This requires SUBACK matching support.
alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
-alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT SUBACK topicY reason code 0"; mqtt.type:SUBACK; mqtt.subscribe.topic; content:"topicY"; mqtt.reason_code:0; sid:16;)
mqtt.subscribe.dup: false
mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0, 0 ]
+
- filter:
count: 1
match:
match:
event_type: alert
alert.signature: MQTT SUBSCRIBE topicY
+
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT SUBACK topicY reason code 0
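Review bot: The new SUBACK filter at lines 9–17 pins `mqtt.suback.message_id: 1`, but nothing visible in this hunk pins the message_id of the SUBSCRIBE it is paired with, which is the value the rewritten sid 16 rule (SUBACK with `mqtt.subscribe.topic`) has to correlate on. If the subscribe filter above line 7 does not already carry it, adding `mqtt.subscribe.message_id: 1` next to the topics check at line 8 would make the test fail if the pcap's SUBSCRIBE/SUBACK pairing ever drifts instead of passing on a coincidental alert. Lines 21–22 show `match:` twice; if that is not an extraction artifact, the duplicated key makes that filter invalid YAML and should be checked. The suback filter has no `min-version` while the alert filter at lines 26–31 does, which looks deliberate since only the rule-side support is new, but a short comment saying so would help the next reader. This hunk appears to start before line 7 and may continue past line 31.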