From: Haleema Khan
Date: Fri, 3 Feb 2023 14:29:03 +0000 (+0500)
Subject: mqtt: test mqtt frames for truncated messages
X-Git-Tag: suricata-6.0.15~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f0efacd7908c5992958210d6c624c756edbbdc3;p=thirdparty%2Fsuricata-verify.git
mqtt: test mqtt frames for truncated messages
---
diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
new file mode 100644
index 000000000..453e33df7
--- /dev/null
+++ b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP was shared by Sascha Steinbiss and was generated by setting up a Mosquitto server and recording communication between `mosquitto_sub` client and `local_broker` via a script.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/input.pcap b/tests/mqtt-frames-truncated/input.pcap
new file mode 100644
index 000000000..1ac1c2ac4
Binary files /dev/null and b/tests/mqtt-frames-truncated/input.pcap differ
diff --git a/tests/mqtt-frames-truncated/suricata.yaml b/tests/mqtt-frames-truncated/suricata.yaml
new file mode 100644
index 000000000..5d5fbdbe7
--- /dev/null
+++ b/tests/mqtt-frames-truncated/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+ - frame
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+ max-msg-length: 60
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.rules b/tests/mqtt-frames-truncated/test.rules
new file mode 100644
index 000000000..e3d5eda6c
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.rules
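Review bot: `max-msg-length: 60` is the setting the entire test hinges on, yet the config gives no hint of that; a reader has to open the README to learn it is set below the size of at least one captured message so that truncation actually occurs. Suggest `max-msg-length: 60  # deliberately below the size of a captured message so frames get truncated (see README)`. A similar one-liner on the `- frame` entry under eve types, noting that test.yaml asserts on frame.type/frame.length/frame.complete, would explain why frame logging is switched on here. The original indentation of this YAML hunk appears to have been lost in the page rendering, so the nesting cannot be verified from here.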
@@ -0,0 +1,17 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 1c|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|14|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|10 1c|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+# pre-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|0a|"; sid:7;)
+
+# At boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 04 4d 51 54 54 05|"; sid:8;)
+
+# post-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 9"; frame:data; content:"|c1 90 34|"; sid:9;)
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
new file mode 100644
index 000000000..9c2048713
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.yaml
@@ -0,0 +1,51 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 9
\ No newline at end of file
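Review bot: Sids 5 and 6 are asserted as `count: 0` in test.yaml, but nothing in the rules file says they are negative cases, so a future edit that makes them match would look like an improvement rather than a regression; sids 1-4 are likewise uncommented while 7-9 have boundary comments. Suggest a comment above sid 5 such as `# negative cases: pdu content that presumably lies beyond the max-msg-length cut-off, must NOT match (test.yaml expects count 0)` and one above sid 1 naming what startswith/endswith on frame:pdu is meant to prove. The `msg` strings are bare numbers ("mqtt Frame 5"); something like `msg:"mqtt pdu content past truncation point"` makes eve.json self-explanatory when a check fails.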
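Review bot: The three `count: 0` checks (sids 5, 6 and 9) pass vacuously if the rules fail to load or the pcap produces no MQTT events at all, so the test has no positive control for the truncated message itself; consider adding a filter on `event_type: mqtt` (or on `event_type: frame` with `frame.complete: false`, if the frame logger emits that for the truncated pdu) with the expected count, e.g. `- filter:` / `count: <EXPECTED_COUNT>` / `match:` / `event_type: mqtt` (count to be filled in from a run). The checks for sids 7 and 8 do not pin `frame.type: "data"` the way sids 1-4 pin pdu/header; adding it keeps them consistent and guards against the alert firing on a different frame type. The sid 1 check also omits `frame.complete` while sid 2 includes it; if that is deliberate because the pdu frame is truncated, a short comment saying so would stop someone "fixing" it later.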