From: Sascha Steinbiss
Date: Sun, 20 Oct 2024 01:19:19 +0000 (+0200)
Subject: mqtt: check for CONNACK reason code 134
X-Git-Tag: suricata-7.0.8~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ca26ec2a930d0685d02538fd4542c7ff28330de;p=thirdparty%2Fsuricata-verify.git
mqtt: check for CONNACK reason code 134 See https://redmine.openinfosecfoundation.org/issues/7323 and https://forum.suricata.io/t/question-about-mqtt-detection/4890/3
---
diff --git a/tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap b/tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap
new file mode 100644
index 000000000..a5fafb6d2
Binary files /dev/null and b/tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap differ
diff --git a/tests/mqtt-connect-rules-2/suricata.yaml b/tests/mqtt-connect-rules-2/suricata.yaml
new file mode 100644
index 000000000..6fb68aab1
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt-connect-rules-2/test.rules b/tests/mqtt-connect-rules-2/test.rules
new file mode 100644
index 000000000..7f3655ef9
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/test.rules
@@ -0,0 +1,4 @@
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 134"; mqtt.type:CONNACK; mqtt.reason_code:134; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 0"; mqtt.type:CONNACK; mqtt.reason_code:0; sid:2;)
+
+
diff --git a/tests/mqtt-connect-rules-2/test.yaml b/tests/mqtt-connect-rules-2/test.yaml
new file mode 100644
index 000000000..34b3cc021
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/test.yaml
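Review bot: The purpose of sid 2 in test.rules is not stated anywhere in the file, and a reader has to cross-reference test.yaml's `count: 0` filter to work out that it is a negative control rather than a rule that is expected to fire. A one-line comment above it would make the intent self-contained, e.g. `# sid 2 is a negative control: the CONNACK in the pcap carries reason code 134 and must not be reported as 0 (see issue 7323)`, with the issue reference hedged as presumed since the linkage is only implied by the commit message. The two trailing empty lines at the end of the hunk serve no purpose and are worth dropping; the related suricata.yaml hunk ends without a trailing newline, which is the opposite cosmetic issue in the same commit.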
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNACK reason code 134
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNACK reason code 0
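Review bot: The `min-version: 8` gate at the top of test.yaml means this test is skipped on the 7.0.x line that the commit is tagged against (X-Git-Tag suricata-7.0.8~36), so if the reason-code fix from issue 7323 is also backported to 7.0 nothing here verifies it there; if only 8 is intended, a short comment such as `# reason code 134 on CONNACK is only reported correctly from 8.0 onwards` would record that choice rather than leaving readers to infer it. Both checks go through the detection engine only, while suricata.yaml enables the `mqtt` eve event type that no filter then inspects; a third filter with `count: 1` on `event_type: mqtt` for the CONNACK record, matching on the logged reason/return-code field (confirm its exact key in the eve MQTT schema), would pin the parsed value directly and catch a regression in the logger as well as in the keyword. `-k none` disables checksum verification for the pcap; a one-line comment saying why it is needed for this capture would help whoever updates the pcap later.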