From 96fe47fac1a284b435d7a1830801469de84a35ac Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss
Date: Sun, 20 Oct 2024 03:20:05 +0200
Subject: [PATCH] mqtt: check SUBACK

This requires SUBACK matching support.
---
 tests/mqtt-sub-rules/test.rules | 2 +-
 tests/mqtt-sub-rules/test.yaml | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/tests/mqtt-sub-rules/test.rules b/tests/mqtt-sub-rules/test.rules
index 7639ec7ab..af559f020 100644
--- a/tests/mqtt-sub-rules/test.rules
+++ b/tests/mqtt-sub-rules/test.rules
@@ -7,4 +7,4 @@ alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:user
 alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
 alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
-alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT SUBACK topicY reason code 0"; mqtt.type:SUBACK; mqtt.subscribe.topic; content:"topicY"; mqtt.reason_code:0; sid:16;)
diff --git a/tests/mqtt-sub-rules/test.yaml b/tests/mqtt-sub-rules/test.yaml
index 2b909e885..68eb87d5e 100644
--- a/tests/mqtt-sub-rules/test.yaml
+++ b/tests/mqtt-sub-rules/test.yaml
@@ -47,6 +47,16 @@ checks:
 mqtt.subscribe.dup: false
 mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]

+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0, 0 ]
+
 - filter:
 count: 1
 match:
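Review bot: In tests/mqtt-sub-rules/test.rules, the rewritten sid:16 pairs `mqtt.subscribe.topic; content:"topicY"` with `mqtt.reason_code:0`, but the test data cannot show that the reason code belongs to the matched topic. The SUBSCRIBE in test.yaml carries both topicX and topicY, and the expected SUBACK has `qos_granted: [ 0, 0 ]`, so every topic has the same result. Anyone writing a detection for a granted subscription to one sensitive topic depends on that association. A capture with mixed results (one topic granted, one refused) would pin it down, or at minimum a copy of this rule with `content:"topicZ"` that is expected to fire zero times. Whether the engine matches per topic is not visible from this patch, so this is a gap in the test rather than a confirmed bug.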
@@ -109,3 +119,10 @@ checks:
 match:
 event_type: alert
 alert.signature: MQTT SUBSCRIBE topicY
+
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT SUBACK topicY reason code 0
--
2.47.2
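Review bot: The new alert check at the end of test.yaml identifies the rule only by its `alert.signature` text, which is fragile: the removed line in test.rules shows sid:15 and sid:16 previously sharing the message "MQTT SUBSCRIBE topicY". Adding `alert.signature_id: 16` under `match:` would tie the check to the rule under test rather than to a string that can collide. The check is gated with `min-version: 8`, so nothing is asserted about sid:16 on older engines even though the changed rule is loaded there too. A companion filter with `lt-version: 8` and `count: 0` would record the expected behaviour on those versions, assuming older engines do not match the topic on SUBACK.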