From cede6f4a1dd9505c2b4a6b44c40f5789602dd53f Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Wed, 24 Jan 2024 09:43:25 -0500
Subject: [PATCH] test/mqtt: Improve multi PDU parsing

Issue: 6592
---
 tests/mqtt-frames-xpdu/README.md | 11 ++++
 tests/mqtt-frames-xpdu/test.rules | 4 ++
 tests/mqtt-frames-xpdu/test.yaml | 89 +++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 tests/mqtt-frames-xpdu/README.md
 create mode 100644 tests/mqtt-frames-xpdu/test.rules
 create mode 100644 tests/mqtt-frames-xpdu/test.yaml

diff --git a/tests/mqtt-frames-xpdu/README.md b/tests/mqtt-frames-xpdu/README.md
new file mode 100644
index 000000000..b97fe36fd
--- /dev/null
+++ b/tests/mqtt-frames-xpdu/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-unsub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/6592
diff --git a/tests/mqtt-frames-xpdu/test.rules b/tests/mqtt-frames-xpdu/test.rules
new file mode 100644
index 000000000..720acd1da
--- /dev/null
+++ b/tests/mqtt-frames-xpdu/test.rules
@@ -0,0 +1,4 @@
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 1"; frame:pdu; content: "|a2 0b 00 02|"; startswith; bsize:13; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt frame: header"; frame:header; content: "|a2|"; startswith; bsize: 2; sid:2;)
+alert mqtt any any -> any any (msg:"mqtt Frame: data"; frame:data; content: "|00 02 00|"; startswith; bsize: 11; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt frame: pdu 2"; frame:pdu; content: "|a2 0b 00 03|"; startswith; bsize:13; sid:4;)
diff --git a/tests/mqtt-frames-xpdu/test.yaml b/tests/mqtt-frames-xpdu/test.yaml
new file mode 100644
index 000000000..e77cd56a0
--- /dev/null
+++ b/tests/mqtt-frames-xpdu/test.yaml
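Review bot: sid 3 anchors the data frame with `content: "|00 02 00|"; startswith;`, which pins it to the first PDU's packet identifier 0x0002, yet tests/mqtt-frames-xpdu/test.yaml in this same patch expects sid 3 to fire twice, on frame.id 10 and frame.id 13. With sid 2 fixing the header at 2 bytes and the pdu at 13 bytes, the 11-byte data frame of the second PDU (`a2 0b 00 03` per sid 4) should start with `00 03`, so a second sid 3 match would only occur if the data frame were built from the segment start rather than the PDU start — presumably not the behaviour this test means to lock in. If the second data frame is meant to be covered, give it its own rule, e.g. `alert mqtt any any -> any any (msg:"mqtt frame: data 2"; frame:data; content: "|00 03 00|"; startswith; bsize: 11; sid:5;)`, and adjust the yaml counts and the frame.id 13 filter accordingly; otherwise a short README line stating why one content matches both PDUs would avoid the next reader's confusion. The `msg` of sid 3 also capitalises "Frame" unlike the other three rules.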
@@ -0,0 +1,89 @@
+pcap: ../mqtt5-unsub-userpass/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+ - --set outputs.1.eve-log.types.1.frame.enabled=yes
+
+checks:
+- filter:
+ count: 6
+ match:
+ event_type: alert
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: pdu
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: header
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ frame.type: data
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 1
+ frame.type: pdu
+ frame.id: 8
+ frame.length: 13
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 2
+ frame.type: header
+ frame.id: 9
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 3
+ frame.type: data
+ frame.id: 10
+ frame.length: 11
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 4
+ frame.type: pdu
+ frame.id: 11
+ frame.length: 13
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 12
+ frame.type: header
+ frame.id: 12
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 12
+ alert.signature_id: 3
+ frame.type: data
+ frame.id: 13
+ frame.length: 11
+ frame.complete: true
-- 
2.47.2
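Review bot: The filter for frame.id 12 lists `alert.signature_id: 2` before `pcap_cnt: 12`, while every other per-frame filter in this file puts `pcap_cnt` first; reordering that one block keeps the six per-frame checks uniform and easy to diff against each other. Since all six frame checks pin `pcap_cnt: 12`, it would also help to state in the README that packet 12 is the single segment carrying both UNSUBSCRIBE PDUs, which is the property the "xpdu" name refers to but is otherwise only implicit in the expectations.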