From: Sascha Steinbiss
Date: Sun, 20 Oct 2024 01:20:05 +0000 (+0200)
Subject: mqtt: check SUBACK
X-Git-Tag: suricata-7.0.8~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96fe47fac1a284b435d7a1830801469de84a35ac;p=thirdparty%2Fsuricata-verify.git

mqtt: check SUBACK

This requires SUBACK matching support.
---
diff --git a/tests/mqtt-sub-rules/test.rules b/tests/mqtt-sub-rules/test.rules
index 7639ec7ab..af559f020 100644
--- a/tests/mqtt-sub-rules/test.rules
+++ b/tests/mqtt-sub-rules/test.rules
@@ -7,4 +7,4 @@ alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:user
 alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
 alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
-alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT SUBACK topicY reason code 0"; mqtt.type:SUBACK; mqtt.subscribe.topic; content:"topicY"; mqtt.reason_code:0; sid:16;)
diff --git a/tests/mqtt-sub-rules/test.yaml b/tests/mqtt-sub-rules/test.yaml
index 2b909e885..68eb87d5e 100644
--- a/tests/mqtt-sub-rules/test.yaml
+++ b/tests/mqtt-sub-rules/test.yaml
@@ -47,6 +47,16 @@ checks:
 mqtt.subscribe.dup: false
 mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0, 0 ]
+
 - filter:
 count: 1
 match:
@@ -109,3 +119,10 @@ checks:
 match:
 event_type: alert
 alert.signature: MQTT SUBSCRIBE topicY
+
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT SUBACK topicY reason code 0
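Review bot: The rewritten sid:16 rule in tests/mqtt-sub-rules/test.rules carries no comment saying that it depends on SUBACK matching support; that dependency is recorded only in the commit message and in the `min-version: 8` gate in test.yaml. A line above the rule such as `# sid:16 needs SUBACK topic matching; test.yaml checks it from min-version 8` would keep the requirement next to the rule. On an engine without that support the rule presumably stays silent rather than failing to load, so nothing in the rules file explains a missing alert.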
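Review bot: The alert check added at the end of tests/mqtt-sub-rules/test.yaml identifies the rule only by its `alert.signature` text, so it cannot tell sid:16 from any other rule carrying that msg. The removed line shows that sid:15 and sid:16 shared one msg before this commit. Adding `alert.signature_id: 16` under `match:` pins the check to the rule under test. Nothing visible asserts what sid:16 does below version 8; if no alert is the expected result there, a companion filter with `lt-version: 8` and `count: 0` would record it.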