From: Haleema Khan Date: Fri, 13 Jan 2023 12:28:50 +0000 (+0500) Subject: mqtt: test mqtt frames X-Git-Tag: suricata-6.0.15~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5aa97fe4dcd1d79ea2b11771e7428b00bc690827;p=thirdparty%2Fsuricata-verify.git mqtt: test mqtt frames
---
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..4ebd816ed
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..f3b053b3d
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..85ad1e2c2
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
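Review bot: sids 5 and 6 in test.rules are negative checks (test.yaml expects count 0 for both), but nothing in the rules file records why `|17 0C E2|` and `|00 00 54 46|` must not match inside a pdu frame, so a reader cannot tell a deliberate boundary check from a mistyped hex pattern, and a count-0 check also passes when the rule simply never ran. Suggest a comment above each such rule, e.g. `# expected NOT to alert (test.yaml count: 0): these bytes lie outside any mqtt pdu frame, so a match means the frame boundary is wrong` — adjust the wording if the intent is different, since the pcap is not visible here. As a point of consistency, sid 3 constrains direction with `flow:to_server` while sid 4 (the `|20|` CONNACK header) does not; `flow:to_client` on sid 4 would make the pair symmetric and keep the single-byte header match from depending on frame.length alone.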
@@ -0,0 +1,54 @@
+pcap: ../mqtt5-pub-userpass/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+ frame.length: 49
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+ frame.type: "data"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+ frame.type: "data"
+ frame.complete: true
\ No newline at end of file
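Review bot: The positive checks pin different subsets of the frame fields: sid 1 asserts frame.length but not frame.complete, sids 2, 3, 7 and 8 assert frame.complete but not frame.length, and only sid 4 asserts both. Since the test exists to verify frame boundaries, a regression that still produces a complete frame with a wrong length would slip past five of the six positive checks; each of them should carry both keys, e.g. for sid 1 add `frame.complete: true` under the existing `frame.length: 49`. The expected lengths for the other frames are not visible in this diff and would have to be taken from the pcap. The test also depends on `../mqtt5-pub-userpass/input.pcap` from a sibling test; a one-line comment next to the `pcap:` key noting that renaming that test breaks this one would help the next maintainer.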