From: Sascha Steinbiss
Date: Tue, 8 Mar 2022 22:18:36 +0000 (+0100)
Subject: mqtt: raise event on parse error
X-Git-Tag: suricata-6.0.5~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F7270%2Fhead;p=thirdparty%2Fsuricata.git
mqtt: raise event on parse error
---
diff --git a/rules/mqtt-events.rules b/rules/mqtt-events.rules
index 347f10db57..105225cb92 100644
--- a/rules/mqtt-events.rules
+++ b/rules/mqtt-events.rules
@@ -13,3 +13,4 @@ alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CO
 alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2229006; rev:1;)
 alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2229007; rev:1;)
 alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2229008; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT malformed traffic"; app-layer-event:mqtt.malformed_traffic; classtype:protocol-command-decode; sid:2229010; rev:1;)
diff --git a/rust/src/mqtt/mqtt.rs b/rust/src/mqtt/mqtt.rs
index 65e0e87359..737ec6beaf 100644
--- a/rust/src/mqtt/mqtt.rs
+++ b/rust/src/mqtt/mqtt.rs
@@ -51,6 +51,7 @@ pub enum MQTTEvent {
 InvalidQosLevel,
 MissingMsgId,
 UnassignedMsgtype,
+ MalformedTraffic,
 }
 #[derive(Debug)]
@@ -70,7 +71,13 @@ pub struct MQTTTransaction {
 impl MQTTTransaction {
 pub fn new(msg: MQTTMessage) -> MQTTTransaction {
- let mut m = MQTTTransaction {
+ let mut m = MQTTTransaction::new_empty();
+ m.msg.push(msg);
+ return m;
+ }
+
+ pub fn new_empty() -> MQTTTransaction {
+ return MQTTTransaction {
 tx_id: 0,
 pkt_id: None,
 complete: false,
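Review bot: `new_empty` is declared `pub`, yet the only caller this patch shows is `set_event_notx` in the same file; `pub(crate) fn new_empty() -> MQTTTransaction {` (or a private `fn`) would keep message-less transactions from being built elsewhere by accident. Before this change the `new` shown here always pushed one message, so a doc comment such as `/// Creates a transaction with no message attached; the caller pushes a message or sets an event.` would make the changed invariant explicit. The struct literal continues past the end of this hunk, so how `msg` is initialised is not visible here.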
@@ -82,8 +89,6 @@ impl MQTTTransaction {
 events: std::ptr::null_mut(),
 tx_data: applayer::AppLayerTxData::new(),
 };
- m.msg.push(msg);
- return m;
 }
 pub fn free(&mut self) {
@@ -454,6 +459,7 @@ impl MQTTState {
 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
 }
 Err(_) => {
+ self.set_event_notx(MQTTEvent::MalformedTraffic, false);
 return AppLayerResult::err();
 }
 }
@@ -511,6 +517,7 @@ impl MQTTState {
 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
 }
 Err(_) => {
+ self.set_event_notx(MQTTEvent::MalformedTraffic, true);
 return AppLayerResult::err();
 }
 }
@@ -544,6 +551,20 @@ impl MQTTState {
 return None;
 }
+
+ fn set_event_notx(&mut self, event: MQTTEvent, toclient: bool) {
+ let mut tx = MQTTTransaction::new_empty();
+ self.tx_id += 1;
+ tx.tx_id = self.tx_id;
+ if toclient {
+ tx.toclient = true;
+ } else {
+ tx.toserver = true;
+ }
+ tx.complete = true;
+ MQTTState::set_event(&mut tx, event);
+ self.transactions.push(tx);
+ }
 }
 // C exports.
@@ -717,6 +738,7 @@ pub extern "C" fn rs_mqtt_state_get_event_info_by_id(event_id: std::os::raw::c_i
 MQTTEvent::InvalidQosLevel => { "invalid_qos_level\0" },
 MQTTEvent::MissingMsgId => { "missing_msg_id\0" },
 MQTTEvent::UnassignedMsgtype => { "unassigned_msg_type\0" },
+ MQTTEvent::MalformedTraffic => { "malformed_traffic\0" },
 };
 unsafe{
 *event_name = estr.as_ptr() as *const std::os::raw::c_char;
@@ -748,6 +770,7 @@ pub extern "C" fn rs_mqtt_state_get_event_info(event_name: *const std::os::raw::
 "invalid_qos_level" => MQTTEvent::InvalidQosLevel as i32,
 "missing_msg_id" => MQTTEvent::MissingMsgId as i32,
 "unassigned_msg_type" => MQTTEvent::UnassignedMsgtype as i32,
+ "malformed_traffic" => MQTTEvent::MalformedTraffic as i32,
 _ => -1, // unknown event
 }
 },
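Review bot: Both `Err(_)` arms (this hunk at -454 and the matching one at -511) now push a transaction onto `self.transactions` before returning `AppLayerResult::err()`, and nothing visible here bounds how often that can happen on one flow. If the app layer stops calling this parser after an error, the cost is at most one extra transaction per direction; if it can be re-entered, malformed input would add one transaction per call. That is worth confirming and stating in a short comment on the arm. The bare `false` / `true` argument would also read more clearly with a trailing `// toserver` / `// toclient` comment. The enclosing functions start and end outside these hunks.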
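Review bot: `set_event_notx` has no doc comment, although it is the one place in this patch that stores a transaction built by `new_empty`, with no message pushed onto it. I would add `/// Raises `event` on a new, already-complete transaction with no message, for input that could not be parsed.` above the function. Code that walks `transactions` and expects `tx.msg` to hold at least one entry (loggers or keyword getters, none of which are visible here) should be checked against this case, so that a malformed-traffic event does not lead to an out-of-range index in the sensor itself.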