From: Sascha Steinbiss
Date: Fri, 21 Aug 2020 09:09:34 +0000 (+0200)
Subject: add MQTT ping test
X-Git-Tag: suricata-6.0.4~244
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8319bfdbe2d8568c5995de879939d7cb904fbd86;p=thirdparty%2Fsuricata-verify.git

add MQTT ping test

See https://github.com/OISF/suricata/pull/5307 for details.
---
diff --git a/tests/mqtt-ping/input.pcap b/tests/mqtt-ping/input.pcap
new file mode 100644
index 000000000..42c9ff14c
Binary files /dev/null and b/tests/mqtt-ping/input.pcap differ
diff --git a/tests/mqtt-ping/suricata.yaml b/tests/mqtt-ping/suricata.yaml
new file mode 100644
index 000000000..bc1803a8e
--- /dev/null
+++ b/tests/mqtt-ping/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - anomaly
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+
+stream:
+ midstream: true
diff --git a/tests/mqtt-ping/test.rules b/tests/mqtt-ping/test.rules
new file mode 100644
index 000000000..45017bf62
--- /dev/null
+++ b/tests/mqtt-ping/test.rules
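Review bot: The `stream:` / `midstream: true` setting at the end of the suricata.yaml hunk has no comment saying why this test needs it, and nothing in the file itself explains it. The companion test.yaml expects every MQTT record in the capture to raise `unintroduced_message`, which suggests the pcap starts mid-session with no CONNECT/CONNACK; if that is the case, a one-line comment above `stream:` such as `# capture has no CONNECT handshake; pick the session up midstream so PINGREQ/PINGRESP are still parsed` would record the dependency for whoever touches the pcap later. The `-k none` argument in test.yaml presumably exists for the same capture (checksums not valid), and deserves the same one-line note there.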
@@ -0,0 +1,14 @@
+# MQTT app-layer event rules.
+#
+# This SIDs fall in the 2226000+ range. See:
+# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+alert mqtt any any -> any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
diff --git a/tests/mqtt-ping/test.yaml b/tests/mqtt-ping/test.yaml
new file mode 100644
index 000000000..28bf8e41a
--- /dev/null
+++ b/tests/mqtt-ping/test.yaml
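Review bot: The header comment on the third line reads `# This SIDs fall in the 2226000+ range. See:` and should read `# These SIDs fall in the 2226000+ range. See:`. The file also ends without a trailing newline (the `\ No newline at end of file` marker), unlike the two YAML files in this commit; adding one keeps the rule set uniform and avoids noisy diffs the next time a rule is appended. These nine signatures look like a copy of Suricata's bundled MQTT app-layer event rules, so a comment naming the upstream file they were taken from would make it easier to keep the two in sync when an event is added or renamed.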
@@ -0,0 +1,28 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ has-key: mqtt.pingreq
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ has-key: mqtt.pingresp
+
+ - filter:
+ count: 2
+ match:
+ event_type: anomaly
+ anomaly.event: unintroduced_message
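Review bot: The commit adds test.rules with a signature for every MQTT app-layer event, yet none of the three filters here asserts that any of them fires, so a regression in the `app-layer-event:mqtt.*` keyword path would pass this test unnoticed. Since the last filter expects two `unintroduced_message` anomalies, sid 2226005 should alert twice on the same capture, and the filter below would pin that; it also needs `- alert` added to the eve-log `types` list in this test's suricata.yaml, which at present emits only mqtt and anomaly records. A further `event_type: anomaly` filter with `count: 2` and no `anomaly.event` key would additionally guarantee the two ping messages raise no other anomaly. Whether suricata-verify picks up test.rules for this directory on its own is not visible in the hunk and is assumed here.
```yaml
# … unchanged: requires, args, existing mqtt/anomaly filters …
  - filter:
      count: 2
      match:
        event_type: alert
        alert.signature_id: 2226005
```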