From: Sascha Steinbiss
Date: Sun, 20 Oct 2024 01:18:42 +0000 (+0200)
Subject: mqtt: check reason codes for CONNACK
X-Git-Tag: suricata-7.0.8~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdaeb9f251ea32a443af0dbf05dcdb57cf9cc260;p=thirdparty%2Fsuricata-verify.git
mqtt: check reason codes for CONNACK
---
diff --git a/tests/mqtt-connect-rules/test.rules b/tests/mqtt-connect-rules/test.rules
index 4668f5cb6..36015db66 100644
--- a/tests/mqtt-connect-rules/test.rules
+++ b/tests/mqtt-connect-rules/test.rules
@@ -1,4 +1,6 @@
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS"; mqtt.connect.protocol_string; content:"MQTT"; sid:1;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS2"; mqtt.connect.protocol_string; content:"M"; sid:2;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string FAIL"; mqtt.connect.protocol_string; content:"Foobar"; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 0"; mqtt.type:CONNACK; mqtt.reason_code:0; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT DISCONNECT reason code 0"; mqtt.type:DISCONNECT; mqtt.reason_code:0; sid:5;)
diff --git a/tests/mqtt-connect-rules/test.yaml b/tests/mqtt-connect-rules/test.yaml
index c72b79ae9..b097714f8 100644
--- a/tests/mqtt-connect-rules/test.yaml
+++ b/tests/mqtt-connect-rules/test.yaml
@@ -60,3 +60,15 @@ checks:
 match:
 event_type: alert
 alert.signature: MQTT CONNECT protocol string FAIL
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNACK reason code 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT DISCONNECT reason code 0
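Review bot: Both added rules (sid:4 and sid:5) match only `mqtt.reason_code:0`, so the test would still pass if the keyword treated a missing or unparsed reason code as 0, or matched regardless of value. A negative rule in the style of the existing sid:3 would close that gap, for example `alert mqtt any any -> any any (msg:"MQTT CONNACK reason code FAIL"; mqtt.type:CONNACK; mqtt.reason_code:1; sid:6;)` (constructed example). It would be paired with a `count: 0` filter in test.yaml, presumably the way the "protocol string FAIL" check is set up; that filter's count lies outside the visible hunk. For a detection keyword, the non-match case is what shows that a rule written for a failure code will not fire on successful sessions.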
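Review bot: The second added filter, for "MQTT DISCONNECT reason code 0", has no stated rationale; the subject line names only CONNACK and nothing here says why exactly one such alert is expected from the capture. A short comment above that filter would record the expectation, for example `# DISCONNECT in the pcap is expected to report reason code 0 (confirm: explicit or implied)`. Without it, a later change in how an absent reason code is handled would fail this check with no hint of which behaviour was intended. The `checks:` list and the filter that owns the first context lines begin outside the hunk.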