDs fall in the 2226000+ range. See:
+# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+alert mqtt any any -> any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226000
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: missing_connect
--- /dev/null
+# MQTT app-layer event rules.
+#
+# This SIDs fall in the 2226000+ range. See:
+# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+alert mqtt any any -> any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226008
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: unassigned_msg_type
--- /dev/null
+# MQTT app-layer event rules.
+#
+# This SIDs fall in the 2226000+ range. See:
+# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+alert mqtt any any -> any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226005
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: unintroduced_message
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+ max-msg-length: 50000
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: false
+ mqtt.connect.flags.password: false
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "P1"
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100011
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100009
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.message: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+ mqtt.puback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.message: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+ mqtt.puback.message_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
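Review bot: The truncated PUBLISH filters expect `skipped_length: 100011` and `100009` with nothing relating those numbers to the configured `max-msg-length: 50000`; a comment giving the message sizes in the pcap would make them checkable. Comparing the three max-msg-length tests on this page, the long `Y` message is reported as `skipped_length: 1010` and the `Z` message as `109` once the limit drops below them, which suggests the field holds the whole message length rather than the excess over the limit; that is worth stating in the test. The truncated events are matched without any `mqtt.publish.message`, so presumably an over-limit payload is neither logged nor available to `mqtt.publish.message` rules, and none of the app-layer events in the rules files above covers truncation. It is worth confirming that `truncated: true` is surfaced somewhere an analyst can alert on.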
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+ max-msg-length: 500
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: false
+ mqtt.connect.flags.password: false
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "P1"
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100011
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100009
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 1010
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.message: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+ mqtt.puback.message_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+ max-msg-length: 50
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: false
+ mqtt.connect.flags.password: false
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "P1"
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100011
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 100009
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.truncated: true
+ mqtt.publish.skipped_length: 1010
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.skipped_length: 109
+ mqtt.publish.truncated: true
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+alert mqtt any any -> any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT QOS 0 (val0)"; mqtt.qos:0; sid:6;)
+alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
+alert mqtt any any -> any any (msg:"MQTT PUBLISH topicX"; mqtt.type:PUBLISH; mqtt.publish.topic; content:"topicX"; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT PUBLISH JPEG message"; mqtt.type:PUBLISH; mqtt.publish.message; content:"|FF D8 FF E0|"; startswith; fast_pattern; sid:18;)
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH JPEG message
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: MQTT Test flags
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: "MQTT QOS 0 (val0)"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH topicX
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+alert mqtt any any -> any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT QOS 1 (val0)"; mqtt.qos:0; sid:6;)
+alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
+alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
+alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
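Review bot: The last two rules share the msg `MQTT SUBSCRIBE topicY` although sid 16 matches `mqtt.type:SUBACK` with `mqtt.reason_code:0`. The accompanying test filters on `alert.signature: MQTT SUBSCRIBE topicY` with `count: 1`, so only one of the two rules fires and the test cannot tell which. Give sid 16 its own message, e.g. `msg:"MQTT SUBACK reason 0";`, and match both rules in the test by `alert.signature_id`. The msg of sid 6, `MQTT QOS 1 (val0)`, also disagrees with its `mqtt.qos:0` keyword, and the same text is reused in the UNSUBSCRIBE rules file further down.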
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "myvoiceismypassport"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: MQTT Test flags
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: "MQTT QOS 1 (val0)"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT SUBSCRIBE topicY
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+#1
+alert mqtt any any -> any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;)
+#1
+alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;)
+#4
+alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;)
+#4
+alert mqtt any any -> any any (msg:"MQTT QOS 1 (val0)"; mqtt.qos:0; sid:6;)
+#1
+alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;)
+#1
+alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;)
+#1
+alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
+#1
+alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
+#1
+alert mqtt any any -> any any (msg:"MQTT UNSUBSCRIBE topicX"; mqtt.type:UNSUBSCRIBE; mqtt.unsubscribe.topic; content:"topicX"; sid:16;)
+#1
+alert mqtt any any -> any any (msg:"MQTT UNSUBSCRIBE topicY"; mqtt.type:UNSUBSCRIBE; mqtt.unsubscribe.topic; content:"topicY"; sid:17;)
+#1
+alert mqtt any any -> any any (msg:"MQTT UNSUBACK reason 17"; mqtt.type:UNSUBACK; mqtt.reason_code:17; sid:18;)
+#1
+alert mqtt any any -> any any (msg:"MQTT UNSUBACK reason 0"; mqtt.type:UNSUBACK; mqtt.reason_code:0; sid:21;)
\ No newline at end of file
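Review bot: The `#1` / `#4` lines above each rule are not explained; if they are expected alert counts, say so in a header comment such as `# the number above each rule is the expected alert count for the test pcap`. The accompanying test definition has no filter for sid 4 (`MQTT Test flags`) or sid 6 (`MQTT QOS 1 (val0)`), the two rules marked `#4`, so those counts are never verified. The publish and subscribe tests earlier on this page expect `count: 3` for the same two rules. Adding the two filters, keyed on `alert.signature_id`, would close the gap.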
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "myvoiceismypassport"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBSCRIBE topicX
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBSCRIBE topicY
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBACK reason 17
+ mqtt.unsuback.message_id: 3
+ mqtt.unsuback.reason_codes: [ 17 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBACK reason 0
+ mqtt.unsuback.message_id: 2
+ mqtt.unsuback.reason_codes: [ 0 ]
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 2
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrec.qos: 0
+ mqtt.pubrec.retain: false
+ mqtt.pubrec.dup: false
+ mqtt.pubrec.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrel.qos: 1
+ mqtt.pubrel.retain: false
+ mqtt.pubrel.dup: false
+ mqtt.pubrel.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubcomp.qos: 0
+ mqtt.pubcomp.retain: false
+ mqtt.pubcomp.dup: false
+ mqtt.pubcomp.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
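Review bot: The first filter matches on `dest_port: 1883` alone with `count: 3`, and nothing in the file says which three events it is meant to count. The filters below it cover connect, publish, pubrel and disconnect, which would be four client-to-broker messages if the client is the publisher (no SUBSCRIBE appears in this test), so the number seems to depend on how the logger assigns direction to an event rather than on the message sequence. I would add `event_type: mqtt` to that match so unrelated event types cannot change the count, and a comment above it such as `# events logged towards the broker: <name the three expected here>`. The same count appears in the later QoS 2 test.yaml that expects `protocol_version: 4`.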
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "mosq-dRkAMvJQvimi16jz72"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 1} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 1 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 2} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 2 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 2
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrec.qos: 0
+ mqtt.pubrec.retain: false
+ mqtt.pubrec.dup: false
+ mqtt.pubrec.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrel.qos: 1
+ mqtt.pubrel.retain: false
+ mqtt.pubrel.dup: false
+ mqtt.pubrel.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubcomp.qos: 0
+ mqtt.pubcomp.retain: false
+ mqtt.pubcomp.dup: false
+ mqtt.pubcomp.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "mosq-aGMiV6nelbCb00tvAY"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 1} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 1 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 2} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 2 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: true
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.will.topic: willtopic
+ mqtt.connect.will.message: willmessage
+ mqtt.connect.will.properties.content_type: mywilltype
+ mqtt.connect.will.properties.correlation_data: "1234567"
+ mqtt.connect.will.properties.message_expiry_interval: 133
+ mqtt.connect.will.properties.payload_format_indicator: 144
+ mqtt.connect.will.properties.response_topic: response_topic1
+ mqtt.connect.will.properties.userprop5: userval5
+ mqtt.connect.will.properties.will_delay_interval: 200
+ mqtt.connect.properties.maximum_packet_size: 11111
+ mqtt.connect.properties.receive_maximum: 222
+ mqtt.connect.properties.session_expiry_interval: 555
+ mqtt.connect.properties.topic_alias_maximum: 666
+ mqtt.connect.properties.userprop1: userval1
+ mqtt.connect.properties.userprop2: userval2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+ mqtt.publish.properties.content_type: mytype
+ mqtt.publish.properties.correlation_data: "12345"
+ mqtt.publish.properties.message_expiry_interval: 77
+ mqtt.publish.properties.payload_format_indicator: 88
+ mqtt.publish.properties.response_topic: response_topic1
+ mqtt.publish.properties.topic_alias: 5
+ mqtt.publish.properties.userprop3: userval3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 1
+ mqtt.puback.reason_code: 16
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+ mqtt.disconnect.properties.session_expiry_interval: 122
+ mqtt.disconnect.properties.userprop4: userval4
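Review bot: The expectations `mqtt.publish.properties.userprop3: userval3` and `mqtt.connect.will.properties.userprop5: userval5` show that MQTT 5 user-property names, which the sender chooses, are written as JSON keys in the same object as fixed keys such as `topic_alias` and `content_type`. No case here uses a user-property name equal to one of those fixed keys, so the test does not say whether the parsed value or the sender-supplied one ends up in the log, which matters to any detection that reads those fields. I would add a capture with such a colliding name and assert that the fixed key keeps its parsed value, or have the logger nest user properties under a key of their own; the logger code is outside this diff. Separately, `payload_format_indicator: 144` and `88` are outside the 0/1 range the MQTT 5 specification defines, so a comment saying the capture is deliberately out of range would help, as would `# "no subscriber"` above `mqtt.puback.reason_code: 16`, which the next test.yaml already has.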
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 1
+ # "no subscriber"
+ mqtt.puback.reason_code: 16
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
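Review bot: The CONNECT filter expects `mqtt.connect.password: pass`, so this test pins the EVE logger writing the MQTT password in cleartext. The config that appears to belong to this test lists only `- mqtt` under `types`, with no logger options. A comment next to the expectation would make that explicit, for example `# password is logged verbatim by the mqtt eve output as configured here`, so that a later change to redact or gate the field updates this test deliberately. The same expectation appears in the other test files in this change that set `mqtt.connect.flags.password: true`, and the authentication test records `mqtt.connect.properties.authentication_data` the same way.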
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 2
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrel.qos: 1
+ mqtt.pubrel.retain: false
+ mqtt.pubrel.dup: false
+ mqtt.pubrel.message_id: 1
+ mqtt.pubrel.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrec.qos: 0
+ mqtt.pubrec.retain: false
+ mqtt.pubrec.dup: false
+ mqtt.pubrec.message_id: 1
+ mqtt.pubrec.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubcomp.qos: 0
+ mqtt.pubcomp.retain: false
+ mqtt.pubcomp.dup: false
+ mqtt.pubcomp.message_id: 1
+ mqtt.pubcomp.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
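Review bot: `mqtt.pubrel.qos: 1` is the only acknowledgement expectation in this file with a non-zero qos, and nothing explains why. In MQTT the PUBREL fixed header carries the reserved flag bits 0010, which a generic header decoder presumably reports as qos 1. A comment above that line, such as `# PUBREL reserved header flags 0b0010 decode as qos 1`, would keep a reader from treating it as a typo. The `mqtt.subscribe.qos: 1` and `mqtt.unsubscribe.qos: 1` expectations in the later test files look like the same case.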
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+ mqtt.connack.properties.assigned_client_identifier: auto-6F78CADB-9176-19F4-B5F5-101745377C35
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: false
+ mqtt.connect.flags.password: false
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "myvoiceismypassport"
+ mqtt.connect.properties.receive_maximum: 20
+ mqtt.connect.properties.authentication_method: foo
+ mqtt.connect.properties.authentication_data: "1234"
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 140
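Review bot: `mqtt.connack.return_code: 140` has no comment naming the code, although the sibling tests annotate 16, 17 and 4. In MQTT 5, 140 (0x8C) is "Bad authentication method", and it is the outcome this test exists to check, so add `# "Bad authentication method"` above the line. A one-line header comment saying that the CONNECT carries an authentication method and data instead of username and password would also help, since the two `flags` lines set to `false` are easy to miss.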
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: true
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.will.topic: willtopic
+ mqtt.connect.will.message: willmessage
+ mqtt.connect.will.properties.content_type: mywilltype
+ mqtt.connect.will.properties.correlation_data: "1234567"
+ mqtt.connect.will.properties.message_expiry_interval: 133
+ mqtt.connect.will.properties.payload_format_indicator: 144
+ mqtt.connect.will.properties.response_topic: response_topic1
+ mqtt.connect.will.properties.userprop5: userval5
+ mqtt.connect.will.properties.will_delay_interval: 200
+ mqtt.connect.properties.maximum_packet_size: 11111
+ mqtt.connect.properties.receive_maximum: 222
+ mqtt.connect.properties.session_expiry_interval: 555
+ mqtt.connect.properties.topic_alias_maximum: 666
+ mqtt.connect.properties.userprop1: userval1
+ mqtt.connect.properties.userprop2: userval2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ # "Disconnect with Will Message"
+ mqtt.disconnect.reason_code: 4
+ mqtt.disconnect.properties.session_expiry_interval: 122
+ mqtt.disconnect.properties.userprop4: userval4
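Review bot: `mqtt.connect.will.properties.payload_format_indicator: 144` is outside the values MQTT 5 defines for that property (0 or 1), and the test pins it being logged unchanged. If the out-of-range value is deliberate, a comment such as `# out-of-spec value on purpose; the raw byte is logged as-is` would say so. If the parser is meant to flag such values, this file is a natural place for an expectation on that. The earlier PUBLISH properties test uses 88 for the same property and would take the same comment.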
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 1} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 1 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+ mqtt.unsuback.reason_codes: [ 0 ]
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+ # "No subscription"
+ mqtt.unsuback.reason_codes: [ 17 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
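Review bot: This file and the two test files after it are identical except for the QoS requested in SUBSCRIBE and granted in SUBACK (1, 2 and 0), and none of them says what scenario it covers. A header comment would make the intent and the difference visible without diffing the files, for example `# SUBSCRIBE topicX at QoS 1, then UNSUBSCRIBE topicX (reason 0) and topicY (never subscribed, reason 17)`. The doubled blank lines after the CONNECT filter and after the first UNSUBACK filter could be dropped at the same time.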
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 2} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 2 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+ mqtt.unsuback.reason_codes: [ 0 ]
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+ # "No subscription"
+ mqtt.unsuback.reason_codes: [ 17 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+ mqtt.unsuback.reason_codes: [ 0 ]
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 3
+ # "No subscription"
+ mqtt.unsuback.reason_codes: [ 17 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0