From 2bb5bbc26759817f94bcd5607f26cdc2a6ea01ff Mon Sep 17 00:00:00 2001 
From: Sascha Steinbiss Date: Sun, 22 Mar 2020 20:19:19 +0100 Subject: [PATCH] add MQTT tests --- tests/mqtt-binary-message/mqtt5_pub_jpeg.pcap | Bin 0 -> 37323 bytes tests/mqtt-binary-message/suricata.yaml | 16 +++ tests/mqtt-binary-message/test.rules | 1 + tests/mqtt-binary-message/test.yaml | 64 +++++++++ tests/mqtt-events-invalid-qos/input.pcap | Bin 0 -> 1343 bytes tests/mqtt-events-invalid-qos/test.rules | 14 ++ tests/mqtt-events-invalid-qos/test.yaml | 22 +++ tests/mqtt-events-missing-connect/input.pcap | Bin 0 -> 32240 bytes tests/mqtt-events-missing-connect/test.rules | 14 ++ tests/mqtt-events-missing-connect/test.yaml | 22 +++ .../mqtt-events-unassigned-msgtype/input.pcap | Bin 0 -> 1341 bytes .../mqtt-events-unassigned-msgtype/test.rules | 14 ++ .../mqtt-events-unassigned-msgtype/test.yaml | 22 +++ tests/mqtt-events-unintroduced/input.pcap | Bin 0 -> 827 bytes tests/mqtt-events-unintroduced/test.rules | 14 ++ tests/mqtt-events-unintroduced/test.yaml | 22 +++ tests/mqtt-limit-1/input.pcap | Bin 0 -> 205002 bytes tests/mqtt-limit-1/suricata.yaml | 16 +++ tests/mqtt-limit-1/test.yaml | 129 ++++++++++++++++++ tests/mqtt-limit-2/input.pcap | Bin 0 -> 205002 bytes tests/mqtt-limit-2/suricata.yaml | 16 +++ tests/mqtt-limit-2/test.yaml | 129 ++++++++++++++++++ tests/mqtt-limit-3/input.pcap | Bin 0 -> 205002 bytes tests/mqtt-limit-3/suricata.yaml | 16 +++ tests/mqtt-limit-3/test.yaml | 129 ++++++++++++++++++ tests/mqtt-pub-rules/mqtt5_pub_jpeg.pcap | Bin 0 -> 37323 bytes tests/mqtt-pub-rules/suricata.yaml | 16 +++ tests/mqtt-pub-rules/test.rules | 10 ++ tests/mqtt-pub-rules/test.yaml | 107 +++++++++++++++ tests/mqtt-sub-rules/mqtt5_sub_userpass.pcap | Bin 0 -> 1558 bytes tests/mqtt-sub-rules/suricata.yaml | 16 +++ tests/mqtt-sub-rules/test.rules | 10 ++ tests/mqtt-sub-rules/test.yaml | 109 +++++++++++++++ .../mqtt5_unsub_userpass.pcap | Bin 0 -> 1994 bytes tests/mqtt-unsub-rules/suricata.yaml | 16 +++ tests/mqtt-unsub-rules/test.rules | 24 ++++ 
tests/mqtt-unsub-rules/test.yaml | 115 ++++++++++++++++ tests/mqtt31-pub-qos1/input.pcap | Bin 0 -> 1451 bytes tests/mqtt31-pub-qos1/suricata.yaml | 15 ++ tests/mqtt31-pub-qos1/test.yaml | 71 ++++++++++ tests/mqtt31-pub-qos2/input.pcap | Bin 0 -> 1663 bytes tests/mqtt31-pub-qos2/suricata.yaml | 15 ++ tests/mqtt31-pub-qos2/test.yaml | 89 ++++++++++++ .../input.pcap | Bin 0 -> 1347 bytes .../suricata.yaml | 15 ++ .../test.yaml | 61 +++++++++ tests/mqtt31-pub-userpass/input.pcap | Bin 0 -> 1343 bytes tests/mqtt31-pub-userpass/suricata.yaml | 15 ++ tests/mqtt31-pub-userpass/test.yaml | 61 +++++++++ tests/mqtt31-sub-userpass/input.pcap | Bin 0 -> 1549 bytes tests/mqtt31-sub-userpass/suricata.yaml | 15 ++ tests/mqtt31-sub-userpass/test.yaml | 71 ++++++++++ tests/mqtt31-unsub-qos1/input.pcap | Bin 0 -> 1979 bytes tests/mqtt31-unsub-qos1/suricata.yaml | 15 ++ tests/mqtt31-unsub-qos1/test.yaml | 109 +++++++++++++++ tests/mqtt31-unsub-qos2/input.pcap | Bin 0 -> 1979 bytes tests/mqtt31-unsub-qos2/suricata.yaml | 15 ++ tests/mqtt31-unsub-qos2/test.yaml | 109 +++++++++++++++ tests/mqtt31-unsub-userpass/input.pcap | Bin 0 -> 1979 bytes tests/mqtt31-unsub-userpass/suricata.yaml | 15 ++ tests/mqtt31-unsub-userpass/test.yaml | 110 +++++++++++++++ tests/mqtt311-pub-qos1/input.pcap | Bin 0 -> 1449 bytes tests/mqtt311-pub-qos1/suricata.yaml | 15 ++ tests/mqtt311-pub-qos1/test.yaml | 71 ++++++++++ tests/mqtt311-pub-qos2/input.pcap | Bin 0 -> 1661 bytes tests/mqtt311-pub-qos2/suricata.yaml | 15 ++ tests/mqtt311-pub-qos2/test.yaml | 89 ++++++++++++ .../input.pcap | Bin 0 -> 1345 bytes .../suricata.yaml | 15 ++ .../test.yaml | 61 +++++++++ tests/mqtt311-pub-userpass/input.pcap | Bin 0 -> 1341 bytes tests/mqtt311-pub-userpass/suricata.yaml | 15 ++ tests/mqtt311-pub-userpass/test.yaml | 61 +++++++++ tests/mqtt311-sub-userpass/input.pcap | Bin 0 -> 1547 bytes tests/mqtt311-sub-userpass/suricata.yaml | 15 ++ tests/mqtt311-sub-userpass/test.yaml | 71 ++++++++++ 
tests/mqtt311-unsub-qos1/input.pcap | Bin 0 -> 1977 bytes tests/mqtt311-unsub-qos1/suricata.yaml | 15 ++ tests/mqtt311-unsub-qos1/test.yaml | 109 +++++++++++++++ tests/mqtt311-unsub-qos2/input.pcap | Bin 0 -> 1977 bytes tests/mqtt311-unsub-qos2/suricata.yaml | 15 ++ tests/mqtt311-unsub-qos2/test.yaml | 109 +++++++++++++++ tests/mqtt311-unsub-userpass/input.pcap | Bin 0 -> 1977 bytes tests/mqtt311-unsub-userpass/suricata.yaml | 15 ++ tests/mqtt311-unsub-userpass/test.yaml | 110 +++++++++++++++ tests/mqtt5-pub-mosquittoprops/input.pcap | Bin 0 -> 1713 bytes tests/mqtt5-pub-mosquittoprops/suricata.yaml | 15 ++ tests/mqtt5-pub-mosquittoprops/test.yaml | 98 +++++++++++++ tests/mqtt5-pub-qos1/input.pcap | Bin 0 -> 1459 bytes tests/mqtt5-pub-qos1/suricata.yaml | 15 ++ tests/mqtt5-pub-qos1/test.yaml | 76 +++++++++++ tests/mqtt5-pub-qos2/input.pcap | Bin 0 -> 1670 bytes tests/mqtt5-pub-qos2/suricata.yaml | 15 ++ tests/mqtt5-pub-qos2/test.yaml | 95 +++++++++++++ .../input.pcap | Bin 0 -> 1375 bytes .../suricata.yaml | 15 ++ .../test.yaml | 65 +++++++++ tests/mqtt5-pub-userpass/input.pcap | Bin 0 -> 1350 bytes tests/mqtt5-pub-userpass/suricata.yaml | 15 ++ tests/mqtt5-pub-userpass/test.yaml | 64 +++++++++ tests/mqtt5-sub-customauth/input.pcap | Bin 0 -> 1115 bytes tests/mqtt5-sub-customauth/suricata.yaml | 15 ++ tests/mqtt5-sub-customauth/test.yaml | 44 ++++++ tests/mqtt5-sub-mosquittoprops/input.pcap | Bin 0 -> 1744 bytes tests/mqtt5-sub-mosquittoprops/suricata.yaml | 15 ++ tests/mqtt5-sub-mosquittoprops/test.yaml | 91 ++++++++++++ tests/mqtt5-sub-userpass/input.pcap | Bin 0 -> 1558 bytes tests/mqtt5-sub-userpass/suricata.yaml | 15 ++ tests/mqtt5-sub-userpass/test.yaml | 74 ++++++++++ tests/mqtt5-unsub-qos1/input.pcap | Bin 0 -> 2194 bytes tests/mqtt5-unsub-qos1/suricata.yaml | 15 ++ tests/mqtt5-unsub-qos1/test.yaml | 117 ++++++++++++++++ tests/mqtt5-unsub-qos2/input.pcap | Bin 0 -> 1994 bytes tests/mqtt5-unsub-qos2/suricata.yaml | 15 ++ tests/mqtt5-unsub-qos2/test.yaml | 
117 ++++++++++++++++ tests/mqtt5-unsub-userpass/input.pcap | Bin 0 -> 1994 bytes tests/mqtt5-unsub-userpass/suricata.yaml | 15 ++ tests/mqtt5-unsub-userpass/test.yaml | 117 ++++++++++++++++ 118 files changed, 3808 insertions(+) create mode 100644 tests/mqtt-binary-message/mqtt5_pub_jpeg.pcap create mode 100644 tests/mqtt-binary-message/suricata.yaml create mode 100644 tests/mqtt-binary-message/test.rules create mode 100644 tests/mqtt-binary-message/test.yaml create mode 100644 tests/mqtt-events-invalid-qos/input.pcap create mode 100644 tests/mqtt-events-invalid-qos/test.rules create mode 100644 tests/mqtt-events-invalid-qos/test.yaml create mode 100644 tests/mqtt-events-missing-connect/input.pcap create mode 100644 tests/mqtt-events-missing-connect/test.rules create mode 100644 tests/mqtt-events-missing-connect/test.yaml create mode 100644 tests/mqtt-events-unassigned-msgtype/input.pcap create mode 100644 tests/mqtt-events-unassigned-msgtype/test.rules create mode 100644 tests/mqtt-events-unassigned-msgtype/test.yaml create mode 100644 tests/mqtt-events-unintroduced/input.pcap create mode 100644 tests/mqtt-events-unintroduced/test.rules create mode 100644 tests/mqtt-events-unintroduced/test.yaml create mode 100644 tests/mqtt-limit-1/input.pcap create mode 100644 tests/mqtt-limit-1/suricata.yaml create mode 100644 tests/mqtt-limit-1/test.yaml create mode 100644 tests/mqtt-limit-2/input.pcap create mode 100644 tests/mqtt-limit-2/suricata.yaml create mode 100644 tests/mqtt-limit-2/test.yaml create mode 100644 tests/mqtt-limit-3/input.pcap create mode 100644 tests/mqtt-limit-3/suricata.yaml create mode 100644 tests/mqtt-limit-3/test.yaml create mode 100644 tests/mqtt-pub-rules/mqtt5_pub_jpeg.pcap create mode 100644 tests/mqtt-pub-rules/suricata.yaml create mode 100644 tests/mqtt-pub-rules/test.rules create mode 100644 tests/mqtt-pub-rules/test.yaml create mode 100644 tests/mqtt-sub-rules/mqtt5_sub_userpass.pcap create mode 100644 tests/mqtt-sub-rules/suricata.yaml 
create mode 100644 tests/mqtt-sub-rules/test.rules create mode 100644 tests/mqtt-sub-rules/test.yaml create mode 100644 tests/mqtt-unsub-rules/mqtt5_unsub_userpass.pcap create mode 100644 tests/mqtt-unsub-rules/suricata.yaml create mode 100644 tests/mqtt-unsub-rules/test.rules create mode 100644 tests/mqtt-unsub-rules/test.yaml create mode 100644 tests/mqtt31-pub-qos1/input.pcap create mode 100644 tests/mqtt31-pub-qos1/suricata.yaml create mode 100644 tests/mqtt31-pub-qos1/test.yaml create mode 100644 tests/mqtt31-pub-qos2/input.pcap create mode 100644 tests/mqtt31-pub-qos2/suricata.yaml create mode 100644 tests/mqtt31-pub-qos2/test.yaml create mode 100644 tests/mqtt31-pub-userpass-auto-clientid/input.pcap create mode 100644 tests/mqtt31-pub-userpass-auto-clientid/suricata.yaml create mode 100644 tests/mqtt31-pub-userpass-auto-clientid/test.yaml create mode 100644 tests/mqtt31-pub-userpass/input.pcap create mode 100644 tests/mqtt31-pub-userpass/suricata.yaml create mode 100644 tests/mqtt31-pub-userpass/test.yaml create mode 100644 tests/mqtt31-sub-userpass/input.pcap create mode 100644 tests/mqtt31-sub-userpass/suricata.yaml create mode 100644 tests/mqtt31-sub-userpass/test.yaml create mode 100644 tests/mqtt31-unsub-qos1/input.pcap create mode 100644 tests/mqtt31-unsub-qos1/suricata.yaml create mode 100644 tests/mqtt31-unsub-qos1/test.yaml create mode 100644 tests/mqtt31-unsub-qos2/input.pcap create mode 100644 tests/mqtt31-unsub-qos2/suricata.yaml create mode 100644 tests/mqtt31-unsub-qos2/test.yaml create mode 100644 tests/mqtt31-unsub-userpass/input.pcap create mode 100644 tests/mqtt31-unsub-userpass/suricata.yaml create mode 100644 tests/mqtt31-unsub-userpass/test.yaml create mode 100644 tests/mqtt311-pub-qos1/input.pcap create mode 100644 tests/mqtt311-pub-qos1/suricata.yaml create mode 100644 tests/mqtt311-pub-qos1/test.yaml create mode 100644 tests/mqtt311-pub-qos2/input.pcap create mode 100644 tests/mqtt311-pub-qos2/suricata.yaml create mode 100644 
tests/mqtt311-pub-qos2/test.yaml create mode 100644 tests/mqtt311-pub-userpass-auto-clientid/input.pcap create mode 100644 tests/mqtt311-pub-userpass-auto-clientid/suricata.yaml create mode 100644 tests/mqtt311-pub-userpass-auto-clientid/test.yaml create mode 100644 tests/mqtt311-pub-userpass/input.pcap create mode 100644 tests/mqtt311-pub-userpass/suricata.yaml create mode 100644 tests/mqtt311-pub-userpass/test.yaml create mode 100644 tests/mqtt311-sub-userpass/input.pcap create mode 100644 tests/mqtt311-sub-userpass/suricata.yaml create mode 100644 tests/mqtt311-sub-userpass/test.yaml create mode 100644 tests/mqtt311-unsub-qos1/input.pcap create mode 100644 tests/mqtt311-unsub-qos1/suricata.yaml create mode 100644 tests/mqtt311-unsub-qos1/test.yaml create mode 100644 tests/mqtt311-unsub-qos2/input.pcap create mode 100644 tests/mqtt311-unsub-qos2/suricata.yaml create mode 100644 tests/mqtt311-unsub-qos2/test.yaml create mode 100644 tests/mqtt311-unsub-userpass/input.pcap create mode 100644 tests/mqtt311-unsub-userpass/suricata.yaml create mode 100644 tests/mqtt311-unsub-userpass/test.yaml create mode 100644 tests/mqtt5-pub-mosquittoprops/input.pcap create mode 100644 tests/mqtt5-pub-mosquittoprops/suricata.yaml create mode 100644 tests/mqtt5-pub-mosquittoprops/test.yaml create mode 100644 tests/mqtt5-pub-qos1/input.pcap create mode 100644 tests/mqtt5-pub-qos1/suricata.yaml create mode 100644 tests/mqtt5-pub-qos1/test.yaml create mode 100644 tests/mqtt5-pub-qos2/input.pcap create mode 100644 tests/mqtt5-pub-qos2/suricata.yaml create mode 100644 tests/mqtt5-pub-qos2/test.yaml create mode 100644 tests/mqtt5-pub-userpass-auto-clientid/input.pcap create mode 100644 tests/mqtt5-pub-userpass-auto-clientid/suricata.yaml create mode 100644 tests/mqtt5-pub-userpass-auto-clientid/test.yaml create mode 100644 tests/mqtt5-pub-userpass/input.pcap create mode 100644 tests/mqtt5-pub-userpass/suricata.yaml create mode 100644 tests/mqtt5-pub-userpass/test.yaml create mode 100644 
tests/mqtt5-sub-customauth/input.pcap create mode 100644 tests/mqtt5-sub-customauth/suricata.yaml create mode 100644 tests/mqtt5-sub-customauth/test.yaml create mode 100644 tests/mqtt5-sub-mosquittoprops/input.pcap create mode 100644 tests/mqtt5-sub-mosquittoprops/suricata.yaml create mode 100644 tests/mqtt5-sub-mosquittoprops/test.yaml create mode 100644 tests/mqtt5-sub-userpass/input.pcap create mode 100644 tests/mqtt5-sub-userpass/suricata.yaml create mode 100644 tests/mqtt5-sub-userpass/test.yaml create mode 100644 tests/mqtt5-unsub-qos1/input.pcap create mode 100644 tests/mqtt5-unsub-qos1/suricata.yaml create mode 100644 tests/mqtt5-unsub-qos1/test.yaml create mode 100644 tests/mqtt5-unsub-qos2/input.pcap create mode 100644 tests/mqtt5-unsub-qos2/suricata.yaml create mode 100644 tests/mqtt5-unsub-qos2/test.yaml create mode 100644 tests/mqtt5-unsub-userpass/input.pcap create mode 100644 tests/mqtt5-unsub-userpass/suricata.yaml create mode 100644 tests/mqtt5-unsub-userpass/test.yaml 
diff --git a/tests/mqtt-binary-message/mqtt5_pub_jpeg.pcap b/tests/mqtt-binary-message/mqtt5_pub_jpeg.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fd6e905092d5c1ca3446d49274572dbf622eacb0 GIT binary patch literal 37323 zc-ri{Wmp``)+pSAJHcIo26wjvf?IHh1Rop**SMeo0t62_IKdqfGz6D{U?D(o2<|f9 zK(?QAzI)#H+0XrRcky)hs#U9MSygrQTFhu$c?J@I0{mW301)C{3JWmbokRu95wJP% z=kk2!KFZir;1=5LzchgUS|5r>H`%Ilx_4E1hXij2cmV(j1>TN=gn{K_+*Nx`gp7=S z#qI1rb3-op@ZWGlHyMggFz&=aaMXH72(SGsx2x+{Zb(z8fIgy={=e6a{=e2u3&9cd z;SD4JxP?H1e&=+>g&M)d6G80x@3~0-54n&dxG4OY%MEG(MO{l*7qu0TM7{|SUpdeV zV&egzxIKVCu4JJ9&zfG@mHxlBD<(n?*Z-txID$(kf;jZwbJ6`Da=Fsf^v_)A`2m23 z0l*>z*dBO!x^nT!3JS=J^73-=ipmRc3CP~zpso(EBZkBP&_RR%@-;IAI}jy+`U_)A5Y=z61L)Q-GziT=d{=jX z7IAri_^;usDfRjV_}@&b3Y!a_R_*9{}EU z4X}QA-D3)P3gBR1U|?e4U}EABU}Iqukl^Fs;FFLO5s?rPkrUutmtP+LzJPGCv2pQm zZ{XqGAjZSPBfh%f5&!H$@ZSso{{RqR0A|2DWDo;@L;yl20KsPvs$#+0K{5y_Q9;+` z7nP9_%Aug5p<`fTVT1nKh_D&*uZ=eV5DEwx2?Yri9Ss8&8AkxoNPvuTlaLSfj@APr z2KPt&XvEPOWwMM+B-$S>1q3}F56Pi3$LMU&?N~vCNHfcyu-uK+wU%$q@)RZ;)|7t3#uTHhqRbSd9iz00*rBuZQNSTL%&*gHfmMQ)p2E4hsZXXmwF(Xl zI_lxS>g^)7#C2D_bTSDHzmt+Jza7%DPN8$ER9)1AOzC(eS@$8`s7@lRp!a|| z-R6u-ch=$@e^0e!HGX;KX^;3bXDIVjjs904c6GJBuLL49M=CPfX_dt9gi8l@epC_? 
zqE=N>oONW<;=f9q^2X)^KLz+^t|%V4V%OQaU%ukY4~mAVc3ifBGWFRp$|jC~QVR~i z2me*sj=7FVT;6#M^be){Me@$*uK}4GO;UbC`B8nJbFv^|CFJv#=2Ig2V{o9etTaFT z;!GyU_FO|`)8OF61?dsJ<1`#Vfdj){m${QhsnK^vVENUUTV+Es$KvY=peIS^syp>h zD9!oMGh#mOSCdHHWG5pIu5$jl48w%_8uvUU)}yv0J?84KO7u z@`3|s!KJ5afgAXBUB;@K+nIe#F$Ts3zY2~}kXZ&k^sgGh*8HAeBb{gUsWHDhaz7lK z-83|AToIY7`noBUcF9qEx)@hM8h+cW>Fldaw0Xgr~^6Zh+7NyP>bV~35Q$!YfaKMX3^-6yl5hOooq!--(I}$1&-EOw zMdUTn=A+%{(hWF}hS12|;jbF+J*j@&V7;%)X&}VhR6U~_HwYR1nrJIl0-e%pP$F}g zVG#>*xuCnKS>>!U(RP!(eU*j=IVz!*k^14M9zTbv^&qng9@^wYr3P4VUy1i8 zDl_YqDH(UU46g?9vQPLqm8VpUjy=o4TcieOq3Po{$wjkTSKz>hjXS5Y{XQ3tyT(wl z-JnC!+9ni7%FFERc0RcuP-cHP5O6L{e4)9n{zdG_QiP-$OZB$j`^wZ_n{>sIkgdWK zDWiQ)VXr&)ATwtA{w6Q!a)ct9b7y-GWZXSk4B^0H??6Pz$y!d$XvhwQ!MOs@g&w;o zghH+Eoz3}R;`1jXZ5^%khVCzSzbh{DE{vYm);Pd{0TVdzgGgp`1P)~Dzfe0Jd6DSo zzV)D^zO5?xC4^dY$jbTfYz7WsbaDs0^E?mEO51RXm_p_8om5qF^Ku49!vXR~uzJ7M zi7`tuviHF0S5M~1Q;F)!0Ml_kIa5 z%SSgWM|-F4?Pd-8rF87)D)j~ zkF1E1UvR9!fhmvFs+uoHRqs?&l=lm4oX?k~;#~BcPFLSpoN_7%r9Szp+8jVt)v^z> zC^{0^gniQ%UihXv#+Uje1q27OG&5n4%pl{Ao{ui(5B$6qyqp}XpI7YBZJug|jOahz zON_Jt5s+K8vH83Sc0K7uBflH8(R$H#-<$9xWU1kTL-YU#s{%JTy2i8IM`2vNB?sqX zV8+PIYF(&FM(WF(!5%sCaj|}P@bqSvYgNg4UziE>eg$-{f*{H(yr{u3l`5m(D{ZsE z>DH?6 z?71Z004F5k75Q1fWdh9gWEC+-+$P|FOZo*vJziYO#$~#O$y*NL$Eu)d6tUjZdjm73 zA+XETh*5}B7OQusUZaycIJM8!HFV8`qcGc3Vj@z>R!W$%Cp@(al8ji~;U1D{rn}+g z-(Sb`GUq*_P6Ycvs=5eHTkfKgH8&hq<8VTQYYY!1;lQ)|TX2BJ z;@INM=YkcQ1*_Mi(Ig%Le>ptMuf*i^iQ0X;wH$|H9I% zcPuRE$EK>#n{7S5l$-$rgEiQ~FV`$n+VFOD&xtG*@{b!a|VJoU#o|yIJLFa)pBx7<%bbEGZSVc7pm>O z&3oa!mc3&ptI5*IDW^U|w9tz@hpdtMJ^v$ptM}Z&tcJw3WKOJIQfX4qK@Mzz=67K<_pB0uUCqh zXw@yy^eJk)NgJnrz$_dE8 zaFy@!SW-%V3v697B@F-Mo8j!KFwgy!Lu`Kq+^jIZHMe6@p>B^aSvZLp&1|j?OW7Kd zK`muv(LuiZM$us0l6dj1+HK0Ax(>f_rG5W+6ZVoZ({+yOR?2T0TN+(eQ^5&){l#AC zX1kF*F!Ri%w_a7@?r^{Y;@-06Y>Gab1|2@tG^&uupIRB?o6%FW+F;%aauL7RLp@Ve zc$s86cI$h0xYFRO7W~Ck15Pz}>o@YT?@mKj2ILRSm-WW@x`*m;f@}k))`aSL}sb%~UoOlG1r`$fJIG_U7E8u(U41 zF@-x@E|>nx*d^E@3Xe@Oz9;gy*@bR9vxSe&w}ZWqaXVIS&F4Jd=ll*FD6||uo$-MV 
z^@Xf%*o3$rL|srCh+OiVW?jgFo%Zl|u5;h#=O_pa|`xh|1GsGOw`7r_G%zjIz zt>#-_BjS2N#d*)8lXu|xOG&K*{VKK{e^qWbn-^S20V6E*&alcypGz&rBVv;+v?>Nm*{bRrUNUFE z{F4iVXQo7|XNM4Wx#aTaF}O%Q6W}<^oqg}Gai(z+r6C0eT^`g2&~O*ZoZnC1$tGj>f`Gco9o?{LAJggfd(_{leBL z!lY%*;O2pR6X2Di=q2IomD_od)}mgVQKPvc70~3!Rk5EOL^r5sP<+0&72F&;bD$$= zxM#xh3S!b2H8Mimdg>E0^|DpmnkkYE8R{xzjhIw7@Nv|F^!7r$5Sw?$jF7e0c__Di zkimWP9!g&>ueZekA$_K2$+1JHuk4R(JR76H7t2=7MiNcp9P18S zHoVWw?iDHKM@Vl~S|F@j5aes8?lTr%VRmTXGTA&hq*T^i(s_Y?kr}m3XE(cX3T~8s zIYfPXwU9o2o%#Ou+sJ1dmvz>#gacL{_9ykps|AxY^W)9X_i!L-5%KN|YdP0Lxcyn_ zd1dkYHaHOBI2BZ~A0#vQ#qsD=x^`dY&bsp{U0-n7c~@?ENXLb5-)VoF*;W}Gu&bwB zlec8aKf1_7%)O^4NFKM3c|SY~qo-VFANd${+_AdVaoXdvT@hs6o=~`*9Efq+D1Xk;AQNQl%~!FEgTrP_!3e^ zcjg$9)96nd?*Fw?!fvAGOv)?`x`$XAO`0bAs-HPaiKRI{l^tB3t>F6fS1%gRo|7Ok zQzXjfgz%aXQ7nXeOgk>dk6#QQrkh>9w>oewloH>tZLZ%dPg^Sggf|hfuDiJj4ml1{ zo>jKIFg;CAJa|I5QP1z#Wh0#A{iRE?_BsE!#FtaVsYiS)&r7AO<-z_9ey20uQjsA@ z*;L)YndZ907k)UPc!@oH!Q9+|*!aStLuU)iB99D%hg^%61$nokPa?{Tj}i0m+^ju79qnS~ow%?xKM8 zZt3h}F?-Fs;d79(mV&UjD%H8A0OqU_NJP9axW}MiY?PCz`Qk;$m`$eRHMWo%JBY@87>n;U2o$ci}z%u-|5OSnYCQF>>C1>r5~AbnUg(R*dW7i0u9h z&)N%%8nkezosOexetf7)@z*S$N~6`FjOrkk{=O}n&;(d;-7{DHk7Xr7MpkW79D*`A z;6g{bea<79Q#i2gIGn$KLF%uyx=Fz=LvB00;00Y z>L@=m1?bdQF*XEnjbpyX-B{T%-Q)R4o{+`xF%XJ&x z?=euBhrf)7`%5MQ0BEo46o0NG?_Jk1e~+bJVOeinSFnBytzL6MKKLc#$75@YXmLW^ z(SGUl6O)mc^c#l%`fhv`ar^}%bbaUg9dkYA@ipuQ0PufXkXNpn|NgdXTVVWR(Vx-M z+dr>g+Gu~X)6Y8Pb>vU;H|c+>V0IN{MF6+}1n>ep05D($JODfqmj&PixB_;F>t6%Z ze+gP&jqqE1_CH3o{~+pBaq)6;0)EaMG)q@67i);7rGwS)?b=qJe7`E7i-opJtf#B<&-za>wC(JFX}?wu4dMj0vVrJ3sX?yB{}Uh7>ox>Hcr}-=E6R8O zFgCiKhpU&{pHOJ79$-7Li;atyGopqguXEK&^BQ+$$*YWnqK%7<#{*9r>uc%#+-!a! 
z#`;Nog}G``cDAGczo0*|mxq(CyrJ%&jsItiI>gTAPZ+cZPM*3C?EZwqv$8?-v+?y* zhA8Q(t693bI$bqj{EGe)F{Zt%hyNWXu-&hg!vCqf(y!<%>ss5`KJaq7%86lm+jw~X z8*=?$(SIh#wzQLTb#nFigK-Idc92#4t>H=x4Of?|C#I*Xo2Hj1#O9BN!*W6x@?Wqx zmad)%gZ>L18{uO6zmi|Cty@3)T}@}1ZQyr2@o#Go>AHSJ0TA*3Vxo753*j!%HvlNP zf1Qya|0e_SPX^+j48%Vfh<`E=|70Nk$w2&*f%qo_@lOWgpA5u58Hj%}5dUN#{>ec6 zlY#gr1MyD=;{U}A#C7!S=5=&P?0Oe<79Q`^djo<;F$1zlvle4&|t*M}_CV$NqM@bFr;)-+w0GwSs zJ+u{N=?#sH>CyWUeJ}wufDZs3SV7#>brf{31HAHb^biEmpTpvZV?RTrBV0=N=;?v~ zSs}1;^YBCrbM-?C0c#tG6#{;WfSr6i-LCLg@ke4y$151=D)LC|fe;V@lV8DhKVi;m znxF7h#(>z`*~J>>Zz?Of2J#Boie-9z&>gIPHU8TQe z#YWF3CMHU+WaHyx17Vw5N6LGZ1O-@3?85JH!k| z_^o>25BiW^%@=!5Pd9NM9v>ecZm^9N_mx3^EB{A=|DybXANSR8znO>r?$78t{gvIU zT%BCKJm?{A53FqHx&Atd|JNP=y&Rm{Hnuh%HZF)B`iNNucCkaa+r=8}33hd%2fO?y zC;l(H{iXbz*H_y`_9Z}U!42FPAO?^(djS+8YyjCb?aJ%F`ArQ|AGlh126W3m=ly?5 zbssmtxIp^<>3wdo|Hocun=1qF+c&(0*t^dfD7OUL;wlkHXskE0Gfa< zU<8;0R*0?28SnsnfI#38@EiyOUITGJ5|9pL1NlG+P!7}pjlf5s6X*d30T?g^d;=DN zbzmDf1kOMp5IP7KLC`cM44^jhZgN#7;L3SV)kQXQr^aKNd8Dq zks^`aB4r{KAyp%NMCw6;A$>zyM>;?Tkg<_Tk#8b%A&Vl*A!{NVBikZ-AO|CdBF7_V zB9|c7BX=Q>Ab&&NKt4f1Lm@(;N8v(|Kv6=`L$N|}M+rs=M@d4-L#ak-M;SqxL)k{T zM8!p=M&&>iM^#2OM72ZpL4A%IkD7~Gh1!7%LtR8YL_ycakFefi zm0)#XO=In0V`DR5i(zYFgRviCzr}u!{Rw*x`viv&haE=_#}vm4ClUvW^8sf9XAc(_ zmj(AWt}(7BZX|9#ZX51b++#cKl@%{1R@hk8L z@HcK?-e9>QcjLj0;2X&|>TZnRI3OS*;3Lo^a3%;RC?M!2SRq6wWFeF%v?hE?m_^t| zxIlzV#7HDZWJUCZD4VE*XptC=n3Y(W*nv2VxR|(~c$1DkDKaSw zsWPb(X%uNW=@{uL84cMTG8?j2WF=(7WJlywv}Jt5*vh!gM8~Ag6v$M_G|7y~EXr)poWR`0e8j@aV!-l(rG{mN zm7GyvZ1kwvN^J)vJJ8$u?w-=vnR6;a3FCAbAUNgIfgh< zImI|#I5RoNxp27daCvhTa?Np*a;tGa=C0xX!NbI3%oEMi#dFCk#OuVH%{#?M$fv^h zn6I91m!F;Aia(iuQ~*~%K_En+R$xbvL(oPrP4J5lk&wF33!zq_3tddO)q_4`knMQnVT{XWHM#uZ!_MuzMXq}`3~D1hdV`ge#r95ddODE9?6Nz1<8H5 zi+oq{Zs^^9c|v(T`6T(T3JeN%3WW;Wib9G3iXW6vl~k3YmBy86l&zHWmA6$yRDx96 zRdG~xRFhQa)!5ZM)auod)K%1D)u%O>HC!}mGyzRz%~;Kud#v}|?=@(lY2DLG)>_i$ z(+hP`lX;T`zQqHJiuVI_8VY1a1waOLCGQA z;mA?b5$XtcGH@z&#&EvxT<1dQ;^@-uO6%(DI^@RT_T258ySRIt`?iOwM=k^eF@w~4 
z5+e>%y0`vHQL9TlQD*&j~;YunK4myczf?a4zUh zP)0B)*fO{^gfZl4$l^oAhk1{%9yvbhd(8Vd=JEa$gD3S*X`ViOy6{Z#S>bcM=N`|; zUr4-2e~I!E{IdU*z^lYpm!a07pTl^=;=|6vt-?P?@I}0hfJfR!_D2avrM*Ub?ecmo zS|&O#h9Jg2W+7HRw)zeIo6tA=aTami@q+Q`30MhU3E$qTy{%1TN_?Goo@Ac{OO{P8 zO`%SCm2#A7ojRO$JFO(0COs_u^d0!!mkh;>>P(i*_$;(6@2sV4{p_wB(VYBT%G|Kr z3#be9Tb_1ad%j41egSnsR3TEKSK(@rY0+Tu-QwC3u9A#W($cW^z!R8 zTPs8>N-CKvQ>uunLaRa5e%0GG_BG#XjcSMLRO(vmCF-jhxEr92Hye|iNSdOWv6`PY z!(04Y4nDYj*!XDoaiP_sb*jyaFS%>Z|G(?ynvY8K@l;8>}Ca9BLkx8U8qOccgPvd9(+n0UH|A8~ZYDI{xj8 z^_P_ir-_|O@5!^NhtsIjp))sT;=fXV&75VME&V3^t!eJ=T<^Tj{M3Tg!uof}_w&W4 zOSnt%%XG{6EBq^ss|u@wYbI-p>u&338_zchHdB7w`cb)cd#iWbaC>pbV+Xz)zDKbK z-51<%J-B!9_0ak7>?rh@;yCX_^rY+5;B@)S=N$d~?FHLK{iW*VG~5{uhfg6sJuuL& z3gV7|gMp5LgNKEIfrWPi7Z(o~_r`yfaz_jT!oK`XxXRlT{7>`t zATuPxKjiJ(0qUzHJQDIB&oyZ1s2Ct*l&fEEYux}q$Vf;?n0Pp-2+Z{_Ew5Ad1cW!y ziHI5a`0u!v3kl0=X+N;^fIN=L$gChCWfTzfd=y>QIy6isryKi`Nykd>Nmg6s+}-(Y z#E_I%>3?L<9~mNsMnk$1<}Lw%1VTbW#Xv_xV6KHiup>YrM7_zU1X(R_ps6GXyt zX}M4z)__K99x~F&Vi-yPET{8Vk?Mo5RZ zqNJuXzOSzL-9jrM>9Ra_;6#-aosfKwI#_80S=kE~27mDjyT_^#oz5O(Y6n}N;K1k} z#Rg(0ubn2vPEJr|GQ2q;U(W8HwCr}0O|H`9ADz3_&^NgoTW0K@qkG9HCd4HP!*N)wW?;_+e~Q%Mvu_tMmC=4v!}58}X7t!re#Fv8Yjt0FvA~e@->P3RI^2vwVgYgC>yDoVLPxfJC!v&>NUOW*koH_mq?XTpsH)8#DeLm z?8Y@COl590g}&NI%*e^_sP}y-4hgI18Hnih7#aa< zguhu}_6l|i6D4oJovW!w8)FL4iSDQChoBvWtOmcn zySF`nulO4HTgp9RB#tQS!E&LLa*g($#+S<>kE>YE7*yl9aKzRsg$z=2&+D5|FLR~N^SSI!d=7P4*mb&Fd)!8S)ifL3X@8z^yYdup}Bbl(KmBn z?I|_lM3D5XF?sjmdlp7VmfX#T&ILO}M(b3L<=W4RzUMlu=PbK7F37r`$-1yEnG7wtKJn1;MluAn~=C;3Ztg|x)pp~U; z=0f93GT9BOaya`H_?iy1huhw|U{kX%FLF7(+O4qpklH4&;VHC(T%GVgn`djz8oy; zj%nv)J!bbl!_g{Os@w`x?MqAYPcay*;xhI;g;Jd@Ty#%rlR+^LZCpKD$`}C}O!B`^ zTNDXvHWIGUXb*Wc%V{8|S4(Up`J)f-Ncy z0OS~P#8)*@apamv)qdfpqPP|pXN!;7#BaV)R5$cS^X$FzV3jZ(r%Dp`bAOX|INo05 zXl0d*t5aw3q5Q*buNRVkpZLhwVe~WP!Bus(MGi_|y~SuQafX&lU$JK7KMP4DnmVew z*JVtxs{7>fR@Hoz=VE*|bG`DLx0oLu&iAJPfS7(A0d-zp ztiF2j^f1edC8-+f0^YcS3?ehm;gKf4J&#}%zY+*_l*9L>0RZ!2~9QsyUUh%RNeVXmqOzz(2=g`L+(X%O$iDhi& 
zDZ|PdDdxpHORCGrBxol)&NZ0bjx*eWAzBPoaGL+@cOE4nv+=bwt z8D$(t9J3CMrdB$V&^cCPzhpvy>0#(98;jah=VJ}U&PD^)C25$^_I?3ZVCrg5gSov$ zq}6w^s)9RkfCfs3Q?dP7eVe9_{g#c)9yIlf@LAhfiOFl&25@yUEo-Q3zL+<5ESoxf0B>yvW zU*0+MnEwYycwW#)`Oqn|Id%2Lzb)c&fiu%6deVaTtrqQCr3>|Ctw{?=GG)#uRE z7K{OnB5D%K3%a?aRUOv@xhf)@)o#_eoZNB=6agPpLW?Zm%?IlD|P33Pb=mMjFmNr zjL%5!AB9}>NlRAE<=1}ZImr;HFNyJ|Ok`t!Th>Ro($umj@!9UZ^H*c46i;r`RY#h4 zOFYQd<{VQ)?tM%0^>b_3y?J2<)M3h64BqxH3p#v4w4PP9IMxld)TJ>W4(^w}=+KE1 zlPvDk3UVP@3(@I;1C&o;^2N5{O|=J^s{jpn;BWIF8~OxR1BQVt) zQYUY<#P{-wSK6PJ9S--CWA@e4;>nuh)Xn?!E?3CKMWcFO^e4jsr~WC6(?%Yj%()Fu^w1C<`3EVA2L}q6r_ubLl!y)fJr+d=$j>%iKOQF4 zSDL1Lf-&yQG`Uvhh^?FJadN$O^sX0oKr1=*DT>lWlg0;k_(S|{O9Ewc(+b?-fNoXG zq{&d_?hs@>`Q$EuX?qL+m~s<4kspbpT}!;QvXCkH@2ZOX&l>dyJU~FeQkpiEM$p!tgA*_=+>TJb-c~i3EhqMGI?s1O=c@& zn8$XBa=hJrRBO$@X~I&c`A^1c4G$Qw5|WC`@99WJMPw%j5H?^6Z`6P8q0s-)u+i(V z^x0a;q(6E2%!L z9H^>zb6#=oi$hpXKR;DeYx?ZX2MwF>l{fhOY=Nw=qC@jTSq4~Ek6qW{2d2%BzJSXZ zmpA#$7cMOU5s@q?v z=Q?gVO?imT^xu8J0(9ISd?fw43b|E!qc0!zD+rk`b{DHn7v>Y(C@Pb_6~E50dh2UZ zO_>KQ-$r*M^_vfukh^cauY+GsiDnjUoy>||+Z@!~&nln$O${McwRlE0B%?;a>vK|d z@4lt{@`6ks1I(}$4rmv~X$*cX~GkXg$IFAS4&(kqOWoKnpw;jgxU$K-N<3i?dU?#CtQ^VnX6=5lF`-2u+Y?-y8k@lGKyhba0c;WvW85;xXI za@Zr?V=J`Bzx7Gll0ME6kA57USyH}sLMl!ksAHk$T+wZyuy5TLfH-LYZ-hBZST2^ko%Fboh4a2K)}Frn!6oRIWSlWo?aelKjL$H+#BBx)dtyib~*;}jHcGf;MJ74E9G=?Bzy41$G%YC^ddPi$imGb-Xe86PW zVU-^Koy9sY@zPJ-gWBz~Vp6@yM&kCuo6&}fmfr}y&n}fY!fX=Ds;5$r#we1%3681Kb+E0E7S&y=wBgpo z)Ht*8YgwAOj7{&-lxFarpmn&kIKj$$Sr;A9EL<~KH>f4ztuZ~MSNKNV{OpW}H)=k` zfH`2+wMNQF0jA&0;l)|lQ+m;yNGw=ZZ*z4LT=NYMxK}+J>dq0r@E;WpR0uAm zuqcT0v{Ui+5GKtG&=_`)^4i@!=o`m+1_$c5Mz@jf?g%Yyu~&rje&)+iVIP7L*D|uw zGBmf>mCuPE{}|D9RT`MsY3exO)izN0{Ji(DGe$^|HuOMYsm^xX?e)mG<5~{>*v-|- zZaK1-PZ#2giYE14)|Y$>Uu50t5fWX~=;M%y_Pp8sv3s0)MN}uY%PUVs)!9tL&)Hq7 zdmyu3y5f6w78z?fTMP1<0hqhSm9Vm~!=Og5|Gj?G>&>Xiw=buo>s2$8rY6OM1?TbC zzn>+ZsmZ!Ij^Rno@8H&a?lYUs?vHq|lAXYcYxb$<9NbPf-hCu+m?$ap%4N?SOkY$O z_+IUzxYt93b2>EQn}hdV-Ob!Y@Y>BhR~&7j)r7}+&;sB3oqSA{qDgIaC~KLNUH4qR 
zs4}~|I@Hdlw&COMIOAlL!_qhdJCC1cR;gGkSNIkg_FYexcX5nHru(tNSrrPI?C#M4 z)~X9>jFqZoN&mi=Q3fZzI$KL85)Pt#F(Wsp@NbFm)!Hu(G+#w2WE|Z))=EEKeu+4-xgI8- zQvbH9aWH6q4n%vsCuV;9IKG}US)EIH5~H9RPR zf`(3Or%r6Fi}6&$q^XZ5&EkQejrISQHkBaMJ;% z^iuH94)jKd1?%*{q$Q}wU!QTyZioLUYv?R5@Ye6XjO8TqDXROZ|9LeYoDrZ`;;mHA zt%0kQ8msap?i*!9$)=EaN&cK^-Iu(rkESm6=Xw?@xlnCwZD*tEv8uu)#|7T~3tE>O z;ilR?%B=bEO2F#N+W-i^%g0B1n139(JibswCBHSArKs_UWFn#cAj~ANFjjJc>M$On z*aTY!lRt?WCYfVg_ELkMpGcm$c%EB`-lM{p3NMTl!`emeZ+9ynlPGWrdhjrA8QiK~JV2A-Y$#>>c z!BU;{q60DMtB%^G9+K(Bq7i>ZywsA}pem9&&MyeZ!srallQojlFzU4!dX(~w2tD`& zt?%xTMJ&~Bec*!dkZ>X_(4dKIRJCxM-whNg&DregExe6R>-hq2zLd{rIEWOV zr9YJTNo`@T*?zkGlkSSlXT|8lrLAn=A0<*e034sSEq#@m3m_A&5-we95yjH8{X^nHRec&5NpTOia0% zeDebD#pi}hwNJL6LgX@bOIG6c6TYl%o7<;8K2w+G>5e-FzV|;xu8wCJ&_Th|Q|Mu2 z)YBkV6r(EKVvTk3Qz$kYFyf%;&K;|hGG^(gLpQFE&5rGHoSAZ2Ky^}Q=VFg2ni4WC zeU#WZmmHTUJQ2;3`)!6`ImUOT{>y`KAvTSa6n6QJl3bf-N*ZDr%*;*5GxqhmM(bHc zkMy)e%DX-tdQ^q5&7ptNxEGURmSQ&YjhXy2H@|_pQIpa6n$|yJu)4zQ3ar__%S~lBEC4O&1OXbssqh)6#0S73{*&{H(sljP2RqO16i&_UxCX1u$T>BC4GN74uq-a8khcF`JixNiB`NK71@5%hsH!#eU z9~z_`AG6>9BvX|s`gP}twP_+HM@m!n-98nEWi#f_&Hk&Rw*G}Wm7}Ab7ZKd6YKk{y z1@qS+OC>9cu4l^RSdztd+Ww<{)7FQyw?TagfW+#pHODmyRb|RTno%=zkjDWhzz_nHbUmYQ0zO>b1mkxkN?O#B}A86ZazK7F|X*cy+E zIsf1*GQ*0F35RVQNIP=fc6-695BU~pwMuwaMz;Le zva|uK9|7gpn4~0GKi;^s{n&h{clYTIC83}X25d$G1e_9ul;Eds7P z-&ZOhk$$Cb8=9R$W=b7o!dhmi%G=nFCQ5kw5f0$xx0J>Xx~?g8t(>bnsjcZecK5Dm z)c^D)>uKjbs4QX_3hnY}6{<5g>S0{K8#N zTf=y)@;u^HXmw0|#HV_y5CA>=4C1Z0pT}MOg=1F#IF+Bhkg~IYMMHnPlyB>jMhCIq zzndNX`aHa&pD*QpF;mjAqLq+MWLu{Ox5kdQf7+<8u;f~t-D`~`(wlVe=j@Aw2uBsQ zSI6|39L9yH;#G6fGH+W9?b|8hQhJeOC$Be;DR$~TQyEU78BuMpM0JcR5T0tk$BJ?z zH&_5>HZ;T;$Bv_{RbN^)yqv^TNM+DOX&~1ZcSd~LUv^ju$dQb@Dcu{pZI{?3$c#7a z*xvYP9H%&mMWvrJLJ=wuEAW0(!xR8+t(uqjFcr2jrX1`g2z*=AVb(P#Hci+N74_aK zK1fy3*T4PVTRO|ie$5dkt!*TnZ9Zc7vM#8^-GY>*3#JxSpBXE4&cC|&t%=AYdz@HM zB`T*&^X$N@}sDo}k8jMDfWIgdVtMp;!O4qHE3h@GS!o1NvvB+Z|_saVlXS}+Y( zVOaZbc6xHYberN6k6nQW%|ohFQHlBw@g!IAXgbU-x3W(;Y1LDS+0fk$-ZrdChoQ&X 
z$zvPi=U6Y*bIji0m4hNr>*P^F}j4?()MYEBXs` z`HU+2`P+8w(On!g#6^mo`}$2KW1(TKp}K~T$G4@19Tb);OSEqnPD?zJgnf-aeXaib z+g)Ra8k)U!!~0f}0{Jdp!l`HJLT@X*3@9gf3c!Uv#r97g;@Q{w7r%E& zj$oEH+Kg3zX&lDbt#M5iv;3%rY1@<-ri>j=Aif&&oe4P&j46n;t9_eX?{eGl*xTo8 zm6DySvwqCfc;l>_J+589;1NES6vwYSnm^0$%^^5m|2-#SlAua(IkwJ{+qjX{n~^{( z2Y0PJH9uCkBl^|1?iS7Vm<`X-DQ^58b1jw-$I;|xZERMgw7DHDIkT~6R8{M>bE)>u z?&?0aES|c$W2g43Y(^Qx%CS0e0WNxrkUACbIpLMkg1qlBVCt05i=XPPO|$%=4D6?& zVh~6IH;G#jJj|Q=xfwkq*ktmiUj?R9 zxawJuC7tc%sRLD7*c=urm z(#m!TCIPjSzC~(<>N9&feg@vV5)m9eG?Ds39zi-WXnWi>XI$*Vj^#Ak^_ig&WIE)l zDXB-?VgBs0FO!T*0(G-sC|PHT28ud8FEmS>TQYY6+6FV0tvczrh&mzS?}toNN2Dxx73DL|&bq~LKu`bW5&L#kSaJASO+Qm!U?!s$L4C9k zgHKded4`H0SmBMgyvb>cUoR}5J@(CFwFVs6#v>8X{jp1j=#^^-mX zkQ~bv6?De6*>~P{Yf0+qmnvtU7reJoSZ?_MGmY_XWnNp~`KOV=r-W0#ns}si%9>OTY=zsy2o~_4@87dMx=f zw$Lybdy|VTw`s>8bL^OoL44m@mm=O)=d|wuVH{>YpIl>!VjF%qz-_nKTbMnooyPDW zs<;r>+CZ4Kdz59I{V?0oHHgJi$**gERopQ2b&$4m0RLEIEWVa*7Uq%Bj`3T5VUx;g zheLgZ&?R@RFc#@ zLefsY>eZSM)DLLYt(g|y;opJ-3m$NQPhw`mo^LZiYr{jVL~ZgrVpsW)=jF?3>Mpp) zrEQ!;GZ0eVA42jx4s+3e{*=f665*^Vp^r437p{E^UBj|>72R7*_I!8tUypZQ#MdnL zeCm6Cu-{aB5@!!A^uL~))?4B})y(|(ePT%VwGWA3Saa;kdp}{%dsXjF^^WC^2=_}B z5-5U4YImpWQw_dbuduC2)^J1hPAJ5&Ow(meDY$8F?Z~sIU?92Ci^k^tzRlkIeeWG? 
z0jDpvzzBoi91t9i#|k_Zu$IXfJTdT8PW&xG)Esk0V~*WN^xgst?Kt6Y0jLuP(~^JN zX5aj}_pbBUOFwhrJB<-6RY^y4%NDVgtidG>lz@~k4QgB85x$!$@Ge(=EZMpsbyHol z*JV{W9ZTvIzXKS~e=#CxF^W216NJK0?U$ z83I!cjuWC8Rhol@rayPlWHKKK&KWWeY`G_Y*(}SUaU2TP8?K^G&CT*@35!Z`eNa#s z=%XUcSx6;ZH}6topIK0~snNrE)GiJ4DXP%@ktAYW*c30~Zk`IgS*jfzmYt(tWNsup z@*`%lmLh}p|7-5NgWAfrbg%Aq#Nal`m}r}5a+5Rewh;tl;3b zr+gXIU4yJf4qL*~J5aS2=!|qYUaR{}mG74mo6lm;iWKgxcw2?1i{Qr9lU0#>Z514&WZKe8`g&N^%j=jbr7F7XX$PBS{eiBbDiIh1M5* z?3YSg!{27@$;{H-G|Z0N=ZZdjx@_(9=T15RUs!K41xb;K3RZ?NV=<{M=YSRSfu}^3zL2D&@Po^FZ&3SG zeEO=HhUs`L`Ds3OX1vfLHH|0jBnGR@ zAW(tjQ`hh9J%(wI2Z9U zP5DV0$C|y^H?cvIF!x=k>&T!<-b%Dk5GHh^YwPjPDmJ3(M>RQb2DX4_7i7QW9+gVp z2;$b;&kgnV;*@)A8=%m4hRH-h`j>yVOxu~3)HBHJHf=qP4bhM??%RSSe`8gEr?G{z z&E1ZSe$FUt;!w7(9pPsqR)V#6i_AJulm1M910B^y``9x8ZLh-mOS7q6;{%e(sy08X zk6PD9DQtwy@+C!-an>3eEdegdX>HNm`)Mx1xfv$98SUQ0WkRW;ljuo}#S+dbzsTcV znTqA!0^M*Y)$3;KQNR~vrBDGM!i$>moNjx6O|{@3os&P;^wV8SLT>g_0=%@p#kYDx z<`<5U;f&G!03YB7gJ1lGCQF?PN#}s&DH24FKC2RZaf^5KP*9!o!%+(m9!e%pKdBO;+ z8lq^Y%lrM?MKK59I{&itydH*ud(3Py&P$|Wzr7E$K51J{xwY|YaA387X}`h&lqK#-2i z;;c0zzJoH{Ax}Q!Vj6%Y~Elv@ma1-d?)hj-OOLqBJwRGVJ(BAQ-hF#lzSkUb^OM zA`9+lH`s&c(X+Sf_*i3X76_;)}$iTSWlDN5Eo@(#E2wkzc%opr4Y&3d=k6RG~bMPQVsaCIkNV6t6X^! 
zKjE!%BDI@9^r$x=?6BA=X35s>ZY3@CALB+3#l$+= z@-|`X!`SJ5Gsh=xr}xTR*^&u`DPMk^FXL}S=#HSc^G8aeQSXHZa=8>#^gKYT)KJS# z7z>^e#Xhp9=y08eEsK349t-4lhz`(*G2+iJO22OUBpcM6IHGvvg8|*gA&KW$Akq6Y zE8n3?bX6+8(`b_i%y1Sf)*pkv(ldrYSa88a^z!HQ46lM#3`W!n&H-N5t1fwky{ho2 z-yJf)!V~Mwqe&t!1CeZ{lG4@ZfPt8LT+N}6_ZGqCLFt5e{8ipB_iT1m56dZVeX)QQ ztymfTKv%OyC(A~sseous+6&{XCQVi3bEW~bx?ssZm=Wn9_z3{$xOeL@TC&g7;#&zF zQk5?#1O~}?Pj}M&8x@N0lub(|o&)Y1wIj^Vc)lexL-CQBL$RnNqmQ*O;kTZNj0DUY zkgM9CK2h*9^B&fU>BZ5{xS-6l@V2vg<9f9*VmP~0=sRJ{I@Oc?cm$38XDx%>9sw=q zkgH|o>Rs5gREg3y6} zTWrpwuLSt-Kp@mQ^|wyyaJDS-Gu*Q9F?RIZj*8rAtbse{LuRw|^{mQud{%K!L^hm_ zb`FS;X43I;nMsdrXuiho_vx^uuA>ID;$`M&c%W9)gQ7&&F_0}Ymk0sCLU(5MkCnAv zUSFpxoAVtqu1`B*PQ&u&0lxDBpZ}SHVp5JNh__Vwk|_9w{9Mb>z>jquJteLmOuW1d4 zxxg*xHuY(;A>pI_gFc;D>DG)d-{}0AfOTwy>x%OWh)}dng*1ETTjRTU#T?VT=m5~B znOf1JCH$k9RWsYW@Vt4GbvQab4(x(Wmk!jEfyhIp)YuJIEBYx?L|+LV=}>Imrsd5_ z!DA|RQ%|3U{Wj=~dV}-X^g2QF1Ei9EYs!3n<)&=2SZnC)iwx>CtYr##4)DVc?RESX zNMa@@6}r@**a$Mt+(%NdQncp@r%i)>xacZ*o;I4`TNvLt#UD+r^0Kju3Y%^CiPN`; z67+q38wY`(E|{bpG7b*)@M>K*)n`rY4tkoG>oMxdJVjW;d4N&1rOjcY`@{ zqk3yqwRlc}@ZEs7zVl8M=}*0+|5i`kSReD_ zk4lR7ybGZp`2Dl^7uTxyWh$nmV4P@-DKYrgVbqF>?(gs}cXZ3L4X`CmU;T!#kKX7| z6ZFC8X9!S}GdG1pV9xtKko<|H(Sdk?Bl&paQ>$tyql8#hGV!Q9cm(C^%x;1gb$0(q zEboGgxQZ?mupf;eg(6%lgkV6)^3lp23HZrdG^$Q4iqi?@-xF$3`PJUY-=sxwsYk)j z;o;TQFYQZ^B(Qu}X1U7h7ZtN@O@J`LO5v%*Uk?ZiDRW;jiY_6z#hOltqHbF${V4V{ zU($BN$mxyJwK0blrEz_A;#IxQ2!C&S`us4ST5P!9LECU9TS^?9@?J2Va1&)xx4x22 z?X{Jg+8}SNWx73HS`5qqhV&Si3Lq^61`(eJl?$L@)f0AitPYU?r~o(GqUgvGYNk- z3xDwMOow9ism(9%j_gx43gPwpHA-FR;PlSdrv+Z|vZHw#7?vr4na=WX>$rep89}md z4htnnX6A*5n;;gouHu8SZXh$fBUZ5ndEmQ4@I2Q~QAKL37#GeJ zcw3w_MGrVuC9?z|gD0GpbR-eGYlH7uhwti92b8@s%670!c_z>tI}Tc4FNPtqx>2T*OZ-*3nTh3kaUV>@Br~8jL-Y9^@r3w`yG0{E5WHu0@+9L$XmQd ze`+j|QC)5r!@C1?PDe`h1LoqAJIsHlDW%_n$>|tS1LVxWK|*b?qwm)6tQ`k`sYE_3 zeCZqW>r$nJC2*-y%kN~zl6c(-w=MGb!E#$H&f~0=2ll-;f7fEfJgD%R)GSIfWwyV)F(E=G7 zw<4QVlNe~6L{zCjG~UeM5)Sn8vZz7T@~zA;*?^oMoz70k6p>?T!jD;FCPKeD1?A 
zp=khQO7Gc>WdUww)CE)y@%{tIZ?%6w**W-d9Q)K`yNgD`9+$I2q0j8|^4#{g1ud2e z5rm~kKSRTkIPY;f@Q8lrUXcSd2n~B?O}NgpP=;F+Q@}RStrOl+?OmrcT={j8wPDB8 z0c!Dy3m!W6gu|pRrErWi$M+ZhdSQ?}c0m@} z$F43~AkpXMRV{BYxvx!>v%6|ge|TkAcEu5lH#8>+9iA$Th zH(I@#s%$&}RuJZ{j%c+lgAJn0e)iPk-L1d3H|~r98M3C-wm&Ylti_mQ`Z=Z07D#|h zK$9C^hM#X$=ZV$3Ysr;K<<7@31*uuBig`(eVx8vj8Jl}J0k^VJ_fjpNa8^jnseMdi zletB5l9~#kTs4c_MJ)Lyv}cpMz-fCBw!%RTZwH3|*f5al|Q$=s)aHxiqyW7Z{ z|FbyX=N-)q-68fEkC zG80j~-Kbh^?!r7End&Fmqvjrk+druMncXQRGsj2vQ5^h(T@;%OAlX{Ov@=pv3hL)4 z;hO;I;~8x0uFM=(;Ujni5$CPW0d2KPU!_V1V-Ax)$U^YSHo)}_8Cb3%+7Ny)R?=D; zsc2R)wMHCHuA<6NpVla9blr@xt{Gi)T-(uM|MfDNl1!shi%#{DMGM~-XMgaH_k}0P zc>A#PP}ju}51&7i<+gIeyZcoo5o-nuZ_$l3iZ*wGI#SwDwbhrbP-aRH^m5KQz;$K# zluNLZaQRv5CMW@}BSGiwK{H36jMjbCL(`P0^D~NX+4su=Pf$8FUU>2+*Ev<=nMVU( zIk$fWz%$y~-P~|%>~J$FM6NJ#r&LG_;$U0ut|^$kKVOXho}I^RwN$67FqLPYe;B)t zrWd)gmLcfSMW}t)b&;-5k7@<&R=MBd<_c5iu@-FHmh%hC0=_hSTLN`ZCV6Y{wWT3g zGPF;o3_WrjA=T-*6!6mz;HW%*aB-A*UAYcHgMHZ9b!8bhq#9@?;?C@cQF~_ST)>cg zVjSY1w~`dhDbTFciD27j?Yp*MVLmK}7@$OwYBhu&=$}3OZtH;er}`$%-uLO~+TZ&O z!3gG6!Hrx?%`R)_PcCG5*5~~ewYgVKFATW>y7qoZM4H-p3el8g)uITEv?o`{+dFIU0@A&f%X!rF-gkTPyH%SH*BF# zBq-k8b;obHuR^)eZ$BH+tRdPSViy~e3;5MvNB+95dl!e%lLm@0MGHAl{hMVhxm-yx zuSEaTrgFlBXG#~I*<}%t)5Tg{E~3U^QEJ4Y?SoQ~$6T77-Pf?HPQ$##UupAD9}}dc z5K99SFLS=@d36N}1OjJlS>n@}D|Cmq1SX?;(o?eUwG6MRc%;Cwqn&SwRz}wY>-(UT zqLyiw>Il7?6|5R#RnZze=YR}hqV0*&^Vou1vGM{#h7FaBP`!gPGi{MulnhE%(xG(% zS>kD#BWgW1s%cS5_wmZMki10|Dn_ohV5;I!lsh{wD0P{lyUaV`y_hQN&8wZI&Ulkl z*XQ5jSrd;p4qnr-g4j8fWTT}E#m!?45}EnqO+pKGoURNTuzEw+ZgPB$l9N-fWie6B zxZEy>6vAh_A{!{sD2=f@t$X@Un>paxg&s*MK>KH4kBm@vsiBwVP8W*H;aYm%?YKO> z1~HGgq73X|4t^rILuw`x$x{#n!9>x@hV9+($Y)k$nt3!lu}qEI)}i*Xp71h%-vb)? 
z(G=8tU%SCKNO+j3c+hGj5gi{xzUtw>EwrF?qhr)f3B>zp97GMTniEQ67}MV6tzdu- zEjt-|K?@>Ct5Db=YO*I*1MTf?{5oUBpdZ5_+9pmw+fK9^IwV{b>UZ;RXD)sw)*myb zy?A1x0e))BWam}+(IeLVC~Qm%i_9&IDmA+Hn|wVQafLJ(I^`Uvv3sYw^V=l@d=+BF z3A4%)Ts~+*7%Ro5sa!X!X50$yGbP59Vq& zXouGYk|qSoqvLSJcsj4g7zPRvB$;H9wXA=@0>%^rv&)EQWU7e(5O6T-l>EFP{p6pB|HGZtRYGmt+2QAd&-`tG9)fpVr?Pi2#aY{g~pH6??qU6||V0BMzUcZJ#rIr(j4 zqW%G@Q(1HYomwI_-Tysvx}{7+NVeV1EJ*uvJoEl`t_zn)l~ihuMU}kY(-D(q3&V9~ z`1cH|Ry9(X6ebe*Xw524ba}>uv$iwQ1$V})HX=Mv@A=&)HM+)5Y3b&MlcgWqY<~Tj zt{+w}bJC8qsdHyejy165K%YTI3g#Z?%FfNM7BEP%CJ7r?hjz93@9m9SPNAE?wL$@t zPMucH>9q1?w`%^CmzR6zH#^ta4(z2~*(mB0XdioLi%3;Dh(ga`guQF9hu151aY)rc zV#SNtRlD+x6XsujP%r*Lrdf@LRtBv2qNi7MC&DpAmt47rvPkimB0?mcpBzbtp96}F z&jIwWg+OgIsHiF}+B{muLpB`@cY>H}2@0%1I8Y%=TGv&61 zy4i*m7;j|4cb;+`^(H^#w!Dwlya!-{JR7CO29Ya|l7dH)%0@FGqDI}IZV>SySkgH$7PDvQ5`H07*Xw zY&##)Ri^aM`h?B_NmHu{#ZDtkX7ZsIegVS}i9Ij`@cL->p=cu9-@EQtAMV;`+DySl7ta=xK!{*fU=2%juHM(kW7deaLp3>O z!H*HlH}Iz^!jAegQ?c^;SyMn z**fH9#4So;@v5P<k92W94T88?J>|)GkH$xG-qp*wMRw!}c^2H#hUs6s@KY zBvkQ8O>}voxF|X)4R^d4Y#)W~Tr7zRh5MzHw0!(+r}vM-FMP&28Scg2URkXnC#N^J z1vG|UWhR?7zKA0N4X=CR?Wej-dpzO>T+zfTk@vV$Z%L6c8zB?M<#^jI1$wHro=dCChsX>MlfFwd4(H@jvxeFjeXt z6WIjb?gZte(^#J%pBEnpH1$>YgCfN((8jhDCvofa3B#D|)US((ZLY!YdtY)>ID(x@ zX%tW!6oPds=c@nuSg+c-q0lm{Or%y)NQ{<#lID8SlD)QXN7dbq*x#Bxi*^JUNMx`6 zZFV(s;?eD2MxhvC;7-;T7M<9gs(`+`wU;ihz`D(yw2~)CZ8>S6Hy=Wad(PE zY9Bd)@6E%@)@?5$kU|elJxxc(Hui@}%C5p8-|0lL9^F()mr|b-D3P1Sp2nMBosz|n zXrV>`07dEhnzzsRZiGz4%xYB#rG9eA)Q9mbC)WpduadRaehZj1e`Dns*D3x^FV+xT z#WOWspYb@D?Za*lH~=0tt0=}PuJ23gn)>g1U%xmgHcz=N{ZG9wz2s2qXZ%9pHjwcr z*R`Nzh`cQu#L|oK;>d>?){lmX=KD`;Zvdl#FfAkD^?N<3cWdu{x&7`SR@D^K+B9c_oPh=_I-i;)9FOcGV_^60++=v1>DX*{qXgJQp zs{e!ER@$n+LaYBDgIwJCJyBSs15(tolp1W?J8==f%n11F_}9-H+V2;JUtgQJ^y~ld zKBgZAQZ8FTu>@-BS`=Nr10FBRCmwJ}twduM2|dA0cG%EWx;J1)nM0qS!L#TB^l@+EPP? 
zJ{`TByWeR7UvCiUPJCx;UVz7%j~}XVMK4N$J&3UNySP-nYO~2zL?($~u+w#*u`<8U zEgB=rm8&Exx7%qg@B&w~r zW-PR?`GG!eIbqWrmjx_ned08cnOR8jjwLoJdQ3+9ookkvaD#j9>QvfI>DIQ+yV&I2nv^`Q6e*(@>!`Xl zZF;o2dO09=LJWwl)UNY`z_!%`tQP*Gu3cxV>1X{*;+S#Pb8{E)B; z4>sz4y@t0U{o)RFA*q(=Vu#XthXOvdbDdaoE1J@cT&orQ>UW?TYTa6~SxRij=;#2f zJDER)K`}4KwR-Q8)io23GmvXOv_}vZ15&?9;@fm86iiz)1J#se2~g$St?GfpWr1b7bORrn|M~QFtiA~vXp7%`_ek{OqP5zcaW$yn5UN|=gh$2bfVE0 zJ!TS>1RHES2N0u|MkvGSqr`7q!8vK9=O`SpL3;kTW!#GEZ46idZ3{KLxaj#q4!Wh- z-=M_#C0O;55kq31&iqqRm;vI<{D|*P9^$ zQKS{nokEmmUuwj3V7#w#I7l9W@D23IkGcQN;>8f6MEW?f5)V8FFpk{PKe^Q(SptRg z<1|SX>u*woMwtyp!-hwTECdKQUf>zNcOrk@Pjl>RUxVbjZmg+A9D^6IAd9j zzBdz<(A3t>;}Yw@m8L)d>qbU(gu+#nT(vV{?}w&_NJ`AAL$1`A=oPR9;D_W-AsubH z?K%R+-9h5kBf>64H7IrlCEhi6*pn2if@l$_gh73 zu_}UvlmNxGC(XUZf^>oZ(X4;5s+YeRIuNA*uVE5ap@+YBSB z*drYM{Yj?N5STz9x3LiqVp+#nELiyUveVc-a)81-6l0}OdiC>R>qN`ei_YMs*>dqj z4+WUp6LDAUY|x1bRA)e4C{%Ci&_OUiuViz>&{pSp`BT0&B8RAb?d+8lZXeifCV>It z-5sLs)Xj(MpxLy{%V#nZbCY89nkPF5KP`~lIUq`5XgTnHvZRf6j~H~QZjoa$U4GT9 zcqmrP$817`Bm61CvPGN7%oUZy57*L~f0)2D`}@B;$u5xYrB2beDQ~8?qYx~Tq*LuL zy43L?uDt^)+-2$DogZqMY$Lu&ac-_7zF(tdx0H0=V(G4u+t>_?RodWmdqSJ~%H=uf z;%!v@a}>LZ-zauV?kA^}p6b=7!NVC)#D1Bg%8}t)pN8G)jYxlj;?R=odTjp?d2DIf zt6cHIc(aaJO6A5$Ru7LGg?`-)?RcUu`dMeK)n&4}6H)2jsrK5EMOt{``r!!oAGU%5 zj+-$tj)g}p#H%-#Jr*tH?Rzlq*Cnc`+Dk58eSWhA;KD&#fV;DV#3Z~BnS${}(PG0c zR7<`)t(``LPvc}q`)cb?aS={n?MYK8VVHV{ytYs^W_cC7*kpk@tO`%c)_v-4kj+ta0PKz z$Fy!SWlA{ljJRS*(-sA>nNL!oc_Xe)6i1JLsQ@Ofy&3rk_g|O9yCU8C=UkRbQsP2W zv>W){oRS<*|5SJ*#+m8YYI$n&h9U1|j-uhZuc^K8Rc9;C!+=KZj6=r1CqaQEGV!)0 zcFM+IEQFDG@XvZdx2k>m!kKyD5i|VeD?=Lsd>~3H2vJZ#T?504p&n1D9Dxw*7LHN`lNeFU}lG-p}d!CRs}V%4$LsGYNpav$Jf#XB-7l-zT9| zdNsfz;l~PfEQsXb+nQz}oW}kUb?J{ji>uRA-lq=A1cP7cFB5BSL*IUf4{n(_!qH@` z1T!awR9HWjUUD!z;q{|LMx_@I;J_57J_jLRRd(47`h%Xx7a#qi7 zjBLHJJhTli?U@MQ;%2gDlq1$Afj==D02cU-W z_ZynS^nlA8O)}c4Dz;C@8>2Ysb{XOi3f9)Uou;1un8 zmo*GAei?#QZn##R1JcH)tB%se3sy8i!s)?jD@<4*!DFSZFmEBU{)4{kXjkH4U7e-p zFoH%7EoBL5Id`x`MnDQ%&&&4I$NZH2Wx%(1v1I 
zP#lT_5FI{S)?L&TM*hW3Z5e}W+u8K3+LC3vD&eUF#fveKG~QD1xFr{-*E_zy?>{b> zYqbfuQ*5(D7o%MXyC-zDR)_$s)arWp*b=OkHAsR$f6-x(4$~2D+)u3gdl5+V#6Xw| zc-v=JsCfSckJ!mX^ltx@i@P2+x9yAO00y4uVeCJ-(Wjg~Rz$uBwj;FWn*;7Bk$*2b za6?axtqv&U_575Y#VrsdCE3JU?)mAO1LmlSC~8z=MU-Tbahj07{cQ#9EALzR4o3Zs zZYkAwqpr%sF`!yMp#TTF-z5H?+AseMXZ&B`grwR;=lmoys#-m>264f`$ONndUjt)~ z;3niVDne0d0zGaQJmEV*oF8}F+XeGf)A}`byyw@`6?=jgOzY!$DpjnGPX^&9+$X@D|Jfj1wi-zJ(;RG)j>Mkd_`wZu?>`!ZKUK!Q ztNi(nQFFk5WkUe`|F<^eNbGML0ucL;Dl>pTb!Pti(fp}%=l@zq;x8TM?>hg*XyhmV a7h@**->Ilf{x6M1^1G7e^BezJ<^KSnqz2Xi literal 0 Hc-jL100001 diff --git a/tests/mqtt-binary-message/suricata.yaml b/tests/mqtt-binary-message/suricata.yaml new file mode 100644 index 000000000..6fb68aab1 --- /dev/null +++ b/tests/mqtt-binary-message/suricata.yaml @@ -0,0 +1,16 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + - alert + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt-binary-message/test.rules b/tests/mqtt-binary-message/test.rules new file mode 100644 index 000000000..e271d2b60 --- /dev/null +++ b/tests/mqtt-binary-message/test.rules @@ -0,0 +1 @@ +alert mqtt any any -> any any (msg:"MQTT PUBLISH JPEG message"; mqtt.type:PUBLISH; mqtt.publish.message; content:"|FF D8 FF E0|"; startswith; fast_pattern;) \ No newline at end of file diff --git a/tests/mqtt-binary-message/test.yaml b/tests/mqtt-binary-message/test.yaml new file mode 100644 index 000000000..6ff46a0af --- /dev/null +++ b/tests/mqtt-binary-message/test.yaml 
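Review bot: The rule added in tests/mqtt-binary-message/test.rules carries no `sid` or `rev`, unlike the event rules elsewhere in this patch (sid 2226000 to 2226008), so the alert check in the accompanying test.yaml has to match on the `alert.signature` text. Adding an explicit id before the closing parenthesis, for example `sid:1; rev:1;`, keeps the test stable if the message is reworded and avoids relying on how the engine handles sid-less rules, which I believe differs between versions. Separately, `content:"|FF D8 FF E0|"` covers only the JFIF start-of-image marker; that is enough for this pcap, but a comment line such as `# matches the JFIF header of the sample pcap only, not a general JPEG detector` would stop the rule being copied as one.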
@@ -0,0 +1,64 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH JPEG message
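Review bot: The CONNECT filter pins `mqtt.connect.password: pass`, which asserts that the MQTT password from the capture is written in clear to eve.json. If that is the intended logger behaviour, it should be stated next to the check, for example `# CONNECT credentials are logged verbatim; eve.json has to be handled as sensitive data`, so the expectation reads as a documented decision and not an accident of the pcap. The PUBLISH filter checks only the topic, so this test does not say whether the binary payload is expected in the log record or left out; one more match on the publish record would settle that.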
diff --git a/tests/mqtt-events-invalid-qos/input.pcap b/tests/mqtt-events-invalid-qos/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e76de751e324c8adddfd90e7d88e69d1da24f9f6 GIT binary patch literal 1343 zc-p&ic+)~A1{MYcU}0bcl3m7Cabgdc8RCHKI0jVEb~k}*!Dt}}r) zzFQ#le+Rm4APlq37ie1;P*WIozbO#yw|77rXEg{gF)(NV1sM@Gfoxe1w51uSxEZ@G zz9iZr0kkC))fNG51{UAIkPwzb3^okHxs_%4naQb{#krLQiN(bQ`9&oRETzS%MGPz; zKFCSCaeEvT%nC#Y^Q<4|^rUfm{2?<#6i{&#c3V_Pv<2jG9aLKsm>`LC??dWDq@Fa; zwt2Yxqx^`Op$MqB2)ivdB-#S any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT 
unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
diff --git a/tests/mqtt-events-invalid-qos/test.yaml b/tests/mqtt-events-invalid-qos/test.yaml
new file mode 100644
index 000000000..44b3eac7a
--- /dev/null
+++ b/tests/mqtt-events-invalid-qos/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226006
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: invalid_qos_level
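Review bot: The two filters disagree on how often the event occurs, `count: 2` alerts for sid 2226006 against `count: 1` anomaly record for `invalid_qos_level`, and nothing in the file says why. A one-line comment above the first filter stating why one anomaly record yields two alerts in this pcap would let a later reader tell an intended duplicate from a regression. The test also loads all nine event rules but asserts a single sid, so an unexpected alert from one of the others would pass unnoticed; assuming no other rule is meant to fire, an extra filter with `count: 2` on `event_type: alert` alone would close that gap. The same two points apply to the test.yaml files added for mqtt-events-missing-connect, mqtt-events-unassigned-msgtype and mqtt-events-unintroduced.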
diff --git a/tests/mqtt-events-missing-connect/input.pcap b/tests/mqtt-events-missing-connect/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..404abcee19ce81368920e899a23571b7d57da5d6 GIT binary patch literal 32240 zc-ri|1yt2r+daBTY3Y^*>F#c%ySux)LqO^7?(Rkjm5^?b5=4+j8bRXjjpv;2)uZ0? zj(f&8#=ZB?7z;L=&79AA=KQVwThCr=O~0wn0|!6?{^tu400#V?58k7vgz^xO2Yj3d z`2Gt9AO-*=xIGXA2txO1`vU-ApjM1}1txEBxNO~jG!TFd4!C^=d=d->E?$IuB3}3_ z1{MSaKAC(>=rkBugKB+rG&`K!1mLG-rf=t6u4hq;27_b8n-{EHg z8@a*U2ORNzz(>4)1+4b>fT{inn8N)?uVg!@itM2YpSVW3p|$18CSSxDA(Bq9;)`p& z&S6&&zdw+_7WneopYi9r!QS&r{lIVa7k~2K`7Qt8e~jQigx%mi8)aJ^9BPm@*;<2I z`oX@#_-su^I^O>EyZwO&U!9nj^D0ceKl6js?I{8U zb4?8RP50d3?&WFuL7sQk{l}0$bPp8FClDeSD*zw`_}2c0$V({>0 zs2}u-T=2WOTSfo?9P(}s68s)@_g-lThzB5K_}?M}03c-E_CJxE$rF0!aZ7B0=x=jT z?}mOv2DLwt(OG|&1xk_onEii<`7IFL?uRVgqk<4uxd8w@z_<3FU!lteh{~M+N@&3! z{s8vl?>hqzv>`CqGXBU+58zw;J)ro53(&*dmv31L6EdOzm-|^US_|a$ZY?E%pk};5F#JXFH-?ZJkdW+{3l>K zDu0y<3m^;VZ9?nkEM)&B3otzZ+V5G2fKP##Y~;`}f50y#tQFTKJ+dIezu{|Cjw-qqQZ!N}Fd$oc*|6Bvk{ znGXQa27GHj@g?~`_T>&Rf}VSJy6@P-VhA)L{R|YV-he^7%d={NLvz2ps?pc=(+fhECuhZaV&dNsG@w z{)Jy?0e(-##Q$3@vhTGZ`9TY(-)h0e|647d+-u?W6D^#7rG+a$;HUS!e`vw|kF{6; z=H&D~AHv_~gBANH*98DVUR)f+U(Ek6joGKb7*2l}v+wy8zyS~-rZWD2X$&|8vVHl< z7!b~i2|)hOo|@U)GXo&y|5iW0Kwz*V{Gy+bAg1@fw_VP??TCM{o%3&PxBh$E zN#5Je^Cz}*`IYUie;;J-eUL;y1nKhIAn$%3q|{Gus6j!x{whcWfnRC{atzr&bqqTK zP`B%!X=e0?H+cpAC3jo{*^qz6$X!AHn0cf-4*EFSpyHj>e?VVrq}zIaP!SKpDdYjk}LD;^?(XD^I~izH}1zmQXZ9u1onwzf3jRj4pY3#HFI{2a~RO>4%B%#(fR;28u~ZIKx& zSWC)l+w5STPdSg`w`@ipn0<9Qe?D2^kQo&dnLZcOv)>ObHcL{;!EQD3mw4vXWUHT@gjt-5@ISu z42BMt434g*uBOfc4u!Da$<*A`gU`&+#@Q6~ z8cRDv7fX9PJ{KofQ=%s-Dhdot^h}6wPwbstxQUEx>=>DxZ5bIEndoiJZC&V{P3>Hq z3~lU8UFc0rxtZA5IhYaQMC|SCOpQS(+(g!g9CX%)H zvb3==WMHFbB%;({V&Wl^v9xpbAoAd3*Jo#?A`)_NurXCPHIlY;VPIq7pl4wxqLhB3 zA}d2nWMgSGXDxMAHZ5Cm2V*N6J484SIyZ~^ zP9wqz85^5A03T5^P$R-AnVOk8nL2S3S-7}3a5FIclbkU8i9si3XKZg`X=lz&WbS3@ zKucs|YGz~TV*1zLWen}iU4cq*6Peo4sVdW&+VME@G17C*gDW^WMUpB^J(W@IFimqvsGy2K5XUlDtEBYRIoI1^xg 
zxQSF;O=*dkxQJv8J%O)eW+Y-_=VoN&X5k=`kX1p1Gq$&L0p^{~^t=52&+|5>cIGY? z+(fLLY>fZ&tc#}u5ZVyvHA~}rTQFET+XFM_X6WPzeEwb%+CP5&1x-r?bP@160V-i= zY+*_Vw7ZLwy$v^!ojsi~=owJv2_s;>B?V$XOFCh#JwD(LewUhpyhyJjJ@stqMcPIb z9;9k(MQU*#QmWr@*zM|VN+o7<}q zjPg${(|uO%u3fpM6HJ-syUv;Xq@ndS&fi$D-3VO38k~5NzOAoUd&+Qk<$cJfS+(_I z#v;D(<8~zdEuTiTa{FgZq@%GZwSWU-n+wOr>=^y75i9}of%PbAMOSa3PK^a-9C^PK z_(0-oDyfN?60j!kn{+v>6T#jnQ?Ivod+>;z4rU=t2E)y*6V#7NZkr{UGj5+G7qpPk zrS!cUSJ3oke#$VJt8!&2NJqWWeW`GBv=W!gj!;-L@agsmS_}A72B{}YH=UP8=+|`f zww_dXCiz{IE3vwyIu#G^lCy&E5MT8-CY_QH?xxJUoDq0%4iDLOUOarx;%?fRIzC5s zcFZh$chYtHHK+S_lMv7ieM*^Pzx#QB*ITnIo8$9mE?M(wYKVg|G~FD9&mP(2R8irZ z8%9}joAzTXs5=ZQUyPWg)y4$+mEB!Av&n~C*i7Qv!!9TSUQ1?&8Qje@~Bf|LK)}!K@vZqzx?@* zNWtMp1yg?SouSW(UR`)^5>VKN1=jX+-|GA2wTQ~%-!#e1YGUbs?LX)9?o3$U_282( z+v`eAxr^{WPj``lGdy`SWx)4%VmniO2W{NnJLgW8BWzFa^lmu5?T(}9LR8n7>wS6I zD;K#7nW>fP?SUGXMyXp|*~jy(LnC)z zHNiOtU4n1KI!ouv@}0MfJ%44%;WK#=K#&LNd8xn_Bi$n|s4$ zJORv^@&J16nmTzAcH%-=$I@B6Mht^6P11x1N|1)Y-jBt|!X|TiTX%%s`nkfR+Z9JOzK$gX zIuhqshI~0wJOrFkm+eG+pF$Tb*zoQg#y+0R_~_I6zp!%NG2O8|l!7FJs>hF$BWhw9 zrIt^(xWHJZz398J@RsKG`$~IZ%#_i2JIa6K$sIh(+l)_BtRI zHv^R=h9U+MLQ2dbP13vBL`hZyHU(gM5Iv@)n-m}Wtgu3eMYIol79oKZMrm^4tA+4L z6O_Ij%$pRW^}O^YIdV# zC!DA;reb)Zq|<_=#^ZdP;Na7yr2ZD{c6ANp1x5WOX`S`+%sHJMB?A51yWVmrPOqYD zdtJ(aH-uJZ&r3IIG5K>{K5{p!mpxOZc9)B{D^oEBldVyVnJNuOKrGH|a>Gc{+VE^E zr?2{u+^(%U2&v4>KC*wdeO6qW>?)hXoJ)-Cx?)oAjf>$Gl|EI9fK4(rLQz)2g+y(8 zR^f@b)5>_DUJ|s0VYLXCgqNs0Rr)sRb?L;4^)z+Vpb+B+y_K_1rMmT()>p&_YBlF( z{<~U9N7dUZrbrq$DJo@St5|!{Q)M9;HN`3zsr6bjfYKxz{4`~xVd6*YrFc3;Lp?Xg zOX8JhNqxeiqs3b4x>hFq8kR4nx5|ldE7`K+m@8tAju%f%I>B;CBPQY@_{aod-T92& zW3rxYy$-ct({v04yCF?Ntfe4PrWgZzB^-zvmAGI50WEY%Fk!q6NS4_wz8VIP%4&aa zaX!xCJ2G^XFXK$lr9P6^Gop6H=S*yr5!UTy$+_Otk!*`&Ol6NP;0M%bd7hTgIM zp7?t1NbmT*lEP>O7#YU_gSa3|v(`BAGm~=0)LiG?LK(_^s~Pb0W9S6* z(ae|BSsnp$nrui176E`<Og(AeColF%aTzvQvb-I~Bs9o`4toL|Pn%UpC z3(;btI~LE*RDfMe{oJ0YwO$6D*aaI`s1J3tDMprl3ceIZWssVPasWaNLt?1WNe>}J 
zoH2oyWwovfT0~q1Y7HMzzaaH&(k`7#mtNAcCLXc4C1?8sC!fXM1NMS}w4F03cA*<88iJAT+ZF+QKO4DnSbrkv{1vfGF_Wz?J%OolxY_O#Cpn-^?I zPZW7S(}Ztc)alo>@<@+qyt--bS(+6zZk0LfvvO`NoNcV;H^zy0KNynkfw3R$tmBM+&W1wTE@RF(Fn3M9VzuIz1 zw3Jd2K$%C!oNf}DhaC^g%tVpeqA(IGqf8OZsOCsxib!*O{iIQb*_Ot=S)wQ3gLaVP zsfmJfC|6q8`?mcp3Yqp>r(7TI*w%ra3`B>hSFl)((l z>wP5wu3#~zvc|A9M{glo?N_s9sxZd$YLz3VuVl%!h}A8b4vAAYa$4Cxs0tRfvKCr3 zF1{m%gs%n<4G|s+a2!yIdkq(r3~!mrTA$S0#Uqm4=D5a`m)MScOkiv&Z=Scum4Qfx zC?1VJ+AT=2gqr7!sUj2$%S!1YB3}&O%C1iIq54q_9y)2nrWS;t z9VVz0%y95px$%aT^Nj(zmS#m`oWa1Abhha*j@0W(>HGf=m71(YE5gombGF+=R0zq$Cw?DPmQEwC!|$44M%MVqy7)uQ6MCcd0ii_nV4l3KDhrEG)DvCIW_$zrc*D zBq}jCGN(56PCSWYqKuk&jxX{R-trclsE8TA$l+2WA0`qW6Mj7uLBVXC$JlEC-)T{i`?jVkSi&V5x^|b({5!$(Q!AjSj3EPa2Na=K3F)SQIixz*@Gtz2$ zDGA!ix-eCZ))$fe((@q)nT)zf%|caBSW=R%1pK%~Y0UJuTxPg-94JmHW3zBGu`%Kn z(K!Zsuw{JEAwa+bQg)sq2nQcr@>%~8QF&Ihgg^kXmS)ZMfR zL;;|n3NG}nlsJmwgHn)GJ+Y?49f>PCO|aY7V}(hblp_oNmZ$kMA!=TB@^zYu8GOAd z4O&n2XIwu(f2P+RRsWO=$G<*0veNp(Wpg)O4W5+2fn?YbV7k-2zG($8#d}i&D~PBO zs*?ki!^bDEt?7S9($O%R)mWG{8BIFozVAyjp>Kiut{@0=t?7a$JDxwIQqIygRvl87 zhMMDjzXt|wt4rIeHDBQo(ouLG<)!v=kyXN2YcM=VBrUUA;&VLT6f;bS&*6(gLx-7E z`f2$T{{Cg|7~wn>C92Gd{Io$Y5+jxHDj->V)hVH$eWj{lsw2wmu(8#_v97Z5atdCj zf4Pqv$LVd`R-L1Yep5-03Gv~JMy9jSL0^zY%t@$OjP~N85*eXW=nT0HWa7w=366Op5a*a$g4Dg9G2s`vWuO+D&XvC7(5i+qYpv55d!26fxGgw*;v{8b!i!&OH8O07p7 zwqN2MpK5V-dF@VQUN)~UIL>rqX=-c_?Ys)HWH=<3&;DS<)@go)jhxwrP(Tcq_sEJ| z!9lWJ_6ZEIx3Eb#u1}Z=uht-|D5OUnEYkqI7Xu! 
z0i{)|xDu6;>%RFE!94!*smEJ9OfNctc}O*aal{-9*46=}=y z&KP6lQ50Lg;eriVxV}k)5L3O=Vl;bMlc#vOrp?9&gKR#`5D2Sk%sI5`0X}C%Knq;c z4mhs-yy-2nMdCOZdv<+>jupMlwCwx?O|^zN?E+4RjpKbi4Y0XUYA4r_YnZy^CnsNN+l z!}^L2eHaw0az{>0E`0mN^#KXe;Le~;2on_k%NH(}wB?*N58P79XPDk0RT^dH#w?#Z zz1M<{_?r3{9x_o_=%e!-_&^}}S?L~j{~=f53-Yh>uV&|X;9vt=FkT#cT2r@Ze5RQQ zw%OD@`I5>zO1yL{`7B0V1X_ym0cV+DaJ{mq$)E!d5jM4gB_dIz$wA@!L6weT4jv?D zq{U}TlJMl2OpzInQUqwAWBPPHe5!Di3p+-!47UvI)0p5Cq!Z+(7|&|OSCTQ&O4ccq(n?&SeE&`i*C;R{1-gL= zr59{~TV)2!K5$m?RJG@c$x~y`MlF6WestJp#Ce5pp)=r2cD51v{+U2`E%kXO)oa$RutS?d22tRJLe7K|6JJ6!*vw5mV>?TPZzIg6^7B(oS z_DqUserTb&0LhXO$+EE;b13T0zoh~1oYg^e|Qe$kU$V30yHGR80a_SpLtGoLlcCkD)Cc9(8n=Se<5ap z5dR<6w>kg2`Zfy-^Z#yn+gC~3?kOYk%ZM(^9S(N&GV1m2(0o+oc?wmGjf194K%U^; z@bGA*`QajlrZcoku6knLs?5v+G{)m8&$qD;v{QUB6oeWLG~kMG;*>^YG({L~Hx(Vl zMuROxL-JMDAi7N73b}f2)fwnG7bPYujSg$ci&m!@Jit9OKYY)+D*d4NHVi+H{a^C)cMMzX~gMmdaZ+F>lav^hY=`YsCxqj(t+k;+fQM`Zg8V@cLmlkIEm|I z^Ih13@MIla6()*z_RCy1Q?0q}P5a6Y89DLL+WcTXy%R#M8t3zbI8s;4M7kSJY-TVv z9q_(gLYp3M!g82MwG66T50+gOwKD?iI*(e+_eX_9mwP{~qQ3?=FS^R}X!cq)-4%;Dv|@^LN+4z-(xN zTqB?G{XoT0=bR8_1{$cKZvJx3Cy;agcLypa4zB;@58{?JH0>8Tk#A{&vmc3}lZOvZ z6l7JOa+!CG;I{=|PyL8D>R`tCv8zjyyhbHI zo+M>1IlrbgP^eAWR} z(=5Y5A2^jYPsFT}mxGlJi1I}m8oQ$Wq8U=p)!w_O*YI1HDyfMrExd{DzXpsdI+B|t zVpxNf=sKqLI4rcQNJ0lAv&i6MDnJLh68Kh$A)2(jLRG@V;6#u)!ngPIV<0(Gf_wDT zUTu^us3?3=usS5NqHvlCeCKjz6VF7WR8^OVUXhBruo)bulU6L#CO#F9oH71Hm71u$ zyu9~9%-rbBNxs?%JMMc1#(Ftwl+R3)hkk)^Rjbxu#92-C#Mc>}w( zdk8ulH-wu+6Xul^W9&@v?4_H$0>aH4v zygoj+3mflEfe(fiaY*Nv0Wg}toHSDF6?4T2xnL=1D$yacM&qUf!n04G2b$oK{WRYOg767h zmR}Hk7i8soc&=`vH_gN|Ue$AidrwVVQd4w}%(1m!ot5c_hH05~1xBTBJ43tjPuw}3 zp}gASAGLm@Vo~9R{yaiQh=9$wJ3|bHG8Uk1ki8@Dfp5x!9}%~MUQDhy+)+*9OjS^7j2Wc=QUw zb@A5@?#kkgdlnIEr;a*^9dq*MKe}nXBSyG*qWoxX%Y`RT?*>1G(-8S;c$Xo9Wfp(@ zWlX`#P;yi>;W9Mj{)gIYkxZXL*=-xu7`z&SM<_R9QMmJKhvK^nB9%}>4>HHmQNH$^ z>8u3Ct$V9S$N5OP{DvM@ixMnDQibL_$SI{DM z_StvqW-K6Z#<%bBfe#dTFCp8@*(~4DeZluy1E2?`oCjebubMBq8@W3%{y3ZG)80_D zoYkg0_IN;OFltI2lY6)j#0u=lnM=HH&68EZWN4(NyxnJVoTTiVSdP9NTmBqh4heer 
zIDFss8}x9l7NL0Y;h*ml5ly@M$nc5_i3Q z`MqOA1b<5{bxni-i?mes?$r{tR9s7mBSoWc`A7t^DsRNJbH#yTxVff%ZtDAEIFW5$ zbB6GjF=PnBMk=K}uBj|zet1?Ij}cx731;zuJBJlcE%_i|l3!}^O59<(CY`uEk4Tdj zfy;{SpyEx?17q1Vjj?+Txo9}V);!XBdZja6XZ?rZ5iE_z$9n64LC9jKIePq2>BH%LlafRasb%SI!!3e!1#Iu5U==7N!7XpnhYGo)J zLWx7PO6jAzubfTtHZrGFF^j_GVB`$5B+LR=)1!OSvljz>QyIxiH&c@bq#JkE3b&UJ zm9S4erm?==TjG*I{ccjeaz80w`~KcC%8d9@AS3`8TH!w?NT9ofPbHwOl0v^-n3{jT zFqPnkg{f|TUzo}keZMdj1eqlC+l8qz_e(C_ezGvt{rgo)AV{`o5aJ9FQ3LR;{bcDL z$$zYr*{&VRb84YOZ-YNjZgDU(lEfK`M=Rx_;C4%30KrGV2|IYriK>{EX-rrfs zXh1BQ|5jh{fJ}tnFL(ULQVL`VMSBP!22OlH?MJO4(A*F}TECh7=`u~A3ScmQYRxAE zTBeBw0Rg`72RkL0E^e83J5)uvla?WvCjFg2H&b?^oP|k6L&upP^}7`0(0!}hpoDZ} zk4AEbm!yR@qH)f{*R*{w1%x|UN+uExdp-O+%>D7%q0G7`5RDgsOUuuF2<%y!B4~R` zZmU3Ra3pIw+T{+IIGsccWQU#N;2xYj8SZw+J%nL)C$AR1RlU^-0k3=vox{=&Fb zqrC{`>g)e}+V#fm^#PGo?)aN(>uYm$oB7kT)7*wmNhmz>9Kv-C`30mW>GZDlW{!_# zD|x^)mgkjQ$TFX|;G9p#z6vhSQjb(3@kq@681}3ou%WzxdkuHCKNnDxGDtgizP7#b z{4?__B|j1LsLDe=gE+!lq?yRIYCKYQeL_6t{GMSeC%x*0M9DDw*Do=;+UdPZ0`2Dz z1~&Yd90e6Vk{daG65h`mS1o<;>`3GC!ryZHGK>CHt1Ux@i}_^ca(^~B6;Z|0@z8js zp!@UW%f4eqc32nG8N;@j4w3DaNazYeGGr>-SEYeu)CgkE{z^T0v2TbD5*8O==Me~o z{OC3>VCbl(wzIp1x^2lTNhNyp=Yuqs(B_5eykOdw;tO~Kho`X}6-52JY7#NRu#;LY zV{}DTcjJZ19y9sGA5d{@xbK>)?dz7wojJGp7nw{05#+3mt7{=c&;iTxl-$?%T`}OE2R`Ld?E#D80d{&@~2839_2nGm*2HdwF z5uu$a-hvPxzW6C3@DhZy_zN)ugb2I@p}GH9;a+>5iYPkoi=)%z_Q1r#!V=8-fO}o~ zlq&@c|K;&1ihSL%v`^?>jC_RM%9+JYV`-GYEv?!(y7I7~MWlel^H>LqlUqxfQ~B(Y z6sgi2XO<<6@NKD2_|Hw#61YFYQP#&iKO&k9d4CGM>py>qEDfE}Wq5)tA+4}3GEjyQ zE{0Jti%JKO#Y@O$$z&{ss_VaVUpoaBZY* zZy_14LWNP}J!eQHqj10q#9=bX*+=Djm<}r9QMpd7J?545IDLU8%W|r z#}WqQco4||pH~A4hdx@*@+;g5*FG@Ky~FkvFz6F7!eqxQQJ&RAWqqsZE|T?(n!X`x zx<>!i8#kuLDT_!963l_cA+c^Wm$qTg-eJgI(jH<@?%%C$HE7VtQ+1z7pt2^@*aU&8Zjj{3b zyhfE!2iDirEm(%`u00wm6kei?6xOb7!XrgLc-%Oa>!|9;_%7oU&cf?f+{{n091LYlvF zn_4Ta63&wjospic`_T)sNxcAtm+bX$;i~a^m}qVCx4VPBe#IBf{?d^*7d(RYE|3Iu z^H6?Qq|}9Ve4evZDa>A5OGhh|Ta7kRW9*%C=EWsYPoODsE6FZAU5aVh-9rPhc`Cf; z{JkF;e&SR=8`mE_30vTc8cwlQW!L5;64jDfh5!*Vmnwe2MCEq29 
zjAQ-i>SBvxJYOPZ1OH{v`Q0dv&&r&qU!YL-9L+$xQv73-`?^n|!Wj#F}H6JBsX6|Uwj9M`5ffk+9kR<4$%eK{{@ zjc-ayw#@1*DB*}CUih*tkx6q^r&cHfrTJ}m{z-Xl5Fq@PKJL{m_D$^C+=sW#TyO1} zb*n^5cQd%lv*(e?z(`;8*yt)cOgNWa6e#M@!DslgO`O1dYQRZZVD%lAnis-J1MsR) z<>rUjmJrnL+K42hzTVgsFstNf>5!yQf!4aQ$0c|+^_ji{`eQa6&RmnSbIo3l>uz8< z_Sg6T_!U^eOqT^18qVIi*a5+L)T-9?mJgX=mo-FoAM~qW2!f(fsYMV_#|Hx@UI=nK zc}4^$DN{c73ZP|Lnr>!%PzzQ&0`rCHO&6F{g~QXgy|!Zet4&oJ)HY8}S4F^QMXB&* z&PUERt)UwsV$M12iJSIU8~b?NM8~YVhdMvfUk}+hAgtm&A5L4zf?VF0tvl?HY0A)R z{F<*<`c9x70)B??1xhL;=nbh6_=fbGtviVKTX!12zb8CxvF^Vt3qS_D_>Z?Z&>K=l zIS^3}_qUsBR_{ydvp=2oU_&eX&!!qNG|;r?|7@!HKOZ{&QF*TbnoCFVcPG?T*WJ&l zVg5AN)Lu#NDk&oN&(FRQWB&7m7Z9?s;(v4YO-b+69(wST9UwZ+-_O1gV+OT9k*ySe zcNbY*e;@P1A7aJQ!a-(p<*eT;JVF}nN^;{XuV<5#_|R{G@`JkSH^|Ktpw&cFxS1H1z+KR@w@W$Zuw z(D-XMSX7LEcH&QGpjX9ZBaqSc?Rg?f+mX5F`r-5nJ__$9I5I!TDdN;=AKJSjIuA`1uh&%wQmPZq;8N8v~M@{2xo+ z28SXIE@Qm}bxm5kK+vz|WiDz@>f?`ve@O>`lR-S$ya2i;llVFhK&X&1cTY1{cx$%`?MB&Es9SlNe z?4loTmD$Hl`-aOg%j4rgSBv%+B>Ge~agq9db3@1?MV(isJ2TGQX=C6sv(Tz; zD{2;pP_L*MDffz7Czv0V%-b>yxEzyeM(QOr>fs8jsR@PpKUEDqH0(x%TM`sGdHgjR zY9K#eQ+D=3BE1y_+lNW1V*hi-h{UTE5~-%aqWZ^ZH)0#1Hh3SjJHEEqkk_vu`^ex8 z$gKOGv1ZY(>=+p|JZre+_ZC!o(#f3BbvQ?RcFHRGZC@++?Ixix4EAAx&dch~#|_t} zH(okjUHzt3zy`71gwu?5k6rjrX4=4u_uOCG)L~d1C3C#_W6F`sl~ke4Jt3sJ{!6xn;QCV%tugd3E*d*(n<|iT+t8>=q8i9p zB`Ye$9_1SAR3g1yu1D;p_H~k(t?o-QKqKf4w5Y6@XT<3xFn~m!dnTS2{4OQ(T|%9x zcz;Yx0KHB1Fh!01_L$?m^-1?1?(gtR^QEz3bA*{LX)uAE*5*WbOAN1xLDM! zUIDwM3OZ_`zi&!LfnLH$R|(;o-I)Q*Q+X(_fS+H zom{(BM8-nJCaU3RLRjKxng!c3j%rn&xb`W*v(L0|36q)`WrXxq!qKVW%D+wB`08=A ze`MO+m%SNI9t9rC+u7K>t^R#ju0o5VufLrd`Jy?jdN zOT_+~N`C!@x+eVFOomQA@`lZpMT6wz*Hv{%ckirpxx69R5g3G^VV>}y3rk_a<(w8e zF5up!P=qQ?S2BwTR?*=cvp~?89=B=+!U7_}HX~QNgfvBMI~p(iWH8~?7KTh@w@1wV zIQ1TCxjRjR1+ZU77V;;0PM`+qX9Wj&%2PgN?3x{ZeIWUT;o!s23NJX;$-K#c>_{iJ zC;8El?b&N~BecpSwXFAZoCab?8Y<{9_8)CJ)(#N(YzyDIktR1oYDGj>g3tRY6U}tQ z&SER&Ud&^*V(c$%(Xo<%w zV2gapSi#_Z0sfR;(uAIQr%|*x8B;Cib{Q&pP!yUNcA^ZpqGYx{! 
z-n}|B?Ia=kH3i%#3rJXY>L_?aCR(&yBb{0uB1EXM2}t?4FATR`Xp~yQ@M>&%OeC04 zCaRr}D4wRX$PDTr?@D91_ zsHwV_n*)i4f7Z2$e$RkTtlUI(Yl)H;QrHjf&0)b}HWy4ij*)MsiSp@X6`tE<+vr|9 zUSSejd$aI!UJXglj15R8THGdLdo*^jIvdEE0IedR#SE_z>j@OZtjQPZ!HjX^yDv++`C=*=aGf19AfSf!5pG@vmw!fCX}_6;48udsGWquqliy9q*h zFJVYps@hmdYyolAQE?s)O6%arD_DMvW|FMWcFEGc*Ee|~J3>}m=1yJJU=S&`s!by% z%sE)L9-55vGQT-De?np5*9Tbv6<-(hILHK1y1e7M(FM}0h^XAtm?avjt8AzLaG&Wa zxrpWqo9s2)SMYaB9oCqDCw*W#EKe5O%(S%&C*NTX^QADbSBMSi3Ck2=&a>3VTI;OOK(EJO95d0WPPD5Qq>LRG;(H>)g#- zZS2b|*Ml z%W&I~lb9BcMKJQ|I)oiLQ%5`=^}2IlVv<%l)1MqPF3bl4-V1o&T4V}q(?5z<&c~a3 zL#Rtt>)f}jfxK&oG;!^y4M%X@_c^qR+PrFdHAXXuIL1PTvKGHhq+X|x09C6?FK7v+ z@EFtd0Seb-O-z7gu!#))0eaQ@aeA3=`&D&LZ_zSQw{ONOx16UTE4kUDqgFJ1y8R?7 zofMfHn0v&Lg9ud;gJxoE(#piCNXHUU@FPS|tKOP5V6mUqJ{N(NqFn4-t!S4onm?(W zR*SsmBs@!~#QRi3?6%bClw~=y3{_i zMXNYHp;?r-W2sR>tQ}TJ)}1DA6J<4D zw^$R@4j_5IW_A?Y#}K}v+)88#p6`sA`eOsDH``7%5#A~jEdCxw2gydev_UO{eB`fq9SFbX|5u4Fe*`zP0qx0tJhWp^ng~p32jN)%;HHJYp!Zy7RQn& zrFk1&k(&VU9VYtb&SqcthQ)=!eSOYqYP7Pl|nC zizJr1lPm`*n%49cbB{-vR31E3mu*bUABQ;^KAz%4Q2(hXlkXlxiAOx~_1 zALALTAIJ@=wB>0poV~(Hb7M++@zev37Vg2M4sG^hodoYs`RH4b`K#OQDdHcQGKK`8 zaGP4e*$EoLbkGjo#x6flXKz5sVxzpqnK4)I_I`}k)+&69z?2-mi6O2VGBCNjQT#+Y zf}<)$=*zI(T>UZP8ZN7|T7+Bsyp>bDZOZCI&1RN?Jw$YUdX7B&ieRqd`6sD18d08^ zuSamzLKoTZb%S4XTIuvWr&?WIZW?;5*lWsH+c8}k9r7YbHInqSZbdCRi@dt^m1n&p zvjcJqsuY_0aI;+D^_S-3aJ~yF(tOWA_@OhxpsX5?L@mYAcVZn98lj8rs99BBFS~rQ zAzB5vZB`A~NTXJu+Bzw|Ps%X~@I{K{Mbu(Qs9wqL|KK z@duXC>bKWZX=)+8Mcwe^h*+&27xKuCdbvPfyw!w3RcPUR1pVa8qvz%^R-g$I1SCg6ktjJzlAKYHAV?h2jEH2K9F(9$S>E=W8FBci+S;kzs;&J8 zo^$WHr%&Iy@AIo;8g;E-02lX}Io~5v!DpR398{Yj>!ih$%lzc9QrxMNztU{JRSN#` z=Fv=fq;(fmebM~^8%d<=?JNP@ys3<+#nNxl&EmeD6$S(3As<9@R%H`vZ53-&HQTJl ztE3$T4w!X&Cgdy_NsH%~l1dpO2IYdjh{)#n5d=C8(Agd3GWz@d(%^mQy&@4Zt9$2j z^%nJ0=&jdaYRjm0li|84#~c!c8G}|PeeWww)lD@th(5m$m4;v$(eNu(7;Vb*qLD&1 zDl{;9B7`@HJIx20HyfWfy&J2wwIaMB;}+4f6JFb&kZ@C)7HWAv$uhmsry$BlB*==H zs=VD&v^%8K>k9Za(Xrb%=igwwR`lEWpOYvv8{ug>X$h+~E;iX_o}+mrOOVT(CYLsC 
zjQTFx9lzWB>Llv(YUA?ti>i^YChXqxJix}Ia)MKA$d$v6fL<_v-ABO zdH{AVM>>t-NJ&qB4UTeT+|wZOrNLMIlOvTq0^axj$C3W`ebSwQoy(CLp(m_!ZWg{J=+rCQH#)>hTjB`K@}^HgvMRsL3?%Kh65kc)=i*0zpB5TZx)yPA}Ft&#$k#z8G_N%FL zvA(=GD)DH2MKsQeq;0}xX!{E$R>IOI z0FeUqHnoR&9z;5Wa=aXz?r~3UG45$`o%FbjKOs^%CZOj22a*2wL!>~}NabRk*Z1zC z`kvY8E~UkVh>2l2{k2X`1*jZAu`CY@jrQbsO?wuWN`N#$VX0wfDxUN`z>)l;;=i}= z@d}CD_|IXf^53ykMPH)tSgIN&2GrTjIuOmT6e5!b->15&ed1Q{PeNJR6kgZ{nj9XHRZECWc43!^LG2b$|%~&vn zYa}YJC7X0%;A_qtps3X37#3)3f-pfoXvUJIO-{n$xer`hC#NXP!knZ*f&d~c-(IEa zsC^wP*|jfLX{ypC-x4PP_l6RWX@svyO2?#~8s;dxG(cSzo46wMYHAEs|AuVQ-P@*S zpO)u7G6>hRam_(qWIxRbB~yi#NK7(xL+D5FX7FP(As#Hz$U=2yCw7W^vCRs73;Dh; zmJ6sQSq&)eq+YB7)eL;{_J0ysBvan1(0V{5r|k#E3UD6oO4{qTV&HNw)^TKwc&(|o zka|xd)!3MXuwTXc$`eb*EKa9aa`Fbx#Mcv~BU`**KOv}`24T5)?oYQO#|K8&2KL%V z^3bQa()x2=???2>YBTuW(LiSuEePPqU~9jXS7T|`su{PWUruo~^&xncITo$*0P72D zpCBa4!8{Tzagg0LB@SwceBg_?5bv&*v4-6BV6I_@`x&a`@sCjXDB`pxty z=)3J}_bxqF5hAJERr;0&ZlS+a}Y`b8LK!?)PqaI;fV4gF)K ze^_v^=WV1{h~Za_oZQ1`oJyzMrSsZ$-N4It4so4d++8+rpD(z|)67>y`eaq z$J5+#ze_u&dc>HMEEb)h7SpJy=2TT`lQ^(R!V5%$i$<5%U{;iojKL`A3h_Hg5baLl z%D(u#C+^{AiF^1RDLBI<{%B@xkWU+A)D-Lk;t3rYwGZcz}gwTqBNmp)shF#c8J5^JokB?Jw~`@zBtf* zBh2jKf`8;&H@o^Zqu#Qm^n#kJ8*T*h$*qbjt!9bfHpJn5H60OXLu~@KsyI69dP9pe zebJIL{1ve$A`s z@X{jF>_JP?RARr16`Geolqxs*4bHcU`tLjFHk-X%yG#vjV@yPfOvM7tvmqs+VBzJk{ri({WsSnM}(LMf4%tq!pg6H zE}1%u@>orrzOcryFzy*)`H~W+|8Vv204@tfCyIl#=T2=UM%l7_?-c@-U>r(@evlhMGZlNNHDMv~TbeEW4<8j#_fUvB9&x`>5~L`-ReHW2IW9 z!y*Jh;LYW5d=R0FK@tlgBx;LOd)AP^?{?g@QfU%y5FxPODcWoU3;fNti61w z$qx1D+ZV84rCC66i}u_(tR$!u$ed2W4)q@?h&!$L;~Z9w^nH0uF+u&+3rXIQljTh+ z>p=q6%g-gm`5>ER_kR`SW0}BHAI+~q-=LylvbOb*E$@oeM7pKajS?Wg z%!EU}B64Br9#5ZL@Qc&Oyo%Qa+p*St>q9=bX$!1>_xy}>p)#_2Mn(e8%1AMA!=*lZ zS{q8yn6(?F*n6fTkP-Di6t{lQ2+RM$Ze@jJ*GkRd@4FQpdcNKaYh`(Re<}^e2bC%r z((bipQD?#6K?_wE_={z@s!o1dUX>GPH!q^w5BmvW=b(Zs86 z(T}x}jY8MVa8*Oeri@Rq1Gi|)YrO{=XMAv&KaKTdPSgIugX8UUf2HWdR4{-EUG+!Ns=0qZ8yKWW`Oh2h`K1gx7=Xh0mO(cfedO+&>w1;~Go14QvQ`kU<8 zuTLVS|24|ZOdv|=-?f+YlSoac?XG`D>9aletgBIHO>pK}pJFYPaeqJS?Q<1 any 
any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;) \ No newline at end of file diff --git a/tests/mqtt-events-missing-connect/test.yaml b/tests/mqtt-events-missing-connect/test.yaml new file mode 100644 index 000000000..97bdb0e71 --- /dev/null +++ b/tests/mqtt-events-missing-connect/test.yaml 
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226000
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: missing_connect
diff --git a/tests/mqtt-events-unassigned-msgtype/input.pcap b/tests/mqtt-events-unassigned-msgtype/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..49c1ebe37d014b7220596d71b3735a0138ef4e07 GIT binary patch literal 1341 zc-p&ic+)~A1{MYcU}0bck{!lXaT>173~@kq90Mw7yPLqh<2i!{n**8zBRYSY6?^oP zu=52V&H|?YM;Htk7?@c8A7NqQ;3~eG-40g7%*+n5%?OWemAS;&#vVP*s_eiQ6`+lU z3xxjfK(`HqVYXQTZ3_cx3d8O<1)}{{2((ePL4b*YK?5krh_DG{OE}P$W}xC`?6&xl zXp02UmQYk%1hg4gd;>#5SPn7RFbL;XmgQ$Ar)C!CRu&`{7Z>Cgl`ycB7N-_5uz>g= zCq?7&I53zMhz@2|ptI)T^7s{?Em1(lQP^!!A<-6)$93SgbbxG8V1gvlJJgEEc|hAV z(fk9lsRLw-x*IbCC>0lAx5bJ?TR{GCLbZiKf`P3hzaTR?A}KKugmMy-vx_rQQwu=$ z+XC&602&j4-F_va?cV{mUlM4)7OMRZz@ZuCMy1rD3AAfBuFx!?t}TMtZ7IiX3-2Ch O5>m!)piNrX`~m any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;) +alert 
mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
diff --git a/tests/mqtt-events-unassigned-msgtype/test.yaml b/tests/mqtt-events-unassigned-msgtype/test.yaml
new file mode 100644
index 000000000..d87414136
--- /dev/null
+++ b/tests/mqtt-events-unassigned-msgtype/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226008
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: unassigned_msg_type
diff --git a/tests/mqtt-events-unintroduced/input.pcap b/tests/mqtt-events-unintroduced/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..01147de9b6f313b0cb5cb7cb8c4d8dd201e51c96 GIT binary patch literal 827 zc-p&ic+)~A1{MYcU}0bclKI9}alx)U3~@kq90Mw7yPLrM>o|i3n**8zBRYS|9rkFY z{2*=+X93gyBMb%%3`{KlkFYRta24O>(E}@DW@ZQ3mWA6kt_mY!Y-5j}a%YMCg9xCF zJPU;W??AT=gkiQd0Bs8cY6`>dHwB{o#sjo5vO$1}fk6W($cV5BWXoZoEv-Pst=Mhx zC(#xOpe^C3wg~7lu=xgh7N-<2A7Zd!5YDYE%g; any any (msg:"SURICATA MQTT CONNECT not seen before CONNACK"; app-layer-event:mqtt.missing_connect; classtype:protocol-command-decode; sid:2226000; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT PUBLISH not seen before PUBACK/PUBREL/PUBREC/PUBCOMP"; app-layer-event:mqtt.missing_publish; classtype:protocol-command-decode; sid:2226001; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT SUBSCRIBE not seen before SUBACK"; app-layer-event:mqtt.missing_subscribe; classtype:protocol-command-decode; sid:2226002; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT UNSUBSCRIBE not seen before UNSUBACK"; app-layer-event:mqtt.missing_unsubscribe; classtype:protocol-command-decode; sid:2226003; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT duplicate CONNECT"; app-layer-event:mqtt.double_connect; classtype:protocol-command-decode; sid:2226004; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT message seen before CONNECT/CONNACK completion"; app-layer-event:mqtt.unintroduced_message; classtype:protocol-command-decode; sid:2226005; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-event:mqtt.invalid_qos_level; classtype:protocol-command-decode; sid:2226006; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2226007; rev:1;) +alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; 
app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2226008; rev:1;)
\ No newline at end of file
diff --git a/tests/mqtt-events-unintroduced/test.yaml b/tests/mqtt-events-unintroduced/test.yaml
new file mode 100644
index 000000000..c5ed38a5e
--- /dev/null
+++ b/tests/mqtt-events-unintroduced/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2226005
+
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: unintroduced_message
diff --git a/tests/mqtt-limit-1/input.pcap b/tests/mqtt-limit-1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cf8fe04737662e8b724f30065532ca94d4f74414 GIT binary patch literal 205002 zc-rmOL1>%T0l@L6&#GjpplN0pvx}XOfmbrfa@s)$Gkh2Wmjr^RSs*(bqz4}YQ_D(E zA3f+$2+W7TC=8lI*i9L`c%z379Ab}+u+c&fo7$ejZd+#<>qYK+GF~m&N#$Y2w*G$b zLcXU@{CV#a-}8Grzr2@)V)#rk6ym>+8vE@x|5gd@`2Tho)$MQ8iYsBUv^4fXVf?z+ zDYpjg>a}$7R(9|(TnQm79y}~&)78fEgZ<%6Q&Z(syZ4M*r#nfl-0F4a`;UvUc>S%J zgI|r;(m1N!kG0kKrPb5dwlMM9uE*kYc|8kZF-{gfE2YYlSh*E%zIA%#${8zjvGT3a zO1&0}E7xz_C}yD%vTNT=)xSJrZE+_TCf>>CV)^FN*0%U@C9K7p*G{ioI%6fR?eb`4 zAv^pXUjF!;p4H7*t2}KzKm2ZH-Tp?c z(+vxyrLhkR1tzn`%xOH^5=7|WXCJJN0oo1N*;z| zyi#1rC#du~5P?l?1syum8C3Xsr0>Ptf#m#$$AbC_^sJkn|a!Lewr$I7><+c$tT~nnWJ6H z$0}Fu-zkNuTeolfnF0U+00000000000000000000000000000000000@CCNl*l*uE zsD#xJhU2(yf1_4h2@9pAu@4I4*S$`;HCW%8o&Vs)nY>!gRHaozq#t+)~vN=suO6vnT6opNiizBN1l!Q+{{9$pTMak4O7 zZ7gr^rjaTih3dIhvT$1EAXV}(9OIQvH=m$VZuL5;kV>hNk5&9;000000000000000 z000000000000000000000001>+1zXFx3fYu9F)Rv9M|n{)H>bLZ%a#~^Pw<)U2gR{ z^B=xAGg#l6&F8XE`eU3dOjjGr+q-GlX8``|kHZV`I9!dV+G;p?92Qr?!sj1{y-vB6 zj>7p5Z@it?vk(?XkHg=`%37#~?-avuoU9aQ&RB_uZt<%}mED(8NZl>4dYoWOIACQ*x>-sr8qIcr5 zUKxEvX-V%tA0JUMmENtN(<6E%)^E^%T0l@L6&#GjpplN0pvx}XOfmbrfa@s)$Gkh2Wmjr^RSs*(bqz4}YQ_D(E zA3f+$2+W7TC=8lI*i9L`c%z379Ab}+u+c&fo7$ejZd+#<>qYK+GF~m&N#$Y2w*G$b zLcXU@{CV#a-}8Grzr2@)V)#rk6ym>+8vE@x|5gd@`2Tho)$MQ8iYsBUv^4fXVf?z+ zDYpjg>a}$7R(9|(TnQm79y}~&)78fEgZ<%6Q&Z(syZ4M*r#nfl-0F4a`;UvUc>S%J zgI|r;(m1N!kG0kKrPb5dwlMM9uE*kYc|8kZF-{gfE2YYlSh*E%zIA%#${8zjvGT3a zO1&0}E7xz_C}yD%vTNT=)xSJrZE+_TCf>>CV)^FN*0%U@C9K7p*G{ioI%6fR?eb`4 zAv^pXUjF!;p4H7*t2}KzKm2ZH-Tp?c z(+vxyrLhkR1tzn`%xOH^5=7|WXCJJN0oo1N*;z| zyi#1rC#du~5P?l?1syum8C3Xsr0>Ptf#m#$$AbC_^sJkn|a!Lewr$I7><+c$tT~nnWJ6H z$0}Fu-zkNuTeolfnF0U+00000000000000000000000000000000000@CCNl*l*uE zsD#xJhU2(yf1_4h2@9pAu@4I4*S$`;HCW%8o&Vs)nY>!gRHaozq#t+)~vN=suO6vnT6opNiizBN1l!Q+{{9$pTMak4O7 zZ7gr^rjaTih3dIhvT$1EAXV}(9OIQvH=m$VZuL5;kV>hNk5&9;000000000000000 
z000000000000000000000001>+1zXFx3fYu9F)Rv9M|n{)H>bLZ%a#~^Pw<)U2gR{ z^B=xAGg#l6&F8XE`eU3dOjjGr+q-GlX8``|kHZV`I9!dV+G;p?92Qr?!sj1{y-vB6 zj>7p5Z@it?vk(?XkHg=`%37#~?-avuoU9aQ&RB_uZt<%}mED(8NZl>4dYoWOIACQ*x>-sr8qIcr5 zUKxEvX-V%tA0JUMmENtN(<6E%)^E^%T0l@L6&#GjpplN0pvx}XOfmbrfa@s)$Gkh2Wmjr^RSs*(bqz4}YQ_D(E zA3f+$2+W7TC=8lI*i9L`c%z379Ab}+u+c&fo7$ejZd+#<>qYK+GF~m&N#$Y2w*G$b zLcXU@{CV#a-}8Grzr2@)V)#rk6ym>+8vE@x|5gd@`2Tho)$MQ8iYsBUv^4fXVf?z+ zDYpjg>a}$7R(9|(TnQm79y}~&)78fEgZ<%6Q&Z(syZ4M*r#nfl-0F4a`;UvUc>S%J zgI|r;(m1N!kG0kKrPb5dwlMM9uE*kYc|8kZF-{gfE2YYlSh*E%zIA%#${8zjvGT3a zO1&0}E7xz_C}yD%vTNT=)xSJrZE+_TCf>>CV)^FN*0%U@C9K7p*G{ioI%6fR?eb`4 zAv^pXUjF!;p4H7*t2}KzKm2ZH-Tp?c z(+vxyrLhkR1tzn`%xOH^5=7|WXCJJN0oo1N*;z| zyi#1rC#du~5P?l?1syum8C3Xsr0>Ptf#m#$$AbC_^sJkn|a!Lewr$I7><+c$tT~nnWJ6H z$0}Fu-zkNuTeolfnF0U+00000000000000000000000000000000000@CCNl*l*uE zsD#xJhU2(yf1_4h2@9pAu@4I4*S$`;HCW%8o&Vs)nY>!gRHaozq#t+)~vN=suO6vnT6opNiizBN1l!Q+{{9$pTMak4O7 zZ7gr^rjaTih3dIhvT$1EAXV}(9OIQvH=m$VZuL5;kV>hNk5&9;000000000000000 z000000000000000000000001>+1zXFx3fYu9F)Rv9M|n{)H>bLZ%a#~^Pw<)U2gR{ z^B=xAGg#l6&F8XE`eU3dOjjGr+q-GlX8``|kHZV`I9!dV+G;p?92Qr?!sj1{y-vB6 zj>7p5Z@it?vk(?XkHg=`%37#~?-avuoU9aQ&RB_uZt<%}mED(8NZl>4dYoWOIACQ*x>-sr8qIcr5 zUKxEvX-V%tA0JUMmENtN(<6E%)^E^H`%Ilx_4E1hXij2cmV(j1>TN=gn{K_+*Nx`gp7=S z#qI1rb3-op@ZWGlHyMggFz&=aaMXH72(SGsx2x+{Zb(z8fIgy={=e6a{=e2u3&9cd z;SD4JxP?H1e&=+>g&M)d6G80x@3~0-54n&dxG4OY%MEG(MO{l*7qu0TM7{|SUpdeV zV&egzxIKVCu4JJ9&zfG@mHxlBD<(n?*Z-txID$(kf;jZwbJ6`Da=Fsf^v_)A`2m23 z0l*>z*dBO!x^nT!3JS=J^73-=ipmRc3CP~zpso(EBZkBP&_RR%@-;IAI}jy+`U_)A5Y=z61L)Q-GziT=d{=jX z7IAri_^;usDfRjV_}@&b3Y!a_R_*9{}EU z4X}QA-D3)P3gBR1U|?e4U}EABU}Iqukl^Fs;FFLO5s?rPkrUutmtP+LzJPGCv2pQm zZ{XqGAjZSPBfh%f5&!H$@ZSso{{RqR0A|2DWDo;@L;yl20KsPvs$#+0K{5y_Q9;+` z7nP9_%Aug5p<`fTVT1nKh_D&*uZ=eV5DEwx2?Yri9Ss8&8AkxoNPvuTlaLSfj@APr z2KPt&XvEPOWwMM+B-$S>1q3}F56Pi3$LMU&?N~vCNHfcyu-uK+wU%$q@)RZ;)|7t3#uTHhqRbSd9iz00*rBuZQNSTL%&*gHfmMQ)p2E4hsZXXmwF(Xl zI_lxS>g^)7#C2D_bTSDHzmt+Jza7%DPN8$ER9)1AOzC(eS@$8`s7@lRp!a|| 
z-R6u-ch=$@e^0e!HGX;KX^;3bXDIVjjs904c6GJBuLL49M=CPfX_dt9gi8l@epC_? zqE=N>oONW<;=f9q^2X)^KLz+^t|%V4V%OQaU%ukY4~mAVc3ifBGWFRp$|jC~QVR~i z2me*sj=7FVT;6#M^be){Me@$*uK}4GO;UbC`B8nJbFv^|CFJv#=2Ig2V{o9etTaFT z;!GyU_FO|`)8OF61?dsJ<1`#Vfdj){m${QhsnK^vVENUUTV+Es$KvY=peIS^syp>h zD9!oMGh#mOSCdHHWG5pIu5$jl48w%_8uvUU)}yv0J?84KO7u z@`3|s!KJ5afgAXBUB;@K+nIe#F$Ts3zY2~}kXZ&k^sgGh*8HAeBb{gUsWHDhaz7lK z-83|AToIY7`noBUcF9qEx)@hM8h+cW>Fldaw0Xgr~^6Zh+7NyP>bV~35Q$!YfaKMX3^-6yl5hOooq!--(I}$1&-EOw zMdUTn=A+%{(hWF}hS12|;jbF+J*j@&V7;%)X&}VhR6U~_HwYR1nrJIl0-e%pP$F}g zVG#>*xuCnKS>>!U(RP!(eU*j=IVz!*k^14M9zTbv^&qng9@^wYr3P4VUy1i8 zDl_YqDH(UU46g?9vQPLqm8VpUjy=o4TcieOq3Po{$wjkTSKz>hjXS5Y{XQ3tyT(wl z-JnC!+9ni7%FFERc0RcuP-cHP5O6L{e4)9n{zdG_QiP-$OZB$j`^wZ_n{>sIkgdWK zDWiQ)VXr&)ATwtA{w6Q!a)ct9b7y-GWZXSk4B^0H??6Pz$y!d$XvhwQ!MOs@g&w;o zghH+Eoz3}R;`1jXZ5^%khVCzSzbh{DE{vYm);Pd{0TVdzgGgp`1P)~Dzfe0Jd6DSo zzV)D^zO5?xC4^dY$jbTfYz7WsbaDs0^E?mEO51RXm_p_8om5qF^Ku49!vXR~uzJ7M zi7`tuviHF0S5M~1Q;F)!0Ml_kIa5 z%SSgWM|-F4?Pd-8rF87)D)j~ zkF1E1UvR9!fhmvFs+uoHRqs?&l=lm4oX?k~;#~BcPFLSpoN_7%r9Szp+8jVt)v^z> zC^{0^gniQ%UihXv#+Uje1q27OG&5n4%pl{Ao{ui(5B$6qyqp}XpI7YBZJug|jOahz zON_Jt5s+K8vH83Sc0K7uBflH8(R$H#-<$9xWU1kTL-YU#s{%JTy2i8IM`2vNB?sqX zV8+PIYF(&FM(WF(!5%sCaj|}P@bqSvYgNg4UziE>eg$-{f*{H(yr{u3l`5m(D{ZsE z>DH?6 z?71Z004F5k75Q1fWdh9gWEC+-+$P|FOZo*vJziYO#$~#O$y*NL$Eu)d6tUjZdjm73 zA+XETh*5}B7OQusUZaycIJM8!HFV8`qcGc3Vj@z>R!W$%Cp@(al8ji~;U1D{rn}+g z-(Sb`GUq*_P6Ycvs=5eHTkfKgH8&hq<8VTQYYY!1;lQ)|TX2BJ z;@INM=YkcQ1*_Mi(Ig%Le>ptMuf*i^iQ0X;wH$|H9I% zcPuRE$EK>#n{7S5l$-$rgEiQ~FV`$n+VFOD&xtG*@{b!a|VJoU#o|yIJLFa)pBx7<%bbEGZSVc7pm>O z&3oa!mc3&ptI5*IDW^U|w9tz@hpdtMJ^v$ptM}Z&tcJw3WKOJIQfX4qK@Mzz=67K<_pB0uUCqh zXw@yy^eJk)NgJnrz$_dE8 zaFy@!SW-%V3v697B@F-Mo8j!KFwgy!Lu`Kq+^jIZHMe6@p>B^aSvZLp&1|j?OW7Kd zK`muv(LuiZM$us0l6dj1+HK0Ax(>f_rG5W+6ZVoZ({+yOR?2T0TN+(eQ^5&){l#AC zX1kF*F!Ri%w_a7@?r^{Y;@-06Y>Gab1|2@tG^&uupIRB?o6%FW+F;%aauL7RLp@Ve zc$s86cI$h0xYFRO7W~Ck15Pz}>o@YT?@mKj2ILRSm-WW@x`*m;f@}k))`aSL}sb%~UoOlG1r`$fJIG_U7E8u(U41 
zF@-x@E|>nx*d^E@3Xe@Oz9;gy*@bR9vxSe&w}ZWqaXVIS&F4Jd=ll*FD6||uo$-MV z^@Xf%*o3$rL|srCh+OiVW?jgFo%Zl|u5;h#=O_pa|`xh|1GsGOw`7r_G%zjIz zt>#-_BjS2N#d*)8lXu|xOG&K*{VKK{e^qWbn-^S20V6E*&alcypGz&rBVv;+v?>Nm*{bRrUNUFE z{F4iVXQo7|XNM4Wx#aTaF}O%Q6W}<^oqg}Gai(z+r6C0eT^`g2&~O*ZoZnC1$tGj>f`Gco9o?{LAJggfd(_{leBL z!lY%*;O2pR6X2Di=q2IomD_od)}mgVQKPvc70~3!Rk5EOL^r5sP<+0&72F&;bD$$= zxM#xh3S!b2H8Mimdg>E0^|DpmnkkYE8R{xzjhIw7@Nv|F^!7r$5Sw?$jF7e0c__Di zkimWP9!g&>ueZekA$_K2$+1JHuk4R(JR76H7t2=7MiNcp9P18S zHoVWw?iDHKM@Vl~S|F@j5aes8?lTr%VRmTXGTA&hq*T^i(s_Y?kr}m3XE(cX3T~8s zIYfPXwU9o2o%#Ou+sJ1dmvz>#gacL{_9ykps|AxY^W)9X_i!L-5%KN|YdP0Lxcyn_ zd1dkYHaHOBI2BZ~A0#vQ#qsD=x^`dY&bsp{U0-n7c~@?ENXLb5-)VoF*;W}Gu&bwB zlec8aKf1_7%)O^4NFKM3c|SY~qo-VFANd${+_AdVaoXdvT@hs6o=~`*9Efq+D1Xk;AQNQl%~!FEgTrP_!3e^ zcjg$9)96nd?*Fw?!fvAGOv)?`x`$XAO`0bAs-HPaiKRI{l^tB3t>F6fS1%gRo|7Ok zQzXjfgz%aXQ7nXeOgk>dk6#QQrkh>9w>oewloH>tZLZ%dPg^Sggf|hfuDiJj4ml1{ zo>jKIFg;CAJa|I5QP1z#Wh0#A{iRE?_BsE!#FtaVsYiS)&r7AO<-z_9ey20uQjsA@ z*;L)YndZ907k)UPc!@oH!Q9+|*!aStLuU)iB99D%hg^%61$nokPa?{Tj}i0m+^ju79qnS~ow%?xKM8 zZt3h}F?-Fs;d79(mV&UjD%H8A0OqU_NJP9axW}MiY?PCz`Qk;$m`$eRHMWo%JBY@87>n;U2o$ci}z%u-|5OSnYCQF>>C1>r5~AbnUg(R*dW7i0u9h z&)N%%8nkezosOexetf7)@z*S$N~6`FjOrkk{=O}n&;(d;-7{DHk7Xr7MpkW79D*`A z;6g{bea<79Q#i2gIGn$KLF%uyx=Fz=LvB00;00Y z>L@=m1?bdQF*XEnjbpyX-B{T%-Q)R4o{+`xF%XJ&x z?=euBhrf)7`%5MQ0BEo46o0NG?_Jk1e~+bJVOeinSFnBytzL6MKKLc#$75@YXmLW^ z(SGUl6O)mc^c#l%`fhv`ar^}%bbaUg9dkYA@ipuQ0PufXkXNpn|NgdXTVVWR(Vx-M z+dr>g+Gu~X)6Y8Pb>vU;H|c+>V0IN{MF6+}1n>ep05D($JODfqmj&PixB_;F>t6%Z ze+gP&jqqE1_CH3o{~+pBaq)6;0)EaMG)q@67i);7rGwS)?b=qJe7`E7i-opJtf#B<&-za>wC(JFX}?wu4dMj0vVrJ3sX?yB{}Uh7>ox>Hcr}-=E6R8O zFgCiKhpU&{pHOJ79$-7Li;atyGopqguXEK&^BQ+$$*YWnqK%7<#{*9r>uc%#+-!a! 
z#`;Nog}G``cDAGczo0*|mxq(CyrJ%&jsItiI>gTAPZ+cZPM*3C?EZwqv$8?-v+?y* zhA8Q(t693bI$bqj{EGe)F{Zt%hyNWXu-&hg!vCqf(y!<%>ss5`KJaq7%86lm+jw~X z8*=?$(SIh#wzQLTb#nFigK-Idc92#4t>H=x4Of?|C#I*Xo2Hj1#O9BN!*W6x@?Wqx zmad)%gZ>L18{uO6zmi|Cty@3)T}@}1ZQyr2@o#Go>AHSJ0TA*3Vxo753*j!%HvlNP zf1Qya|0e_SPX^+j48%Vfh<`E=|70Nk$w2&*f%qo_@lOWgpA5u58Hj%}5dUN#{>ec6 zlY#gr1MyD=;{U}A#C7!S=5=&P?0Oe<79Q`^djo<;F$1zlvle4&|t*M}_CV$NqM@bFr;)-+w0GwSs zJ+u{N=?#sH>CyWUeJ}wufDZs3SV7#>brf{31HAHb^biEmpTpvZV?RTrBV0=N=;?v~ zSs}1;^YBCrbM-?C0c#tG6#{;WfSr6i-LCLg@ke4y$151=D)LC|fe;V@lV8DhKVi;m znxF7h#(>z`*~J>>Zz?Of2J#Boie-9z&>gIPHU8TQe z#YWF3CMHU+WaHyx17Vw5N6LGZ1O-@3?85JH!k| z_^o>25BiW^%@=!5Pd9NM9v>ecZm^9N_mx3^EB{A=|DybXANSR8znO>r?$78t{gvIU zT%BCKJm?{A53FqHx&Atd|JNP=y&Rm{Hnuh%HZF)B`iNNucCkaa+r=8}33hd%2fO?y zC;l(H{iXbz*H_y`_9Z}U!42FPAO?^(djS+8YyjCb?aJ%F`ArQ|AGlh126W3m=ly?5 zbssmtxIp^<>3wdo|Hocun=1qF+c&(0*t^dfD7OUL;wlkHXskE0Gfa< zU<8;0R*0?28SnsnfI#38@EiyOUITGJ5|9pL1NlG+P!7}pjlf5s6X*d30T?g^d;=DN zbzmDf1kOMp5IP7KLC`cM44^jhZgN#7;L3SV)kQXQr^aKNd8Dq zks^`aB4r{KAyp%NMCw6;A$>zyM>;?Tkg<_Tk#8b%A&Vl*A!{NVBikZ-AO|CdBF7_V zB9|c7BX=Q>Ab&&NKt4f1Lm@(;N8v(|Kv6=`L$N|}M+rs=M@d4-L#ak-M;SqxL)k{T zM8!p=M&&>iM^#2OM72ZpL4A%IkD7~Gh1!7%LtR8YL_ycakFefi zm0)#XO=In0V`DR5i(zYFgRviCzr}u!{Rw*x`viv&haE=_#}vm4ClUvW^8sf9XAc(_ zmj(AWt}(7BZX|9#ZX51b++#cKl@%{1R@hk8L z@HcK?-e9>QcjLj0;2X&|>TZnRI3OS*;3Lo^a3%;RC?M!2SRq6wWFeF%v?hE?m_^t| zxIlzV#7HDZWJUCZD4VE*XptC=n3Y(W*nv2VxR|(~c$1DkDKaSw zsWPb(X%uNW=@{uL84cMTG8?j2WF=(7WJlywv}Jt5*vh!gM8~Ag6v$M_G|7y~EXr)poWR`0e8j@aV!-l(rG{mN zm7GyvZ1kwvN^J)vJJ8$u?w-=vnR6;a3FCAbAUNgIfgh< zImI|#I5RoNxp27daCvhTa?Np*a;tGa=C0xX!NbI3%oEMi#dFCk#OuVH%{#?M$fv^h zn6I91m!F;Aia(iuQ~*~%K_En+R$xbvL(oPrP4J5lk&wF33!zq_3tddO)q_4`knMQnVT{XWHM#uZ!_MuzMXq}`3~D1hdV`ge#r95ddODE9?6Nz1<8H5 zi+oq{Zs^^9c|v(T`6T(T3JeN%3WW;Wib9G3iXW6vl~k3YmBy86l&zHWmA6$yRDx96 zRdG~xRFhQa)!5ZM)auod)K%1D)u%O>HC!}mGyzRz%~;Kud#v}|?=@(lY2DLG)>_i$ z(+hP`lX;T`zQqHJiuVI_8VY1a1waOLCGQA z;mA?b5$XtcGH@z&#&EvxT<1dQ;^@-uO6%(DI^@RT_T258ySRIt`?iOwM=k^eF@w~4 
z5+e>%y0`vHQL9TlQD*&j~;YunK4myczf?a4zUh zP)0B)*fO{^gfZl4$l^oAhk1{%9yvbhd(8Vd=JEa$gD3S*X`ViOy6{Z#S>bcM=N`|; zUr4-2e~I!E{IdU*z^lYpm!a07pTl^=;=|6vt-?P?@I}0hfJfR!_D2avrM*Ub?ecmo zS|&O#h9Jg2W+7HRw)zeIo6tA=aTami@q+Q`30MhU3E$qTy{%1TN_?Goo@Ac{OO{P8 zO`%SCm2#A7ojRO$JFO(0COs_u^d0!!mkh;>>P(i*_$;(6@2sV4{p_wB(VYBT%G|Kr z3#be9Tb_1ad%j41egSnsR3TEKSK(@rY0+Tu-QwC3u9A#W($cW^z!R8 zTPs8>N-CKvQ>uunLaRa5e%0GG_BG#XjcSMLRO(vmCF-jhxEr92Hye|iNSdOWv6`PY z!(04Y4nDYj*!XDoaiP_sb*jyaFS%>Z|G(?ynvY8K@l;8>}Ca9BLkx8U8qOccgPvd9(+n0UH|A8~ZYDI{xj8 z^_P_ir-_|O@5!^NhtsIjp))sT;=fXV&75VME&V3^t!eJ=T<^Tj{M3Tg!uof}_w&W4 zOSnt%%XG{6EBq^ss|u@wYbI-p>u&338_zchHdB7w`cb)cd#iWbaC>pbV+Xz)zDKbK z-51<%J-B!9_0ak7>?rh@;yCX_^rY+5;B@)S=N$d~?FHLK{iW*VG~5{uhfg6sJuuL& z3gV7|gMp5LgNKEIfrWPi7Z(o~_r`yfaz_jT!oK`XxXRlT{7>`t zATuPxKjiJ(0qUzHJQDIB&oyZ1s2Ct*l&fEEYux}q$Vf;?n0Pp-2+Z{_Ew5Ad1cW!y ziHI5a`0u!v3kl0=X+N;^fIN=L$gChCWfTzfd=y>QIy6isryKi`Nykd>Nmg6s+}-(Y z#E_I%>3?L<9~mNsMnk$1<}Lw%1VTbW#Xv_xV6KHiup>YrM7_zU1X(R_ps6GXyt zX}M4z)__K99x~F&Vi-yPET{8Vk?Mo5RZ zqNJuXzOSzL-9jrM>9Ra_;6#-aosfKwI#_80S=kE~27mDjyT_^#oz5O(Y6n}N;K1k} z#Rg(0ubn2vPEJr|GQ2q;U(W8HwCr}0O|H`9ADz3_&^NgoTW0K@qkG9HCd4HP!*N)wW?;_+e~Q%Mvu_tMmC=4v!}58}X7t!re#Fv8Yjt0FvA~e@->P3RI^2vwVgYgC>yDoVLPxfJC!v&>NUOW*koH_mq?XTpsH)8#DeLm z?8Y@COl590g}&NI%*e^_sP}y-4hgI18Hnih7#aa< zguhu}_6l|i6D4oJovW!w8)FL4iSDQChoBvWtOmcn zySF`nulO4HTgp9RB#tQS!E&LLa*g($#+S<>kE>YE7*yl9aKzRsg$z=2&+D5|FLR~N^SSI!d=7P4*mb&Fd)!8S)ifL3X@8z^yYdup}Bbl(KmBn z?I|_lM3D5XF?sjmdlp7VmfX#T&ILO}M(b3L<=W4RzUMlu=PbK7F37r`$-1yEnG7wtKJn1;MluAn~=C;3Ztg|x)pp~U; z=0f93GT9BOaya`H_?iy1huhw|U{kX%FLF7(+O4qpklH4&;VHC(T%GVgn`djz8oy; zj%nv)J!bbl!_g{Os@w`x?MqAYPcay*;xhI;g;Jd@Ty#%rlR+^LZCpKD$`}C}O!B`^ zTNDXvHWIGUXb*Wc%V{8|S4(Up`J)f-Ncy z0OS~P#8)*@apamv)qdfpqPP|pXN!;7#BaV)R5$cS^X$FzV3jZ(r%Dp`bAOX|INo05 zXl0d*t5aw3q5Q*buNRVkpZLhwVe~WP!Bus(MGi_|y~SuQafX&lU$JK7KMP4DnmVew z*JVtxs{7>fR@Hoz=VE*|bG`DLx0oLu&iAJPfS7(A0d-zp ztiF2j^f1edC8-+f0^YcS3?ehm;gKf4J&#}%zY+*_l*9L>0RZ!2~9QsyUUh%RNeVXmqOzz(2=g`L+(X%O$iDhi& 
zDZ|PdDdxpHORCGrBxol)&NZ0bjx*eWAzBPoaGL+@cOE4nv+=bwt z8D$(t9J3CMrdB$V&^cCPzhpvy>0#(98;jah=VJ}U&PD^)C25$^_I?3ZVCrg5gSov$ zq}6w^s)9RkfCfs3Q?dP7eVe9_{g#c)9yIlf@LAhfiOFl&25@yUEo-Q3zL+<5ESoxf0B>yvW zU*0+MnEwYycwW#)`Oqn|Id%2Lzb)c&fiu%6deVaTtrqQCr3>|Ctw{?=GG)#uRE z7K{OnB5D%K3%a?aRUOv@xhf)@)o#_eoZNB=6agPpLW?Zm%?IlD|P33Pb=mMjFmNr zjL%5!AB9}>NlRAE<=1}ZImr;HFNyJ|Ok`t!Th>Ro($umj@!9UZ^H*c46i;r`RY#h4 zOFYQd<{VQ)?tM%0^>b_3y?J2<)M3h64BqxH3p#v4w4PP9IMxld)TJ>W4(^w}=+KE1 zlPvDk3UVP@3(@I;1C&o;^2N5{O|=J^s{jpn;BWIF8~OxR1BQVt) zQYUY<#P{-wSK6PJ9S--CWA@e4;>nuh)Xn?!E?3CKMWcFO^e4jsr~WC6(?%Yj%()Fu^w1C<`3EVA2L}q6r_ubLl!y)fJr+d=$j>%iKOQF4 zSDL1Lf-&yQG`Uvhh^?FJadN$O^sX0oKr1=*DT>lWlg0;k_(S|{O9Ewc(+b?-fNoXG zq{&d_?hs@>`Q$EuX?qL+m~s<4kspbpT}!;QvXCkH@2ZOX&l>dyJU~FeQkpiEM$p!tgA*_=+>TJb-c~i3EhqMGI?s1O=c@& zn8$XBa=hJrRBO$@X~I&c`A^1c4G$Qw5|WC`@99WJMPw%j5H?^6Z`6P8q0s-)u+i(V z^x0a;q(6E2%!L z9H^>zb6#=oi$hpXKR;DeYx?ZX2MwF>l{fhOY=Nw=qC@jTSq4~Ek6qW{2d2%BzJSXZ zmpA#$7cMOU5s@q?v z=Q?gVO?imT^xu8J0(9ISd?fw43b|E!qc0!zD+rk`b{DHn7v>Y(C@Pb_6~E50dh2UZ zO_>KQ-$r*M^_vfukh^cauY+GsiDnjUoy>||+Z@!~&nln$O${McwRlE0B%?;a>vK|d z@4lt{@`6ks1I(}$4rmv~X$*cX~GkXg$IFAS4&(kqOWoKnpw;jgxU$K-N<3i?dU?#CtQ^VnX6=5lF`-2u+Y?-y8k@lGKyhba0c;WvW85;xXI za@Zr?V=J`Bzx7Gll0ME6kA57USyH}sLMl!ksAHk$T+wZyuy5TLfH-LYZ-hBZST2^ko%Fboh4a2K)}Frn!6oRIWSlWo?aelKjL$H+#BBx)dtyib~*;}jHcGf;MJ74E9G=?Bzy41$G%YC^ddPi$imGb-Xe86PW zVU-^Koy9sY@zPJ-gWBz~Vp6@yM&kCuo6&}fmfr}y&n}fY!fX=Ds;5$r#we1%3681Kb+E0E7S&y=wBgpo z)Ht*8YgwAOj7{&-lxFarpmn&kIKj$$Sr;A9EL<~KH>f4ztuZ~MSNKNV{OpW}H)=k` zfH`2+wMNQF0jA&0;l)|lQ+m;yNGw=ZZ*z4LT=NYMxK}+J>dq0r@E;WpR0uAm zuqcT0v{Ui+5GKtG&=_`)^4i@!=o`m+1_$c5Mz@jf?g%Yyu~&rje&)+iVIP7L*D|uw zGBmf>mCuPE{}|D9RT`MsY3exO)izN0{Ji(DGe$^|HuOMYsm^xX?e)mG<5~{>*v-|- zZaK1-PZ#2giYE14)|Y$>Uu50t5fWX~=;M%y_Pp8sv3s0)MN}uY%PUVs)!9tL&)Hq7 zdmyu3y5f6w78z?fTMP1<0hqhSm9Vm~!=Og5|Gj?G>&>Xiw=buo>s2$8rY6OM1?TbC zzn>+ZsmZ!Ij^Rno@8H&a?lYUs?vHq|lAXYcYxb$<9NbPf-hCu+m?$ap%4N?SOkY$O z_+IUzxYt93b2>EQn}hdV-Ob!Y@Y>BhR~&7j)r7}+&;sB3oqSA{qDgIaC~KLNUH4qR 
zs4}~|I@Hdlw&COMIOAlL!_qhdJCC1cR;gGkSNIkg_FYexcX5nHru(tNSrrPI?C#M4 z)~X9>jFqZoN&mi=Q3fZzI$KL85)Pt#F(Wsp@NbFm)!Hu(G+#w2WE|Z))=EEKeu+4-xgI8- zQvbH9aWH6q4n%vsCuV;9IKG}US)EIH5~H9RPR zf`(3Or%r6Fi}6&$q^XZ5&EkQejrISQHkBaMJ;% z^iuH94)jKd1?%*{q$Q}wU!QTyZioLUYv?R5@Ye6XjO8TqDXROZ|9LeYoDrZ`;;mHA zt%0kQ8msap?i*!9$)=EaN&cK^-Iu(rkESm6=Xw?@xlnCwZD*tEv8uu)#|7T~3tE>O z;ilR?%B=bEO2F#N+W-i^%g0B1n139(JibswCBHSArKs_UWFn#cAj~ANFjjJc>M$On z*aTY!lRt?WCYfVg_ELkMpGcm$c%EB`-lM{p3NMTl!`emeZ+9ynlPGWrdhjrA8QiK~JV2A-Y$#>>c z!BU;{q60DMtB%^G9+K(Bq7i>ZywsA}pem9&&MyeZ!srallQojlFzU4!dX(~w2tD`& zt?%xTMJ&~Bec*!dkZ>X_(4dKIRJCxM-whNg&DregExe6R>-hq2zLd{rIEWOV zr9YJTNo`@T*?zkGlkSSlXT|8lrLAn=A0<*e034sSEq#@m3m_A&5-we95yjH8{X^nHRec&5NpTOia0% zeDebD#pi}hwNJL6LgX@bOIG6c6TYl%o7<;8K2w+G>5e-FzV|;xu8wCJ&_Th|Q|Mu2 z)YBkV6r(EKVvTk3Qz$kYFyf%;&K;|hGG^(gLpQFE&5rGHoSAZ2Ky^}Q=VFg2ni4WC zeU#WZmmHTUJQ2;3`)!6`ImUOT{>y`KAvTSa6n6QJl3bf-N*ZDr%*;*5GxqhmM(bHc zkMy)e%DX-tdQ^q5&7ptNxEGURmSQ&YjhXy2H@|_pQIpa6n$|yJu)4zQ3ar__%S~lBEC4O&1OXbssqh)6#0S73{*&{H(sljP2RqO16i&_UxCX1u$T>BC4GN74uq-a8khcF`JixNiB`NK71@5%hsH!#eU z9~z_`AG6>9BvX|s`gP}twP_+HM@m!n-98nEWi#f_&Hk&Rw*G}Wm7}Ab7ZKd6YKk{y z1@qS+OC>9cu4l^RSdztd+Ww<{)7FQyw?TagfW+#pHODmyRb|RTno%=zkjDWhzz_nHbUmYQ0zO>b1mkxkN?O#B}A86ZazK7F|X*cy+E zIsf1*GQ*0F35RVQNIP=fc6-695BU~pwMuwaMz;Le zva|uK9|7gpn4~0GKi;^s{n&h{clYTIC83}X25d$G1e_9ul;Eds7P z-&ZOhk$$Cb8=9R$W=b7o!dhmi%G=nFCQ5kw5f0$xx0J>Xx~?g8t(>bnsjcZecK5Dm z)c^D)>uKjbs4QX_3hnY}6{<5g>S0{K8#N zTf=y)@;u^HXmw0|#HV_y5CA>=4C1Z0pT}MOg=1F#IF+Bhkg~IYMMHnPlyB>jMhCIq zzndNX`aHa&pD*QpF;mjAqLq+MWLu{Ox5kdQf7+<8u;f~t-D`~`(wlVe=j@Aw2uBsQ zSI6|39L9yH;#G6fGH+W9?b|8hQhJeOC$Be;DR$~TQyEU78BuMpM0JcR5T0tk$BJ?z zH&_5>HZ;T;$Bv_{RbN^)yqv^TNM+DOX&~1ZcSd~LUv^ju$dQb@Dcu{pZI{?3$c#7a z*xvYP9H%&mMWvrJLJ=wuEAW0(!xR8+t(uqjFcr2jrX1`g2z*=AVb(P#Hci+N74_aK zK1fy3*T4PVTRO|ie$5dkt!*TnZ9Zc7vM#8^-GY>*3#JxSpBXE4&cC|&t%=AYdz@HM zB`T*&^X$N@}sDo}k8jMDfWIgdVtMp;!O4qHE3h@GS!o1NvvB+Z|_saVlXS}+Y( zVOaZbc6xHYberN6k6nQW%|ohFQHlBw@g!IAXgbU-x3W(;Y1LDS+0fk$-ZrdChoQ&X 
z$zvPi=U6Y*bIji0m4hNr>*P^F}j4?()MYEBXs` z`HU+2`P+8w(On!g#6^mo`}$2KW1(TKp}K~T$G4@19Tb);OSEqnPD?zJgnf-aeXaib z+g)Ra8k)U!!~0f}0{Jdp!l`HJLT@X*3@9gf3c!Uv#r97g;@Q{w7r%E& zj$oEH+Kg3zX&lDbt#M5iv;3%rY1@<-ri>j=Aif&&oe4P&j46n;t9_eX?{eGl*xTo8 zm6DySvwqCfc;l>_J+589;1NES6vwYSnm^0$%^^5m|2-#SlAua(IkwJ{+qjX{n~^{( z2Y0PJH9uCkBl^|1?iS7Vm<`X-DQ^58b1jw-$I;|xZERMgw7DHDIkT~6R8{M>bE)>u z?&?0aES|c$W2g43Y(^Qx%CS0e0WNxrkUACbIpLMkg1qlBVCt05i=XPPO|$%=4D6?& zVh~6IH;G#jJj|Q=xfwkq*ktmiUj?R9 zxawJuC7tc%sRLD7*c=urm z(#m!TCIPjSzC~(<>N9&feg@vV5)m9eG?Ds39zi-WXnWi>XI$*Vj^#Ak^_ig&WIE)l zDXB-?VgBs0FO!T*0(G-sC|PHT28ud8FEmS>TQYY6+6FV0tvczrh&mzS?}toNN2Dxx73DL|&bq~LKu`bW5&L#kSaJASO+Qm!U?!s$L4C9k zgHKded4`H0SmBMgyvb>cUoR}5J@(CFwFVs6#v>8X{jp1j=#^^-mX zkQ~bv6?De6*>~P{Yf0+qmnvtU7reJoSZ?_MGmY_XWnNp~`KOV=r-W0#ns}si%9>OTY=zsy2o~_4@87dMx=f zw$Lybdy|VTw`s>8bL^OoL44m@mm=O)=d|wuVH{>YpIl>!VjF%qz-_nKTbMnooyPDW zs<;r>+CZ4Kdz59I{V?0oHHgJi$**gERopQ2b&$4m0RLEIEWVa*7Uq%Bj`3T5VUx;g zheLgZ&?R@RFc#@ zLefsY>eZSM)DLLYt(g|y;opJ-3m$NQPhw`mo^LZiYr{jVL~ZgrVpsW)=jF?3>Mpp) zrEQ!;GZ0eVA42jx4s+3e{*=f665*^Vp^r437p{E^UBj|>72R7*_I!8tUypZQ#MdnL zeCm6Cu-{aB5@!!A^uL~))?4B})y(|(ePT%VwGWA3Saa;kdp}{%dsXjF^^WC^2=_}B z5-5U4YImpWQw_dbuduC2)^J1hPAJ5&Ow(meDY$8F?Z~sIU?92Ci^k^tzRlkIeeWG? 
z0jDpvzzBoi91t9i#|k_Zu$IXfJTdT8PW&xG)Esk0V~*WN^xgst?Kt6Y0jLuP(~^JN zX5aj}_pbBUOFwhrJB<-6RY^y4%NDVgtidG>lz@~k4QgB85x$!$@Ge(=EZMpsbyHol z*JV{W9ZTvIzXKS~e=#CxF^W216NJK0?U$ z83I!cjuWC8Rhol@rayPlWHKKK&KWWeY`G_Y*(}SUaU2TP8?K^G&CT*@35!Z`eNa#s z=%XUcSx6;ZH}6topIK0~snNrE)GiJ4DXP%@ktAYW*c30~Zk`IgS*jfzmYt(tWNsup z@*`%lmLh}p|7-5NgWAfrbg%Aq#Nal`m}r}5a+5Rewh;tl;3b zr+gXIU4yJf4qL*~J5aS2=!|qYUaR{}mG74mo6lm;iWKgxcw2?1i{Qr9lU0#>Z514&WZKe8`g&N^%j=jbr7F7XX$PBS{eiBbDiIh1M5* z?3YSg!{27@$;{H-G|Z0N=ZZdjx@_(9=T15RUs!K41xb;K3RZ?NV=<{M=YSRSfu}^3zL2D&@Po^FZ&3SG zeEO=HhUs`L`Ds3OX1vfLHH|0jBnGR@ zAW(tjQ`hh9J%(wI2Z9U zP5DV0$C|y^H?cvIF!x=k>&T!<-b%Dk5GHh^YwPjPDmJ3(M>RQb2DX4_7i7QW9+gVp z2;$b;&kgnV;*@)A8=%m4hRH-h`j>yVOxu~3)HBHJHf=qP4bhM??%RSSe`8gEr?G{z z&E1ZSe$FUt;!w7(9pPsqR)V#6i_AJulm1M910B^y``9x8ZLh-mOS7q6;{%e(sy08X zk6PD9DQtwy@+C!-an>3eEdegdX>HNm`)Mx1xfv$98SUQ0WkRW;ljuo}#S+dbzsTcV znTqA!0^M*Y)$3;KQNR~vrBDGM!i$>moNjx6O|{@3os&P;^wV8SLT>g_0=%@p#kYDx z<`<5U;f&G!03YB7gJ1lGCQF?PN#}s&DH24FKC2RZaf^5KP*9!o!%+(m9!e%pKdBO;+ z8lq^Y%lrM?MKK59I{&itydH*ud(3Py&P$|Wzr7E$K51J{xwY|YaA387X}`h&lqK#-2i z;;c0zzJoH{Ax}Q!Vj6%Y~Elv@ma1-d?)hj-OOLqBJwRGVJ(BAQ-hF#lzSkUb^OM zA`9+lH`s&c(X+Sf_*i3X76_;)}$iTSWlDN5Eo@(#E2wkzc%opr4Y&3d=k6RG~bMPQVsaCIkNV6t6X^! 
zKjE!%BDI@9^r$x=?6BA=X35s>ZY3@CALB+3#l$+= z@-|`X!`SJ5Gsh=xr}xTR*^&u`DPMk^FXL}S=#HSc^G8aeQSXHZa=8>#^gKYT)KJS# z7z>^e#Xhp9=y08eEsK349t-4lhz`(*G2+iJO22OUBpcM6IHGvvg8|*gA&KW$Akq6Y zE8n3?bX6+8(`b_i%y1Sf)*pkv(ldrYSa88a^z!HQ46lM#3`W!n&H-N5t1fwky{ho2 z-yJf)!V~Mwqe&t!1CeZ{lG4@ZfPt8LT+N}6_ZGqCLFt5e{8ipB_iT1m56dZVeX)QQ ztymfTKv%OyC(A~sseous+6&{XCQVi3bEW~bx?ssZm=Wn9_z3{$xOeL@TC&g7;#&zF zQk5?#1O~}?Pj}M&8x@N0lub(|o&)Y1wIj^Vc)lexL-CQBL$RnNqmQ*O;kTZNj0DUY zkgM9CK2h*9^B&fU>BZ5{xS-6l@V2vg<9f9*VmP~0=sRJ{I@Oc?cm$38XDx%>9sw=q zkgH|o>Rs5gREg3y6} zTWrpwuLSt-Kp@mQ^|wyyaJDS-Gu*Q9F?RIZj*8rAtbse{LuRw|^{mQud{%K!L^hm_ zb`FS;X43I;nMsdrXuiho_vx^uuA>ID;$`M&c%W9)gQ7&&F_0}Ymk0sCLU(5MkCnAv zUSFpxoAVtqu1`B*PQ&u&0lxDBpZ}SHVp5JNh__Vwk|_9w{9Mb>z>jquJteLmOuW1d4 zxxg*xHuY(;A>pI_gFc;D>DG)d-{}0AfOTwy>x%OWh)}dng*1ETTjRTU#T?VT=m5~B znOf1JCH$k9RWsYW@Vt4GbvQab4(x(Wmk!jEfyhIp)YuJIEBYx?L|+LV=}>Imrsd5_ z!DA|RQ%|3U{Wj=~dV}-X^g2QF1Ei9EYs!3n<)&=2SZnC)iwx>CtYr##4)DVc?RESX zNMa@@6}r@**a$Mt+(%NdQncp@r%i)>xacZ*o;I4`TNvLt#UD+r^0Kju3Y%^CiPN`; z67+q38wY`(E|{bpG7b*)@M>K*)n`rY4tkoG>oMxdJVjW;d4N&1rOjcY`@{ zqk3yqwRlc}@ZEs7zVl8M=}*0+|5i`kSReD_ zk4lR7ybGZp`2Dl^7uTxyWh$nmV4P@-DKYrgVbqF>?(gs}cXZ3L4X`CmU;T!#kKX7| z6ZFC8X9!S}GdG1pV9xtKko<|H(Sdk?Bl&paQ>$tyql8#hGV!Q9cm(C^%x;1gb$0(q zEboGgxQZ?mupf;eg(6%lgkV6)^3lp23HZrdG^$Q4iqi?@-xF$3`PJUY-=sxwsYk)j z;o;TQFYQZ^B(Qu}X1U7h7ZtN@O@J`LO5v%*Uk?ZiDRW;jiY_6z#hOltqHbF${V4V{ zU($BN$mxyJwK0blrEz_A;#IxQ2!C&S`us4ST5P!9LECU9TS^?9@?J2Va1&)xx4x22 z?X{Jg+8}SNWx73HS`5qqhV&Si3Lq^61`(eJl?$L@)f0AitPYU?r~o(GqUgvGYNk- z3xDwMOow9ism(9%j_gx43gPwpHA-FR;PlSdrv+Z|vZHw#7?vr4na=WX>$rep89}md z4htnnX6A*5n;;gouHu8SZXh$fBUZ5ndEmQ4@I2Q~QAKL37#GeJ zcw3w_MGrVuC9?z|gD0GpbR-eGYlH7uhwti92b8@s%670!c_z>tI}Tc4FNPtqx>2T*OZ-*3nTh3kaUV>@Br~8jL-Y9^@r3w`yG0{E5WHu0@+9L$XmQd ze`+j|QC)5r!@C1?PDe`h1LoqAJIsHlDW%_n$>|tS1LVxWK|*b?qwm)6tQ`k`sYE_3 zeCZqW>r$nJC2*-y%kN~zl6c(-w=MGb!E#$H&f~0=2ll-;f7fEfJgD%R)GSIfWwyV)F(E=G7 zw<4QVlNe~6L{zCjG~UeM5)Sn8vZz7T@~zA;*?^oMoz70k6p>?T!jD;FCPKeD1?A 
zp=khQO7Gc>WdUww)CE)y@%{tIZ?%6w**W-d9Q)K`yNgD`9+$I2q0j8|^4#{g1ud2e z5rm~kKSRTkIPY;f@Q8lrUXcSd2n~B?O}NgpP=;F+Q@}RStrOl+?OmrcT={j8wPDB8 z0c!Dy3m!W6gu|pRrErWi$M+ZhdSQ?}c0m@} z$F43~AkpXMRV{BYxvx!>v%6|ge|TkAcEu5lH#8>+9iA$Th zH(I@#s%$&}RuJZ{j%c+lgAJn0e)iPk-L1d3H|~r98M3C-wm&Ylti_mQ`Z=Z07D#|h zK$9C^hM#X$=ZV$3Ysr;K<<7@31*uuBig`(eVx8vj8Jl}J0k^VJ_fjpNa8^jnseMdi zletB5l9~#kTs4c_MJ)Lyv}cpMz-fCBw!%RTZwH3|*f5al|Q$=s)aHxiqyW7Z{ z|FbyX=N-)q-68fEkC zG80j~-Kbh^?!r7End&Fmqvjrk+druMncXQRGsj2vQ5^h(T@;%OAlX{Ov@=pv3hL)4 z;hO;I;~8x0uFM=(;Ujni5$CPW0d2KPU!_V1V-Ax)$U^YSHo)}_8Cb3%+7Ny)R?=D; zsc2R)wMHCHuA<6NpVla9blr@xt{Gi)T-(uM|MfDNl1!shi%#{DMGM~-XMgaH_k}0P zc>A#PP}ju}51&7i<+gIeyZcoo5o-nuZ_$l3iZ*wGI#SwDwbhrbP-aRH^m5KQz;$K# zluNLZaQRv5CMW@}BSGiwK{H36jMjbCL(`P0^D~NX+4su=Pf$8FUU>2+*Ev<=nMVU( zIk$fWz%$y~-P~|%>~J$FM6NJ#r&LG_;$U0ut|^$kKVOXho}I^RwN$67FqLPYe;B)t zrWd)gmLcfSMW}t)b&;-5k7@<&R=MBd<_c5iu@-FHmh%hC0=_hSTLN`ZCV6Y{wWT3g zGPF;o3_WrjA=T-*6!6mz;HW%*aB-A*UAYcHgMHZ9b!8bhq#9@?;?C@cQF~_ST)>cg zVjSY1w~`dhDbTFciD27j?Yp*MVLmK}7@$OwYBhu&=$}3OZtH;er}`$%-uLO~+TZ&O z!3gG6!Hrx?%`R)_PcCG5*5~~ewYgVKFATW>y7qoZM4H-p3el8g)uITEv?o`{+dFIU0@A&f%X!rF-gkTPyH%SH*BF# zBq-k8b;obHuR^)eZ$BH+tRdPSViy~e3;5MvNB+95dl!e%lLm@0MGHAl{hMVhxm-yx zuSEaTrgFlBXG#~I*<}%t)5Tg{E~3U^QEJ4Y?SoQ~$6T77-Pf?HPQ$##UupAD9}}dc z5K99SFLS=@d36N}1OjJlS>n@}D|Cmq1SX?;(o?eUwG6MRc%;Cwqn&SwRz}wY>-(UT zqLyiw>Il7?6|5R#RnZze=YR}hqV0*&^Vou1vGM{#h7FaBP`!gPGi{MulnhE%(xG(% zS>kD#BWgW1s%cS5_wmZMki10|Dn_ohV5;I!lsh{wD0P{lyUaV`y_hQN&8wZI&Ulkl z*XQ5jSrd;p4qnr-g4j8fWTT}E#m!?45}EnqO+pKGoURNTuzEw+ZgPB$l9N-fWie6B zxZEy>6vAh_A{!{sD2=f@t$X@Un>paxg&s*MK>KH4kBm@vsiBwVP8W*H;aYm%?YKO> z1~HGgq73X|4t^rILuw`x$x{#n!9>x@hV9+($Y)k$nt3!lu}qEI)}i*Xp71h%-vb)? 
z(G=8tU%SCKNO+j3c+hGj5gi{xzUtw>EwrF?qhr)f3B>zp97GMTniEQ67}MV6tzdu- zEjt-|K?@>Ct5Db=YO*I*1MTf?{5oUBpdZ5_+9pmw+fK9^IwV{b>UZ;RXD)sw)*myb zy?A1x0e))BWam}+(IeLVC~Qm%i_9&IDmA+Hn|wVQafLJ(I^`Uvv3sYw^V=l@d=+BF z3A4%)Ts~+*7%Ro5sa!X!X50$yGbP59Vq& zXouGYk|qSoqvLSJcsj4g7zPRvB$;H9wXA=@0>%^rv&)EQWU7e(5O6T-l>EFP{p6pB|HGZtRYGmt+2QAd&-`tG9)fpVr?Pi2#aY{g~pH6??qU6||V0BMzUcZJ#rIr(j4 zqW%G@Q(1HYomwI_-Tysvx}{7+NVeV1EJ*uvJoEl`t_zn)l~ihuMU}kY(-D(q3&V9~ z`1cH|Ry9(X6ebe*Xw524ba}>uv$iwQ1$V})HX=Mv@A=&)HM+)5Y3b&MlcgWqY<~Tj zt{+w}bJC8qsdHyejy165K%YTI3g#Z?%FfNM7BEP%CJ7r?hjz93@9m9SPNAE?wL$@t zPMucH>9q1?w`%^CmzR6zH#^ta4(z2~*(mB0XdioLi%3;Dh(ga`guQF9hu151aY)rc zV#SNtRlD+x6XsujP%r*Lrdf@LRtBv2qNi7MC&DpAmt47rvPkimB0?mcpBzbtp96}F z&jIwWg+OgIsHiF}+B{muLpB`@cY>H}2@0%1I8Y%=TGv&61 zy4i*m7;j|4cb;+`^(H^#w!Dwlya!-{JR7CO29Ya|l7dH)%0@FGqDI}IZV>SySkgH$7PDvQ5`H07*Xw zY&##)Ri^aM`h?B_NmHu{#ZDtkX7ZsIegVS}i9Ij`@cL->p=cu9-@EQtAMV;`+DySl7ta=xK!{*fU=2%juHM(kW7deaLp3>O z!H*HlH}Iz^!jAegQ?c^;SyMn z**fH9#4So;@v5P<k92W94T88?J>|)GkH$xG-qp*wMRw!}c^2H#hUs6s@KY zBvkQ8O>}voxF|X)4R^d4Y#)W~Tr7zRh5MzHw0!(+r}vM-FMP&28Scg2URkXnC#N^J z1vG|UWhR?7zKA0N4X=CR?Wej-dpzO>T+zfTk@vV$Z%L6c8zB?M<#^jI1$wHro=dCChsX>MlfFwd4(H@jvxeFjeXt z6WIjb?gZte(^#J%pBEnpH1$>YgCfN((8jhDCvofa3B#D|)US((ZLY!YdtY)>ID(x@ zX%tW!6oPds=c@nuSg+c-q0lm{Or%y)NQ{<#lID8SlD)QXN7dbq*x#Bxi*^JUNMx`6 zZFV(s;?eD2MxhvC;7-;T7M<9gs(`+`wU;ihz`D(yw2~)CZ8>S6Hy=Wad(PE zY9Bd)@6E%@)@?5$kU|elJxxc(Hui@}%C5p8-|0lL9^F()mr|b-D3P1Sp2nMBosz|n zXrV>`07dEhnzzsRZiGz4%xYB#rG9eA)Q9mbC)WpduadRaehZj1e`Dns*D3x^FV+xT z#WOWspYb@D?Za*lH~=0tt0=}PuJ23gn)>g1U%xmgHcz=N{ZG9wz2s2qXZ%9pHjwcr z*R`Nzh`cQu#L|oK;>d>?){lmX=KD`;Zvdl#FfAkD^?N<3cWdu{x&7`SR@D^K+B9c_oPh=_I-i;)9FOcGV_^60++=v1>DX*{qXgJQp zs{e!ER@$n+LaYBDgIwJCJyBSs15(tolp1W?J8==f%n11F_}9-H+V2;JUtgQJ^y~ld zKBgZAQZ8FTu>@-BS`=Nr10FBRCmwJ}twduM2|dA0cG%EWx;J1)nM0qS!L#TB^l@+EPP? 
zJ{`TByWeR7UvCiUPJCx;UVz7%j~}XVMK4N$J&3UNySP-nYO~2zL?($~u+w#*u`<8U zEgB=rm8&Exx7%qg@B&w~r zW-PR?`GG!eIbqWrmjx_ned08cnOR8jjwLoJdQ3+9ookkvaD#j9>QvfI>DIQ+yV&I2nv^`Q6e*(@>!`Xl zZF;o2dO09=LJWwl)UNY`z_!%`tQP*Gu3cxV>1X{*;+S#Pb8{E)B; z4>sz4y@t0U{o)RFA*q(=Vu#XthXOvdbDdaoE1J@cT&orQ>UW?TYTa6~SxRij=;#2f zJDER)K`}4KwR-Q8)io23GmvXOv_}vZ15&?9;@fm86iiz)1J#se2~g$St?GfpWr1b7bORrn|M~QFtiA~vXp7%`_ek{OqP5zcaW$yn5UN|=gh$2bfVE0 zJ!TS>1RHES2N0u|MkvGSqr`7q!8vK9=O`SpL3;kTW!#GEZ46idZ3{KLxaj#q4!Wh- z-=M_#C0O;55kq31&iqqRm;vI<{D|*P9^$ zQKS{nokEmmUuwj3V7#w#I7l9W@D23IkGcQN;>8f6MEW?f5)V8FFpk{PKe^Q(SptRg z<1|SX>u*woMwtyp!-hwTECdKQUf>zNcOrk@Pjl>RUxVbjZmg+A9D^6IAd9j zzBdz<(A3t>;}Yw@m8L)d>qbU(gu+#nT(vV{?}w&_NJ`AAL$1`A=oPR9;D_W-AsubH z?K%R+-9h5kBf>64H7IrlCEhi6*pn2if@l$_gh73 zu_}UvlmNxGC(XUZf^>oZ(X4;5s+YeRIuNA*uVE5ap@+YBSB z*drYM{Yj?N5STz9x3LiqVp+#nELiyUveVc-a)81-6l0}OdiC>R>qN`ei_YMs*>dqj z4+WUp6LDAUY|x1bRA)e4C{%Ci&_OUiuViz>&{pSp`BT0&B8RAb?d+8lZXeifCV>It z-5sLs)Xj(MpxLy{%V#nZbCY89nkPF5KP`~lIUq`5XgTnHvZRf6j~H~QZjoa$U4GT9 zcqmrP$817`Bm61CvPGN7%oUZy57*L~f0)2D`}@B;$u5xYrB2beDQ~8?qYx~Tq*LuL zy43L?uDt^)+-2$DogZqMY$Lu&ac-_7zF(tdx0H0=V(G4u+t>_?RodWmdqSJ~%H=uf z;%!v@a}>LZ-zauV?kA^}p6b=7!NVC)#D1Bg%8}t)pN8G)jYxlj;?R=odTjp?d2DIf zt6cHIc(aaJO6A5$Ru7LGg?`-)?RcUu`dMeK)n&4}6H)2jsrK5EMOt{``r!!oAGU%5 zj+-$tj)g}p#H%-#Jr*tH?Rzlq*Cnc`+Dk58eSWhA;KD&#fV;DV#3Z~BnS${}(PG0c zR7<`)t(``LPvc}q`)cb?aS={n?MYK8VVHV{ytYs^W_cC7*kpk@tO`%c)_v-4kj+ta0PKz z$Fy!SWlA{ljJRS*(-sA>nNL!oc_Xe)6i1JLsQ@Ofy&3rk_g|O9yCU8C=UkRbQsP2W zv>W){oRS<*|5SJ*#+m8YYI$n&h9U1|j-uhZuc^K8Rc9;C!+=KZj6=r1CqaQEGV!)0 zcFM+IEQFDG@XvZdx2k>m!kKyD5i|VeD?=Lsd>~3H2vJZ#T?504p&n1D9Dxw*7LHN`lNeFU}lG-p}d!CRs}V%4$LsGYNpav$Jf#XB-7l-zT9| zdNsfz;l~PfEQsXb+nQz}oW}kUb?J{ji>uRA-lq=A1cP7cFB5BSL*IUf4{n(_!qH@` z1T!awR9HWjUUD!z;q{|LMx_@I;J_57J_jLRRd(47`h%Xx7a#qi7 zjBLHJJhTli?U@MQ;%2gDlq1$Afj==D02cU-W z_ZynS^nlA8O)}c4Dz;C@8>2Ysb{XOi3f9)Uou;1un8 zmo*GAei?#QZn##R1JcH)tB%se3sy8i!s)?jD@<4*!DFSZFmEBU{)4{kXjkH4U7e-p zFoH%7EoBL5Id`x`MnDQ%&&&4I$NZH2Wx%(1v1I 
zP#lT_5FI{S)?L&TM*hW3Z5e}W+u8K3+LC3vD&eUF#fveKG~QD1xFr{-*E_zy?>{b> zYqbfuQ*5(D7o%MXyC-zDR)_$s)arWp*b=OkHAsR$f6-x(4$~2D+)u3gdl5+V#6Xw| zc-v=JsCfSckJ!mX^ltx@i@P2+x9yAO00y4uVeCJ-(Wjg~Rz$uBwj;FWn*;7Bk$*2b za6?axtqv&U_575Y#VrsdCE3JU?)mAO1LmlSC~8z=MU-Tbahj07{cQ#9EALzR4o3Zs zZYkAwqpr%sF`!yMp#TTF-z5H?+AseMXZ&B`grwR;=lmoys#-m>264f`$ONndUjt)~ z;3niVDne0d0zGaQJmEV*oF8}F+XeGf)A}`byyw@`6?=jgOzY!$DpjnGPX^&9+$X@D|Jfj1wi-zJ(;RG)j>Mkd_`wZu?>`!ZKUK!Q ztNi(nQFFk5WkUe`|F<^eNbGML0ucL;Dl>pTb!Pti(fp}%=l@zq;x8TM?>hg*XyhmV a7h@**->Ilf{x6M1^1G7e^BezJ<^KSnqz2Xi literal 0 Hc-jL100001 diff --git a/tests/mqtt-pub-rules/suricata.yaml b/tests/mqtt-pub-rules/suricata.yaml new file mode 100644 index 000000000..6fb68aab1 --- /dev/null +++ b/tests/mqtt-pub-rules/suricata.yaml @@ -0,0 +1,16 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + - alert + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt-pub-rules/test.rules b/tests/mqtt-pub-rules/test.rules new file mode 100644 index 000000000..4ae61c6b2 --- /dev/null +++ b/tests/mqtt-pub-rules/test.rules 
@@ -0,0 +1,10 @@
+alert mqtt any any -> any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT QOS 0 (val0)"; mqtt.qos:0; sid:6;)
+alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
+alert mqtt any any -> any any (msg:"MQTT PUBLISH topicX"; mqtt.type:PUBLISH; mqtt.publish.topic; content:"topicX"; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT PUBLISH JPEG message"; mqtt.type:PUBLISH; mqtt.publish.message; content:"|FF D8 FF E0|"; startswith; fast_pattern; sid:18;)
diff --git a/tests/mqtt-pub-rules/test.yaml b/tests/mqtt-pub-rules/test.yaml
new file mode 100644
index 000000000..ec7a923f3
--- /dev/null
+++ b/tests/mqtt-pub-rules/test.yaml
@@ -0,0 +1,107 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH JPEG message
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: MQTT Test flags
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: "MQTT QOS 0 (val0)"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT PUBLISH topicX
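Review bot: The first filter asserts `mqtt.connect.password: pass`, so this test pins the EVE `mqtt` logger writing the CONNECT password verbatim into eve.json; tests/mqtt-sub-rules/test.yaml carries the same assertion. On a production sensor that output means every unencrypted MQTT login the sensor sees leaves its credentials in the log pipeline and whatever store sits behind it. If logging the password is intended, say so next to the check with `# password is logged in clear text by the mqtt EVE logger`. Whether the logger should redact the field or make it opt-in is a question for the logger change this test accompanies, which is outside this hunk.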
diff --git a/tests/mqtt-sub-rules/mqtt5_sub_userpass.pcap b/tests/mqtt-sub-rules/mqtt5_sub_userpass.pcap new file mode 100644 index 0000000000000000000000000000000000000000..52ed40e9cfe8948cd96948be8d68a4b2b968eeec GIT binary patch literal 1558 zc-p&ic+)~A1{MYcU}0bclCj2Bahor&GsFSeaSW)S?QQ}~S}TJFn**8zBRYQy6MMAK z`{^e@oCQq(k1!Z8Ffg(FKf=Pq!Bu?c$S$xVW@dJfZKrVC#>UA^jBV`EQ<(m1U*`bY zcyfWz{~hSIfiTRr2SD4xfSSUv`%Qspznuiy$k`yk#K52d6l6r$1hU2GB0EDnP;onU zTLMY6MFMC`B&sa}`V1_-fgvHRhZt;_6&XYrgmWv)@-vfDGmCR83lfWq3-XIf7+6Y+ zQ;Qf_Kzxw194_MYJSeCYhz@E_pwoWg@_h6qDn%&77Lex+P;F6QV_;xbV&DSVmU)Rv z5&8>gqaZFnF<)k9$OS6S#cqo^iMD|JWRGe~lPE|JTS*Y9O`%0E=T3Gynhq literal 0 Hc-jL100001 diff --git a/tests/mqtt-sub-rules/suricata.yaml b/tests/mqtt-sub-rules/suricata.yaml new file mode 100644 index 000000000..6fb68aab1 --- /dev/null +++ b/tests/mqtt-sub-rules/suricata.yaml @@ -0,0 +1,16 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + - alert + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt-sub-rules/test.rules b/tests/mqtt-sub-rules/test.rules new file mode 100644 index 000000000..7639ec7ab --- /dev/null +++ b/tests/mqtt-sub-rules/test.rules 
@@ -0,0 +1,10 @@
+alert mqtt any any -> any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT QOS 1 (val0)"; mqtt.qos:0; sid:6;)
+alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
+alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
+alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
diff --git a/tests/mqtt-sub-rules/test.yaml b/tests/mqtt-sub-rules/test.yaml
new file mode 100644
index 000000000..117752bd4
--- /dev/null
+++ b/tests/mqtt-sub-rules/test.yaml
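Review bot: The last rule in tests/mqtt-sub-rules/test.rules reuses the message of the one before it: sid:16 matches `mqtt.type:SUBACK; mqtt.reason_code:0` but is labelled `msg:"MQTT SUBSCRIBE topicY"`, the same text as sid:15. The final filter of tests/mqtt-sub-rules/test.yaml matches on `alert.signature: MQTT SUBSCRIBE topicY` with `count: 1`, so it cannot tell which of the two rules fired, and a SUBACK rule that never matches would go unnoticed. Give sid:16 its own message, `msg:"MQTT SUBACK reason code 0"`, and match the checks on `alert.signature_id` instead of the message text. The fourth rule looks like the same kind of copy-paste slip: it is labelled `MQTT QOS 1 (val0)` while its keyword is `mqtt.qos:0`.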
@@ -0,0 +1,109 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "myvoiceismypassport"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: MQTT Test flags
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature: "MQTT QOS 1 (val0)"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT SUBSCRIBE topicY
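Review bot: The CONNECT check pins `mqtt.connect.password: pass`, which means the EVE `mqtt` record is expected to carry the client password in clear text; the same assertion appears in the other test.yaml files of this patch (mqtt-unsub-rules, mqtt31-*, mqtt311-*). Nothing in the accompanying suricata.yaml shows a way to keep the password out of eve.json, so these tests lock that behaviour in as the only one. If the logger has or gains a setting to omit it, a test with that setting off belongs next to this one. Until then a comment above the check would help, e.g. `# password is a synthetic capture value; note that EVE logs it in clear text`.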
diff --git a/tests/mqtt-unsub-rules/mqtt5_unsub_userpass.pcap b/tests/mqtt-unsub-rules/mqtt5_unsub_userpass.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3c4d235f7f8b9a2989b027debfba8ea702797259 GIT binary patch literal 1994 zc-pPhze@sP7zgmjyEnCL=!Zk26@^(?5Hv&w(HJxY5k)G69pn%mT?I8oLoE#vWwce) z8WB;}B4nE`g5aXjAJ7_2Vb61-b@mD;yay-uobSu${l4$LZ#H>%ApwKmi-8S)mxi}P z9}i9l;d2Pg*Ir@KesBg}`*_tKw(9zLz_D<2J(i;4Tq?f85P-yruS{|_>G|x5(MXmZ zq`4n!YRr+dqB$0h2UhOgFDRzZ+lujOjqbAMM{O26&GNH(EN4rjnA~ZR0KE9p_A8Nc zipoAV-sdaRbt)aG%$t>#L10tUGcye@FeZ0`8`@X5HlvZS8qrs`v?X2FqHF8GHgt6j z7}YeatJ>jdsy&vcI*CL3t`+_>E@(kZ3WXmsD;_(5+yzaf$xnh7^c%%gtxR{QEMwzk zzT&S_p-dxYWw)97*w>?4Bs^zq!^vkS1h8v>KaahZ=P`A3t+))+Uom539vXX|EEO#c zyJ-A;qgL}NF7z^nHDR)1moAVh`LK}7#XR{JqOxXi3_YBzv0FwySzm!hAzzHrgI=!c zi%F10iZ9qGCQ*))h?E2-lA)EXk)Xgt1x}(w7!@7&HJ(Do%~87RR47q@S;?!UyxSN- rH*qmrTJaiC>)$vfh!o$Gpu@0$Qr~|iuaYt@=y+24P any any (msg:"MQTT Test CONNACK"; mqtt.type:CONNACK; sid:1;) +#1 +alert mqtt any any -> any any (msg:"MQTT Test DISCONNECT"; mqtt.type:DISCONNECT; sid:3;) +#4 +alert mqtt any any -> any any (msg:"MQTT Test flags"; mqtt.flags: !retain,!dup; sid:4;) +#4 +alert mqtt any any -> any any (msg:"MQTT QOS 1 (val0)"; mqtt.qos:0; sid:6;) +#1 +alert mqtt any any -> any any (msg:"MQTT proto version 5 CONNECT"; mqtt.protocol_version:5; mqtt.type:CONNECT; sid:12;) +#1 +alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:username,password,clean_session; sid:13;) +#1 +alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;) +#1 +alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;) +#1 +alert mqtt any any -> any any (msg:"MQTT UNSUBSCRIBE topicX"; mqtt.type:UNSUBSCRIBE; mqtt.unsubscribe.topic; content:"topicX"; sid:16;) +#1 +alert mqtt any any -> any any (msg:"MQTT UNSUBSCRIBE topicY"; mqtt.type:UNSUBSCRIBE; mqtt.unsubscribe.topic; content:"topicY"; sid:17;) +#1 +alert mqtt 
any any -> any any (msg:"MQTT UNSUBACK reason 17"; mqtt.type:UNSUBACK; mqtt.reason_code:17; sid:18;)
+#1
+alert mqtt any any -> any any (msg:"MQTT UNSUBACK reason 0"; mqtt.type:UNSUBACK; mqtt.reason_code:0; sid:21;)
\ No newline at end of file
diff --git a/tests/mqtt-unsub-rules/test.yaml b/tests/mqtt-unsub-rules/test.yaml
new file mode 100644
index 000000000..573f0f85a
--- /dev/null
+++ b/tests/mqtt-unsub-rules/test.yaml
@@ -0,0 +1,115 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: "myvoiceismypassport"
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test CONNACK
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT Test DISCONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT proto version 5 CONNECT
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT flags
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT username
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT password
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBSCRIBE topicX
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT UNSUBSCRIBE topicY
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT
UNSUBACK reason 17 + mqtt.unsuback.message_id: 3 + mqtt.unsuback.reason_codes: [ 17 ] + + - filter: + count: 1 + match: + event_type: alert + alert.signature: MQTT UNSUBACK reason 0 + mqtt.unsuback.message_id: 2 + mqtt.unsuback.reason_codes: [ 0 ] diff --git a/tests/mqtt31-pub-qos1/input.pcap b/tests/mqtt31-pub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c35e969621b22985587a5fab48f607193feafa57 GIT binary patch literal 1451 zc-p&ic+)~A1{MYcU}0bcl7+@qagi##3~@kq90Mw7yPLpmc$Gne%>hk<5uHDki#@tS zAxj*@S-|xF2!jCw0~5>tBP>iDT*Y@q%)yG7nb|?M72vjw%W4rZwy{S~<=T2mb0yG5 zi3LLccc9w_!Z6!ffwqMKHHBgKn*z~(lK|SdszHE>fk6W($cV5BWXlDhEv-Pst=Mhx zC(#xOpe^C3wg~7lu=xgh7N-<2A7Zd!5YDYE%g;;F`F8KQuSqp;heLZU4ouj`=NqQC@6rrc^&ib{8& zZR>FPrvhk85m0dvc3W&nv<2iJ7gSq}q!`#r@(VJPBN!Ny5)(lvCows@I3qQ+0OW$N zYE%l*bwF1nV+&CSCI&{3P4Viy3=u#L5!n5zM6_R%fwpY|+oXkR(*tnKwX0Jp=2F4- l2x5=9tLjur@0)-&rJ>nk0kh>5wfvF>v}rS1Dg@bL0RV}6;-dfn literal 0 Hc-jL100001 diff --git a/tests/mqtt31-pub-qos1/suricata.yaml b/tests/mqtt31-pub-qos1/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt31-pub-qos1/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt31-pub-qos1/test.yaml b/tests/mqtt31-pub-qos1/test.yaml new file mode 100644 index 000000000..1e12c5451 --- /dev/null +++ b/tests/mqtt31-pub-qos1/test.yaml 
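Review bot: The checks for tests/mqtt-unsub-rules never assert sid:4 (`MQTT Test flags`) or sid:6 (`MQTT QOS 1 (val0)`), although test.rules loads both and annotates them with `#4`; the sibling mqtt-sub-rules test does check both signatures. There is also no `event_type: mqtt` check for the unsubscribe and unsuback records, only for the alerts derived from them, so a logging regression in those two message types would pass here. I would add the two alert filters below; the count is taken from the `#4` annotations in test.rules and should be confirmed against an actual run.

```yaml
# … unchanged: checks up to "MQTT Test DISCONNECT" …
  - filter:
      count: 4   # from the "#4" annotation in test.rules; confirm
      match:
        event_type: alert
        alert.signature: MQTT Test flags

  - filter:
      count: 4   # from the "#4" annotation in test.rules; confirm
      match:
        event_type: alert
        alert.signature: "MQTT QOS 1 (val0)"
# … unchanged: remaining alert checks …
```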
@@ -0,0 +1,71 @@ +requires: + features: + - HAVE_LIBJANSSON + files: + - rust/src/mqtt/parser.rs + +args: + - -k none + +checks: + + - filter: + count: 3 + match: + dest_port: 1883 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connect.qos: 0 + mqtt.connect.retain: false + mqtt.connect.dup: false + mqtt.connect.protocol_string: MQIsdp + mqtt.connect.protocol_version: 3 + mqtt.connect.flags.username: true + mqtt.connect.flags.password: true + mqtt.connect.flags.will: false + mqtt.connect.flags.will_retain: false + mqtt.connect.flags.clean_session: true + mqtt.connect.client_id: myvoiceismypassport + mqtt.connect.username: user + mqtt.connect.password: pass + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connack.qos: 0 + mqtt.connack.retain: false + mqtt.connack.dup: false + mqtt.connack.session_present: false + mqtt.connack.return_code: 0 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.publish.qos: 1 + mqtt.publish.retain: false + mqtt.publish.dup: false + mqtt.publish.topic: topicX + mqtt.publish.message: baabaablacksheep + mqtt.publish.message_id: 1 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.puback.qos: 0 + mqtt.puback.retain: false + mqtt.puback.dup: false + mqtt.puback.message_id: 1 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false diff --git a/tests/mqtt31-pub-qos2/input.pcap b/tests/mqtt31-pub-qos2/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ba491cca27286fb8f26fd9a22f8d831e73a62a8c GIT binary patch literal 1663 zc-pPg!ArtW90%~<=FkWXtxH4)2@jGAX*+u8&?P7;ND~EVu0c}b*eozQL}34cbhTU8 z)F6pGOz~hymyQYLKVrYP6xrBd!XDe$+uq~zzHh&MwQG+wFfeTlP|K)&7)t^snVkkYyi;AsKd~6^YUOds19;CTtwr|HTZn6 zqPfx)w#^6MQ5;qmN3VK~oD;2tS^_5}jI;SHXB(o}y7kZi0enbJC8G3EDdXU>v9dp- zvW&{HR`GY^4glEkr;MJb6BlE#_VEN6EZ*t@NW-<6Xn1YTQ&EucjJ9lWKfw*z^zg TP-4xLH@mVB=|lHt5he5od}<2Z literal 0 Hc-jL100001 
diff --git a/tests/mqtt31-pub-qos2/suricata.yaml b/tests/mqtt31-pub-qos2/suricata.yaml
new file mode 100644
index 000000000..14f5a71ba
--- /dev/null
+++ b/tests/mqtt31-pub-qos2/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt31-pub-qos2/test.yaml b/tests/mqtt31-pub-qos2/test.yaml
new file mode 100644
index 000000000..70e7d0eb7
--- /dev/null
+++ b/tests/mqtt31-pub-qos2/test.yaml
@@ -0,0 +1,89 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 2
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrec.qos: 0
+ mqtt.pubrec.retain: false
+ mqtt.pubrec.dup: false
+ mqtt.pubrec.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubrel.qos: 1
+ mqtt.pubrel.retain: false
+ mqtt.pubrel.dup: false
+ mqtt.pubrel.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.pubcomp.qos: 0
+ mqtt.pubcomp.retain: false
+ mqtt.pubcomp.dup: false
+ mqtt.pubcomp.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
diff --git a/tests/mqtt31-pub-userpass-auto-clientid/input.pcap b/tests/mqtt31-pub-userpass-auto-clientid/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3cdc5b22ed91838b4e4756390f54622f679ce331 GIT binary patch literal 1347 zc-p&ic+)~A1{MYcU}0bclDWoJamFd!3~@kq90Mw7yPLqj*@HoY%>hk<5uHC}6MOU_ zwl`)V&H|?YM;Htk7?@c8A7NqQ;3~e$q5@XL%*+n5EfTkFjNO97*v1|`Ws{g*=UJeQ z<_m=W??AT=gkiRo0&NQeY6`>dHwB{oW)8IRT!R1;1A_)okP%@M$d*SyTRMS?JF(jm zOrk9kKwF|wZ4oeJVDk<1EKVt4KEzH z#Tluo1t9zP0_~3g8WVxtekG#qZvopc3AA4e)&2+I&=gOnQtG$_w5uI0G(q;Lf^6}k at}TMtZ3)M13j;?22`Qr;XwzkEegOakqS(d& literal 0 Hc-jL100001 diff --git a/tests/mqtt31-pub-userpass-auto-clientid/suricata.yaml b/tests/mqtt31-pub-userpass-auto-clientid/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt31-pub-userpass-auto-clientid/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt31-pub-userpass-auto-clientid/test.yaml b/tests/mqtt31-pub-userpass-auto-clientid/test.yaml new file mode 100644 index 000000000..462b0c351 --- /dev/null +++ b/tests/mqtt31-pub-userpass-auto-clientid/test.yaml 
@@ -0,0 +1,61 @@ +requires: + features: + - HAVE_LIBJANSSON + files: + - rust/src/mqtt/parser.rs + +args: + - -k none + +checks: + + - filter: + count: 3 + match: + dest_port: 1883 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connect.qos: 0 + mqtt.connect.retain: false + mqtt.connect.dup: false + mqtt.connect.protocol_string: MQIsdp + mqtt.connect.protocol_version: 3 + mqtt.connect.flags.username: true + mqtt.connect.flags.password: true + mqtt.connect.flags.will: false + mqtt.connect.flags.will_retain: false + mqtt.connect.flags.clean_session: true + mqtt.connect.client_id: "mosq-dRkAMvJQvimi16jz72" + mqtt.connect.username: user + mqtt.connect.password: pass + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connack.qos: 0 + mqtt.connack.retain: false + mqtt.connack.dup: false + mqtt.connack.session_present: false + mqtt.connack.return_code: 0 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.publish.qos: 0 + mqtt.publish.retain: false + mqtt.publish.dup: false + mqtt.publish.topic: topicX + mqtt.publish.message: baabaablacksheep + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false diff --git a/tests/mqtt31-pub-userpass/input.pcap b/tests/mqtt31-pub-userpass/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..146727d1437805e4bfed4ba51b6054fda58f4f9a GIT binary patch literal 1343 zc-p&ic+)~A1{MYcU}0bclKI9}alx)U3~@kq90Mw7yPLrM>o|i3n**8zBRYS|9rkFY z{2*=+X93gyBMb%%3`{KlkFYRta24O>(E}@DW@ZQ3mWA6kt_mY!Y-5j}a%YMCg9xCF zJPU;W??AT=gkiQd0Bs8cY6`>dHwB{o#sjo5vO$1}fk6W($cV5BWXoZoEv-Pst=Mhx zC(#xOpe^C3wg~7lu=xgh7N-<2A7Zd!5YDYE%g;X%=4jay literal 0 Hc-jL100001 diff --git a/tests/mqtt31-pub-userpass/suricata.yaml b/tests/mqtt31-pub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt31-pub-userpass/suricata.yaml 
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt31-pub-userpass/test.yaml b/tests/mqtt31-pub-userpass/test.yaml
new file mode 100644
index 000000000..63d601842
--- /dev/null
+++ b/tests/mqtt31-pub-userpass/test.yaml
@@ -0,0 +1,61 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
diff --git a/tests/mqtt31-sub-userpass/input.pcap b/tests/mqtt31-sub-userpass/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3f571701bddb7f84091d2ac00ce9b885d6b515ba GIT binary patch literal 1549 zc-p&ic+)~A1{MYcU}0bclBLE~aUm1<7~+8JI0jVEb~k~o`U!&un**8zBRYR-9DB6c zq1X@*X93gyBMb%%3`{KlkFYRta24NGF##)LW@ZQ3mWA6k4yGt#Y-5j}8kfbe&Occ9w_!Z6z!fVPDJHHBgKn*z~(3kBNvr$K;;fk6W($cV5BWXl<#Ev-Pst=Mhx zC(#xOpe^C3wg~7lu=xgh7N-<2A7Zd!5YDYE%g;o+IzF+>3sM`5=`g+yCGUe`gjMS%&DOrKArQdG8N zF)U@k<)8dXd<;22#W~n*F(c6ykbmq@ZD|q#>R~I%FUU-eV1P0r!9M%~v^xf9L=5(@ zR3kPlmofnDp9QvC57q7o;9Oq@v@3>?#M^G6fiCKu>}(7F(1^ zv<2iNEtoAjEFfDRFo5jYPpz~u2W*cZvTq>vfNY7LM4cS9lnrRpTufVZSU|QEPNI@u N<^pYEM~xYXEdc6I^q~L% literal 0 Hc-jL100001 diff --git a/tests/mqtt31-sub-userpass/suricata.yaml b/tests/mqtt31-sub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt31-sub-userpass/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt31-sub-userpass/test.yaml b/tests/mqtt31-sub-userpass/test.yaml new file mode 100644 index 000000000..c784b1211 --- /dev/null +++ b/tests/mqtt31-sub-userpass/test.yaml 
@@ -0,0 +1,71 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
diff --git a/tests/mqtt31-unsub-qos1/input.pcap b/tests/mqtt31-unsub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..926c7b2ce5903847389422a18ac04fc4463f076d GIT binary patch literal 1979 zc-pPhO-lk%6b9fkcLwbf{8-phqCg@ch#<&CksFbST9heBG8VZghsFXWA_806qJ8xX zqJ_4oMI|l@3?gb%RGW%+{Q^5@%xZLm8JGd(UOkuRzIV>d-R1EC0|EXn0XY2L9Lz)) zZ5%{#90m2Y^EA)<7r|p0t^0$kpYP?Zk?7}J2Tk@_r3eE6OsEtE*3u?FjlU~JJZ~j! zqq!zLXY^>+$X-4;;ygvMbKg-psn_UJ({@pt!9_FL+1$Fbb)tB-Wn%yy{E_>UNO?dd zi^W-OWzwM1h03g2v3bEVF%^*G5`O_ca4x6UlL>JlAup$;m@G@l)f5P8^1>k^JaM@2L~b+i`t6U zph9_u)XH`{uCb(&QbG)IM1CO|!Ics1Bka|Egy+Zx6w>=keh``CaY|IHlY2Lw@?16MA;s^)JUmJ7X67k3=JC6>P|4vF7Q*6?w$g1-p*(#xC0HQk1<1KI>q!}+cfG<1cc8qlJ};m5``&Z+oQR(=kl^={K)~1oG(4Yb<^41Wm5`C-N`ceNcI(Fa%8X{04>QW##uWKf+Aix1Eb_4ARHP*4d3)%i$xMpeV1#U+rI)xaW1G^b7N zmXA&c?J|APG2B?PT=ZC803R0n_)1HK3PtbGD=t=S)0@0Sw=#*^MY%k_4*?V`R``mi zLWT15{3r=cao`%;QYai$yo|^@BxPJF^N+CA^buYlo6<;+j!f)}AZXMRQVY0ZfuF9= zbh;FBml`#or%tPZmD1r@{2ot|?)_3Z+{>_u@Yw7@y}}V{+FwaDh8`j(hJ1pZELTbNA=s$Dx3Z z+NL8!dwbBHDfI(0kX65ZEYE6pDfEU@o(m!Gcy}j~{&f1UhX)6ua)|*z=#@)dw6t2~ zp?2pcO^dL0+E~NMH$Pe=y}R@4=JpGT@q^CFu~*}&YQIT)2U&`2G2hwZB<^i>2%wiv zhH4Tk&kW!LWGR%lO)AexnQ$u|2EwCbZ>;%(c8=HRT3lbt=Q7!xwYXk*Z&`)>@(T1- zE4vJx$2_T*M#Jd5&@tZ&y+;!pZxlV60Hz^Jp>#K?aP)q+5)-mbUnBy0mE)xCH_G#q zlni7k6r)Ln^9;L{?KXNQypk{EGLufQvm}s)EX5M`_+G+&V&@#vaFd@kdWNaLL@hy< zBHf7ZbaTWN9V+!mMVTtLLR8byvG#C0#d`ZdK)q6=8Q7j)VLkd?K(G|Q4yadb(n_9Q zFN=o2B}E=qOvA{Yl7DD6g7SI8R?yG0Uu6ft`h*zT^$Z jd0L-FI;`l)fc}3+ByIk$m}OQH$$+wKlJwR6W~6ctFA!%~ literal 0 Hc-jL100001 diff --git a/tests/mqtt31-unsub-userpass/suricata.yaml b/tests/mqtt31-unsub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt31-unsub-userpass/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file 
diff --git a/tests/mqtt31-unsub-userpass/test.yaml b/tests/mqtt31-unsub-userpass/test.yaml
new file mode 100644
index 000000000..14b6ed60d
--- /dev/null
+++ b/tests/mqtt31-unsub-userpass/test.yaml
@@ -0,0 +1,110 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQIsdp
+ mqtt.connect.protocol_version: 3
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+
mqtt.unsuback.dup: false + mqtt.unsuback.message_id: 3 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false diff --git a/tests/mqtt311-pub-qos1/input.pcap b/tests/mqtt311-pub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..26525a0b7ab05d672397a37eead68a958f023df2 GIT binary patch literal 1449 zc-p&ic+)~A1{MYcU}0bcl3m7Cabgdc8RCHKI0jVEb~k}*!Dt}}r) zzFQ#le+Rm4APlq37ie1;P*WIozbO#yw|77rXEg{gF)(NV1sM@Gfoxe1w51uSxEZ@G zz9iZr0kkC))fNG51{UAIkPwzb3^okHxs_%4naQb{#krLQiN(bQ`9&oRETzS%MGPz; zKFCSCaeEvT%nC#Y^Q<4|^rUfm{2?<#6i{&#c3V_Pv<2jG9aLKsm>`LC??dWDq@Fa; zwt2Yxqx^`Op$MqB2)ivdB-#S_7eCNO zj|D>icc9w_!Z6#^fwqMKHHBgKn*z~(^8nf?&>+CXz@PyXWJK5mvc(f~i zNwh@*XiF%nEdtsMEWUvuAuNX&Y#4-dE6egTlT$N`b1MrHi;D~Li%J++N{dsA7+64j zkdypzdmI$Z3PcC90MJ>bxIBImXiF4OaTIo2R7kW1~%*+n5&0sN3+gP;Ah_Q`5dK!<7Oxp~g zjiw8P{_jAy4TNE~g#m2~18NGx?l%RZ{bmZZab|-669a<=P>>N}6UdfFKwH{@ircZ< z5=f#g5XJGLS3<+U5#9+f9o||7>sGI2Sn;B-7mztC0oMd27Qsx-Rz*1VA zTExIokXT#{a@Hr@o(BcB0?|P|6X>)wT%M0w%ES-_R2+rf78Me00eM~r)fNRNNJ1@H zN~Oq51KKth%|HDx|14g{#83cKT!7scD-vx1`Ns*>76S173~@kq90Mw7yPLqh<2i!{n**8zBRYSY6?^oP zu=52V&H|?YM;Htk7?@c8A7NqQ;3~eG-40g7%*+n5%?OWemAS;&#vVP*s_eiQ6`+lU z3xxjfK(`HqVYXQTZ3_cx3d8O<1)}{{2((ePL4b*YK?5krh_DG{OE}P$W}xC`?6&xl zXp02UmQYk%1hg4gd;>#5SPn7RFbL;XmgQ$Ar)C!CRu&`{7Z>Cgl`ycB7N-_5uz>g= zCq?7&I53zMhz@2|ptI)T^7s{?Em1(lQP^!!A<-6)$93SgbbxG8V1gvlJJgEEc|hAV z(fk9lsRLw-x*IbCC>0lAx5bJ?TR{GCLbb&}f`P3hzaTR?A}KKugmMy-vx_rQQwu=$ z+XC&602&j4-F_va?cV{mUlM4)7OMRZz@ZuCMy1rD3AAfBuFx!?t}TMtZ7IiX3-2Ch O5>m!)piNrX`~m=KVD=mU literal 0 Hc-jL100001 diff --git a/tests/mqtt311-pub-userpass/suricata.yaml b/tests/mqtt311-pub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt311-pub-userpass/suricata.yaml 
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt311-pub-userpass/test.yaml b/tests/mqtt311-pub-userpass/test.yaml
new file mode 100644
index 000000000..23f5ff9b6
--- /dev/null
+++ b/tests/mqtt311-pub-userpass/test.yaml
@@ -0,0 +1,61 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
diff --git a/tests/mqtt311-sub-userpass/input.pcap b/tests/mqtt311-sub-userpass/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..80d370945b0e7de98c9303dd5f87dba75217b84e GIT binary patch literal 1547 zc-p&ic+)~A1{MYcU}0bcl6}TiaqKr)7~+8JI0jVEb~k~e+lfJg%>hk<5uHD64|}vx zR8laAvw-RU5e5SW1}2vOM_8CRxQg#K$Ac9yGqZziQ^#!^^CW9xY-5j}wnsD|E(2&| z$O57NJJ4+dVVG?uK-RAO@U~?g#c~LY!F~#V9)>xG9qjO*^&vgr5UKW8M`gM zB-$bYv?UbP76EMr7T>^-5SBv>HVneKm1X&v$*Gyexs?Tp#l;2rMI{U@rNya53@ji% z$VvIQJq`+H1)_sF6X>i)TpoA2#ljE;R2+rf78Me00eM^p)fNRNNFw#QMWu*r1lpF1 z%RhU8w&Va6=U}(Rj6_>N{;@-~rAY*+hpi;PATv3F0m_I3`%vaK3quUhh#2f)sYY~I z<^t`X4z^nl)$R%4JP)$VVG1jCLUTIMzGAe{><8NgwB;Ny4FWw0##n4oBGDF*kF;R6 zbnAm`dB6a&=N+{&`Ao1qg2=vs*aNb~?iQ7DR58$|S(vtT>w|0wpjJAc1+=LIHD(~T F003Z>{WSmp literal 0 Hc-jL100001 diff --git a/tests/mqtt311-sub-userpass/suricata.yaml b/tests/mqtt311-sub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt311-sub-userpass/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt311-sub-userpass/test.yaml b/tests/mqtt311-sub-userpass/test.yaml new file mode 100644 index 000000000..2aec4ac10 --- /dev/null +++ b/tests/mqtt311-sub-userpass/test.yaml 
@@ -0,0 +1,71 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
diff --git a/tests/mqtt311-unsub-qos1/input.pcap b/tests/mqtt311-unsub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2f5846703e0aae7fbd04123180fbcc26c9abc5f0 GIT binary patch literal 1977 zc-pPhKS%;m90%~gBSezCs zGj%FmsLbn?RwwY8S)Y$Tz!Y@EHrC_O$Z}MTZ6uadH4#syfUl{`N#Hc6Exp$cPRHyp zea!v1t=*cz_Z0|YaZs%E)TvPLVZGvD-%a|lZ_$n1Ma@|&&q_vt2o^`g%1E6G|KEhtpN9aU0r;#H%(taT0l&DXnR&m9uIGx*cx*T#Y zjq>WLlO|x*bU2oO#sSiYvljJ=3wKa7^opimF<>M~lQwI5rHI;?p;tU4k>W+gl00LA zJfwIqk4)0Em3iEPJf1^(RpJxo$6~)&>8?|uJVRCG?1hv!Am_=dC;38i+Wx2cc1X!) cEPDUBQMxoJuOyLjp0Oy)B}x@~ literal 0 Hc-jL100001 diff --git a/tests/mqtt311-unsub-qos1/suricata.yaml b/tests/mqtt311-unsub-qos1/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt311-unsub-qos1/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt311-unsub-qos1/test.yaml b/tests/mqtt311-unsub-qos1/test.yaml new file mode 100644 index 000000000..3d79118f6 --- /dev/null +++ b/tests/mqtt311-unsub-qos1/test.yaml 
@@ -0,0 +1,109 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 1} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 1 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup:
false + mqtt.unsuback.message_id: 3 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false diff --git a/tests/mqtt311-unsub-qos2/input.pcap b/tests/mqtt311-unsub-qos2/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..00fc7d66af5723862740b078da65be7064cec9df GIT binary patch literal 1977 zc-pPhze~eF6bJB^%VC06s7BGTh(gf{iUO-6 z5`=La2J5wXH(T310{*JuqCbS<`R!1fYv=-C+_>gUuGa5PAI&0Blt|ku zuL((y6HN;34yFb=K2f|ls5f%O8hr}dF=~^zXwp8L&vCX36u;KI48V^+3V#wQ&!}u* z@rJ!JTA|X6%EYhoM2fcq_~_X9IKPB`P+}{~S~M~r)nhC1IbDxyO9|jfeSQfz&1p+- z<%82P`y3zh7jEmNC^&8DiImrv1k+eNZLhRes8H~LRq?TWlYYcpx{)ua8RhcqsS-r6 zIAX7KR;W;(UaPWRgKMf1T09yFG9vw&1R-1*vOmH$$46)&`)-n*R&rYe!K8+eQgMZ9 zpRUhwy7$yTfSc5?l{%^hR!E0q@n<|mdO~xjR|0$|llI#6$_WEA=Y50hO0T57sL9q| z$ts0jscDqm$s?EMAtkF|9+9M`Mi=vVO7mou3@S(XgaxrUXs@(Xs8F8vf^wE4DgL zwSORjqA{wep{2Iy2SfxxLqkIi+4G!9-SrA5+`-BFp3lqYzVAJE*JlTL1|s|(B3STu z)3X>k$yp(S;|OSvwcE+Mr#I-b`E`F-^z)q;Ne+1r?`V=^#dGKfU}EuHWHol>c56T_ z5(J5~tIC?a{=$eR$vZE;Sn31C`&?7;Sg+Ap)*ev{;i3>fo6B&vdlWxc8W=zqUbOs5 zq&V|d$YODpuLP=8T2UF(Dh)j#21bKH@f3!kc_uTTh(}{_WhRrHQj}z3E(Ky*iOqpX zbGjv0zG86NW|!e@{tS7KYAXeQMr8tvC-_Q7l?ny#)haGlYSQ<-IS=xv7PYTRdDaV7 zh+=V+uk=-^P@X}pvg*J!wp1b+kA~G?H%Q93Qs!@Ar{OL9Le{C0eOhuuz%@j@A~lOE zX8Gxc45xGYVrfC8{93AD2UbppW8r5!PI}v(IlYn=@DAL(UfE~BNE-3m%;^<3YLc#3 z41CY~FFzHS9 ks7~YGG$n_W>4G`mzqA7-?|)^Nk+N)77B5P=uWU*A2H;0l_y7O^ literal 0 Hc-jL100001 diff --git a/tests/mqtt311-unsub-userpass/suricata.yaml b/tests/mqtt311-unsub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt311-unsub-userpass/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file 
diff --git a/tests/mqtt311-unsub-userpass/test.yaml b/tests/mqtt311-unsub-userpass/test.yaml
new file mode 100644
index 000000000..644eaae00
--- /dev/null
+++ b/tests/mqtt311-unsub-userpass/test.yaml
@@ -0,0 +1,110 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 4
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 0 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup:
false + mqtt.unsuback.message_id: 3 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false diff --git a/tests/mqtt5-pub-mosquittoprops/input.pcap b/tests/mqtt5-pub-mosquittoprops/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f2c8d76a8d8643c7148e41e235c2f8dbddfccb49 GIT binary patch literal 1713 zc-pO#%WD%+6vn@KB$>oTQ@bfhF;=6MBIK!?KnvOzp%kH%LLfQ~Lrps|Lneu)8?*7X zb60R7ssBKsr9tSzs6||e-3YEK{s%7I8PAzwnn@>+LM}7Iy?4$%zx&cAW8BtZLK>^tY7Jc=1FbpYZuEqM6A}%H{W&A`2A0NPP8RjwB)QU(6hEG5qGP8 z5g4OM;e^B#OeqM`%Anv#`F%#pFj4;4DgLhl}W|B(4GDtC#R|kc5wqim$K2 zTQaqRQOFx%DBLZpdbn*i(wdE6C|4=xvl%UG<|>A2nnu1*OiJ+ODvz?dUaT0J7oKn= z8jIh&MH|6W;gy1cf<}Q4P3>MWZ)7v=x#O+e@nH)80a!*GtfIn6ZHRShzSL1rc& z+Q3xT(y$Q%JsV+nFBx8_`h~wvrFl8sC%YX}xHKUZkS6+cKtiZZ2~D--OwGW(=t+fs3(rJ}(qCM5`dMm?TYP@)wj=L4JQ`M|ab z*RW7CHdN!+2rkfV#73L`SWAD5H}Q71Pu}=uZDP>o4Qmrj8Jg?Ut!fbIup8z2T%WWY L66r&S&n?P7em_oB literal 0 Hc-jL100001 diff --git a/tests/mqtt5-pub-mosquittoprops/suricata.yaml b/tests/mqtt5-pub-mosquittoprops/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-pub-mosquittoprops/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-pub-mosquittoprops/test.yaml b/tests/mqtt5-pub-mosquittoprops/test.yaml new file mode 100644 index 000000000..f59e83e18 --- /dev/null +++ b/tests/mqtt5-pub-mosquittoprops/test.yaml 
@@ -0,0 +1,98 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: true
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.will.topic: willtopic
+ mqtt.connect.will.message: willmessage
+ mqtt.connect.will.properties.content_type: mywilltype
+ mqtt.connect.will.properties.correlation_data: "1234567"
+ mqtt.connect.will.properties.message_expiry_interval: 133
+ mqtt.connect.will.properties.payload_format_indicator: 144
+ mqtt.connect.will.properties.response_topic: response_topic1
+ mqtt.connect.will.properties.userprop5: userval5
+ mqtt.connect.will.properties.will_delay_interval: 200
+ mqtt.connect.properties.maximum_packet_size: 11111
+ mqtt.connect.properties.receive_maximum: 222
+ mqtt.connect.properties.session_expiry_interval: 555
+ mqtt.connect.properties.topic_alias_maximum: 666
+ mqtt.connect.properties.userprop1: userval1
+ mqtt.connect.properties.userprop2: userval2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+ mqtt.publish.properties.content_type: mytype
+
mqtt.publish.properties.correlation_data: "12345" + mqtt.publish.properties.message_expiry_interval: 77 + mqtt.publish.properties.payload_format_indicator: 88 + mqtt.publish.properties.response_topic: response_topic1 + mqtt.publish.properties.topic_alias: 5 + mqtt.publish.properties.userprop3: userval3 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.puback.qos: 0 + mqtt.puback.retain: false + mqtt.puback.dup: false + mqtt.puback.message_id: 1 + mqtt.puback.reason_code: 16 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false + mqtt.disconnect.reason_code: 0 + mqtt.disconnect.properties.session_expiry_interval: 122 + mqtt.disconnect.properties.userprop4: userval4 diff --git a/tests/mqtt5-pub-qos1/input.pcap b/tests/mqtt5-pub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..141d4c5ec49986fb09671f5ed85611c50e0dcb05 GIT binary patch literal 1459 zc-pPh&r8B!7zglY+v{t2(h3T?m=H)HNnI;E)Uksgq70-ZgCs@UYk_tNg8T!#bTmu? zj}g?-Ul)<=(y^dFBv{Y85ZRb8VPhM6xA)!W`M&SiXaD&@1On5IfPm-pZZ#uF6f$_7 z0rPhEeX@9e2w@ttJP@qydfO}iKCuhlXo&g%q5vY%2Si-(v9Fg$qmv|gxwbl6^HoPq zG_PE5ziWC2MXj-o=#*ap&F0Eb9a02#g_ex#*>c=ScElO*mjNHo7N9n`z9df1h2Xsyu A3jhEB literal 0 Hc-jL100001 diff --git a/tests/mqtt5-pub-qos1/suricata.yaml b/tests/mqtt5-pub-qos1/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-pub-qos1/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-pub-qos1/test.yaml b/tests/mqtt5-pub-qos1/test.yaml new file mode 100644 index 000000000..a185de289 --- /dev/null +++ b/tests/mqtt5-pub-qos1/test.yaml 
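Review bot: In tests/mqtt5-pub-mosquittoprops/test.yaml the user properties are matched as `mqtt.connect.properties.userprop1`, `mqtt.publish.properties.userprop3` and so on, in the same key space as standard properties such as `content_type` or `topic_alias`, and every user property name in the capture is one that cannot collide with them. User property names are chosen by the peer, so the case worth pinning is a user property named like a standard one, or the same name sent twice. From the test alone it is not clear whether the logger would overwrite the standard field, emit a duplicate key or drop a value. The same applies to tests/mqtt5-sub-mosquittoprops/test.yaml. I would add a capture with a colliding name and a check that states the expected outcome, and a comment over the user property lines, `# user properties share the key space of standard properties`.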
@@ -0,0 +1,76 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 1
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+ mqtt.publish.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.puback.qos: 0
+ mqtt.puback.retain: false
+ mqtt.puback.dup: false
+ mqtt.puback.message_id: 1
+ # "no subscriber"
+ mqtt.puback.reason_code: 16
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
diff --git a/tests/mqtt5-pub-qos2/input.pcap b/tests/mqtt5-pub-qos2/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c6510788b334cbdec50e11af46f48179522e9615 GIT binary patch literal 1670 zc-pPh&r8B!7zglYb50QtS{;HeCLSb&#G*qK1mRIg5HSTwMNmo{t|IHwss4cefufs` z2TvY4L<$}xPeKF*L1`X3cDLslmQ3EkgpFJb6G)ln}YFzWfCinq(Vb~OSt4)5rzf(GyOcv6f zwKelkK#yigTy^VfFhsF@Ju|FNYP9`n->5}#P?Vj`r8`@>zQ)11g9q^9Np38WvfdNn z5<6eAmGG3xJSw~YN|hAHG6`aWaN13~@kq90Mw7yPLoj5z3&!=71)_h|ZrJ!XB++ z$Sn-wEMWS7gu#G;fr;h+5f&y6uHrjOdcca9nb|?Mx#6~rZR>4fY-5j}9FoTIZVAvv zkp)8kcc9w_!Z6!XfwqMKHHBgKn*z~(69L+|v_XK0fk6W($cV5BWQ%|i3quJ|aS3)? z>`1gl0%(gH+?HODEdnwOEWUvuA*_cOY?u`pL_iT(TAW(Mz*3M{Tnuu9nh{Q)g2GjS z=x|*MbcYd|PeE?z1=*rx!otu6RNRH#mJkwc0r@lr)fNRK1_pg41}-56&BW4@d|fj) za|>rj7bjgyLvu4-LrXUkT_;mFQ(Z#?Lvs^TV{>z7V^fgJ^h~G}(?&qo-NfbpeL!0Z zfr<;U+hR?kEg=6pquOF1$-q{UUyzv`!H|@g2tqlD$=Ssjsi_4Z2XL9PFhl^&iNNjv zC88bR3wD4c&;eSg4tM}A6dX*cl$>q??FzsZoYmB|MG(c7KA0_ixNYHkX-PuT2mso2 K3(YSeTlxSTblu(n literal 0 Hc-jL100001 diff --git a/tests/mqtt5-pub-userpass-auto-clientid/suricata.yaml b/tests/mqtt5-pub-userpass-auto-clientid/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-pub-userpass-auto-clientid/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-pub-userpass-auto-clientid/test.yaml b/tests/mqtt5-pub-userpass-auto-clientid/test.yaml new file mode 100644 index 000000000..0edf0b400 --- /dev/null +++ b/tests/mqtt5-pub-userpass-auto-clientid/test.yaml 
@@ -0,0 +1,65 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+ mqtt.connack.properties.assigned_client_identifier: auto-6F78CADB-9176-19F4-B5F5-101745377C35
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+ mqtt.publish.message: baabaablacksheep
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
diff --git a/tests/mqtt5-pub-userpass/input.pcap b/tests/mqtt5-pub-userpass/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9b4ec516b731fdcc1514e8ad97361280f92967b1 GIT binary patch literal 1350 zc-p&ic+)~A1{MYcU}0bclHtZxaU0cG8RCHKI0jVEb~k}*atDJ3n**8zBRYR_9eecS z-lGRWoCQq(k1!Z8Ffg(FKf=Pq!Bu=`&1|qDW@dJfZMSgS#u=`DcXull-+W5OcfQf-Y11QLdunA<#0-!DJK*jCY zZ3!gN773s&k*Kx^=rgeR28M*N9%8UzR%8%i5YDYE%g;H#Tluo1t15k0y-c9Xifxn2PhHifMa}M2S@@PpoQvy2jINVsYRV6(#{ODOAuFZ dI#SmbLF~5pf}FtPkU!otMCReblC-O$^hpNV z$hbi0{|qPB7+EnaBgK;er9rNW^rz1 zL1J-nL4HvQ$X!Qp`yLe53Pgu>3eauFxO}f~&B+iAR2+@n7F7~$0r_4RZp%54EegyG zJ>aD3VNIpzGzMCiiRK}YRp&sqOtPj@uw{ZhB#7OXE*mQPB@34=OKqs+mn@)7CfGs@ E0F`ISD*ylh literal 0 Hc-jL100001 diff --git a/tests/mqtt5-sub-customauth/suricata.yaml b/tests/mqtt5-sub-customauth/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-sub-customauth/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-sub-customauth/test.yaml b/tests/mqtt5-sub-customauth/test.yaml new file mode 100644 index 000000000..a13179b92 --- /dev/null +++ b/tests/mqtt5-sub-customauth/test.yaml 
@@ -0,0 +1,44 @@ +requires: + features: + - HAVE_LIBJANSSON + files: + - rust/src/mqtt/parser.rs + +args: + - -k none + +checks: + + - filter: + count: 1 + match: + dest_port: 1883 + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connect.qos: 0 + mqtt.connect.retain: false + mqtt.connect.dup: false + mqtt.connect.protocol_string: MQTT + mqtt.connect.protocol_version: 5 + mqtt.connect.flags.username: false + mqtt.connect.flags.password: false + mqtt.connect.flags.will: false + mqtt.connect.flags.will_retain: false + mqtt.connect.flags.clean_session: true + mqtt.connect.client_id: "myvoiceismypassport" + mqtt.connect.properties.receive_maximum: 20 + mqtt.connect.properties.authentication_method: foo + mqtt.connect.properties.authentication_data: "1234" + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.connack.qos: 0 + mqtt.connack.retain: false + mqtt.connack.dup: false + mqtt.connack.session_present: false + mqtt.connack.return_code: 140 diff --git a/tests/mqtt5-sub-mosquittoprops/input.pcap b/tests/mqtt5-sub-mosquittoprops/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9d79a5058257d11e35a89ecb0885901b4d5547e4 GIT binary patch literal 1744 zc-p&ic+)~A1{MYcU}0bcl8cP1;u@s67~+8JI0jVEb~l0d*&_xGHU~5bMs)u41MJb_ zYVWH+oCQq(k1!Z8Ffg(FKf=Pq!Bu?s(si&RW@dJfZPRhv#+VjBjBV`E(+}L#5#QK&@-zrAF)(NV1sM@Gfo%B#v_%!DQORMFMEccT`&h&M-2t_y&fAupVQuu~BDW&`wumxF-noxV940EHwts(&E&jf};Ea zLk12Ivn(;k5J}VsE^5ReoLgCzpP8JRS)5y0kXT$?kY7~d&CI}+TUnl&lT%Vzkjlxx zZfIm|Vrpg%bO=K$;{*-{{-RW%!o1?t_>%mB%w%M;whcKip9RN(c%>Cj=gGwGUnm0*wE#Ma>@>DkV3FEug3|fZK8d zWQzhD0|T=X0~g3PVOi=Vw+~)G8%5BP8_2dBAX~zKw&Vg8=VG_ToJ3ndezHfkrAZW| zhYcKw5imw1xU{$lv^*AQMlALKRVO+?MSu=S1Y53;YWW0Kc+q5ggi7I=2((ZdH9Rjf zfh=1Bv}Gm*0_N3NSt?~ZX`oGwn6}(n4zi_)TG^lxXp;QEdPK literal 0 Hc-jL100001 diff --git a/tests/mqtt5-sub-mosquittoprops/suricata.yaml b/tests/mqtt5-sub-mosquittoprops/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null 
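Review bot: `mqtt.connack.return_code: 140` in tests/mqtt5-sub-customauth/test.yaml is left unexplained, while the other MQTT 5 tests in this patch annotate their non-zero codes (`# "no subscriber"`, `# "No subscription"`). 140 (0x8C) is the MQTT 5 reason code "Bad authentication method", and it is the point of this test: the broker rejects the `authentication_method: foo` offered in CONNECT. I would add `# "Bad authentication method"` above the line. The directory name says "sub", but the hunk holds only the connect and connack checks, presumably because the session ends at the rejection; a one-line comment stating that would keep a reader from looking for a missing subscribe check.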
+++ b/tests/mqtt5-sub-mosquittoprops/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt5-sub-mosquittoprops/test.yaml b/tests/mqtt5-sub-mosquittoprops/test.yaml
new file mode 100644
index 000000000..d2a4f872a
--- /dev/null
+++ b/tests/mqtt5-sub-mosquittoprops/test.yaml
@@ -0,0 +1,91 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: true
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.will.topic: willtopic
+ mqtt.connect.will.message: willmessage
+ mqtt.connect.will.properties.content_type: mywilltype
+ mqtt.connect.will.properties.correlation_data: "1234567"
+ mqtt.connect.will.properties.message_expiry_interval: 133
+ mqtt.connect.will.properties.payload_format_indicator: 144
+ mqtt.connect.will.properties.response_topic: response_topic1
+ mqtt.connect.will.properties.userprop5: userval5
+ mqtt.connect.will.properties.will_delay_interval: 200
+ mqtt.connect.properties.maximum_packet_size: 11111
+ mqtt.connect.properties.receive_maximum: 222
+ mqtt.connect.properties.session_expiry_interval: 555
+ mqtt.connect.properties.topic_alias_maximum: 666
+ mqtt.connect.properties.userprop1: userval1
+ mqtt.connect.properties.userprop2: userval2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type:
mqtt + mqtt.suback.qos: 0 + mqtt.suback.retain: false + mqtt.suback.dup: false + mqtt.suback.message_id: 1 + mqtt.suback.qos_granted: [0, 0] + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false + # "Disconnect with Will Message" + mqtt.disconnect.reason_code: 4 + mqtt.disconnect.properties.session_expiry_interval: 122 + mqtt.disconnect.properties.userprop4: userval4 diff --git a/tests/mqtt5-sub-userpass/input.pcap b/tests/mqtt5-sub-userpass/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..52ed40e9cfe8948cd96948be8d68a4b2b968eeec GIT binary patch literal 1558 zc-p&ic+)~A1{MYcU}0bclCj2Bahor&GsFSeaSW)S?QQ}~S}TJFn**8zBRYQy6MMAK z`{^e@oCQq(k1!Z8Ffg(FKf=Pq!Bu?c$S$xVW@dJfZKrVC#>UA^jBV`EQ<(m1U*`bY zcyfWz{~hSIfiTRr2SD4xfSSUv`%Qspznuiy$k`yk#K52d6l6r$1hU2GB0EDnP;onU zTLMY6MFMC`B&sa}`V1_-fgvHRhZt;_6&XYrgmWv)@-vfDGmCR83lfWq3-XIf7+6Y+ zQ;Qf_Kzxw194_MYJSeCYhz@E_pwoWg@_h6qDn%&77Lex+P;F6QV_;xbV&DSVmU)Rv z5&8>gqaZFnF<)k9$OS6S#cqo^iMD|JWRGe~lPE|JTS*Y9O`%0E=T3Gynhq literal 0 Hc-jL100001 diff --git a/tests/mqtt5-sub-userpass/suricata.yaml b/tests/mqtt5-sub-userpass/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-sub-userpass/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-sub-userpass/test.yaml b/tests/mqtt5-sub-userpass/test.yaml new file mode 100644 index 000000000..b9784a22d --- /dev/null +++ b/tests/mqtt5-sub-userpass/test.yaml 
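Review bot: `mqtt.connect.will.properties.payload_format_indicator: 144` in tests/mqtt5-sub-mosquittoprops/test.yaml asserts a value outside what MQTT 5 defines for this property (0 for unspecified bytes, 1 for UTF-8), and tests/mqtt5-pub-mosquittoprops/test.yaml does the same with 144 and 88. As written, the tests only confirm that the parser passes the out-of-range byte through to the log; they do not say whether that is the intended handling or whether an anomaly event should accompany it. I would either regenerate the captures with a valid indicator or keep them and add a comment, `# out-of-spec value on purpose: parser logs it unchanged`. If the parser is meant to flag such values, the test should also check for the expected event.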
@@ -0,0 +1,74 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 3
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 0}, {topic: topicY, qos: 0}]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [0, 0]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
diff --git a/tests/mqtt5-unsub-qos1/input.pcap b/tests/mqtt5-unsub-qos1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..13819a6120aa5dee3d029c8e56b6f244ccf01a17 GIT binary patch literal 2194 zc-pPiKTH!*90%~<-93A>Vg%{n07(@QViPD)gb;^@7>6bX5mIb=X(Vl<9ZIiUCE#Qj zXd}@uurT0V-Q0|mvobh27}+2?I2jTrJFt}B@0x;F-oj#ge`4SBIqAfp2t?jM2n#^n@|5C$}>$?yEkXe0~ z$sGY>|Cesxq$nzBEAHCGYwx^hYH}-H>EG!^v1VPWe{9w0Y-+Dii({uaKU>Iiwi=3k zFS=xaA^cK0l}On`rHnV1`N~Y2%4Jj%PNi!E*!`KgxpSZ3j&cQp(34+XF67eLoRMGE z7Ysu$ER}#gGqOv-s7;Uc!#zBeI^?<3eVGky&@KEoQ_z4m6bc`4Dj^?$auou0CR5CS zYJ(^axMeadKV;Q=v?^oyuA#_3@PodM^D)BD033hFvv&9j|+?;{dv2wmE!a z7RlVCHE&xNs(zqVsq^zqdd@e7Uf8y#99Hq|d5}-?VMA#)66D{j3d$PBXPD+>Exu>u zlcmlF#LSp!^hR4|j7b(LH&79hXq1zP6cZCE&`nlEWTJ6SBJ&9<>08WgU3XUgcv;sk zUmr;@V`nvWF$Tf^Ye(qO1&WmiLA>Y%pnu-R9Rqh$`{Y!s zzs+jV$b_5KI*d}aeoBm>FQT@lhc?vx@31r=Qtn!UHuZ6oX3r{zQBo3?pe(Z}O*p4m GLpcVw&u!rV literal 0 Hc-jL100001 diff --git a/tests/mqtt5-unsub-qos1/suricata.yaml b/tests/mqtt5-unsub-qos1/suricata.yaml new file mode 100644 index 000000000..14f5a71ba --- /dev/null +++ b/tests/mqtt5-unsub-qos1/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + +app-layer: + protocols: + mqtt: + enabled: yes \ No newline at end of file diff --git a/tests/mqtt5-unsub-qos1/test.yaml b/tests/mqtt5-unsub-qos1/test.yaml new file mode 100644 index 000000000..a9b24dcda --- /dev/null +++ b/tests/mqtt5-unsub-qos1/test.yaml 
@@ -0,0 +1,117 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/mqtt/parser.rs
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 5
+ match:
+ dest_port: 1883
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.qos: 0
+ mqtt.connect.retain: false
+ mqtt.connect.dup: false
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: myvoiceismypassport
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connack.qos: 0
+ mqtt.connack.retain: false
+ mqtt.connack.dup: false
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.subscribe.qos: 1
+ mqtt.subscribe.retain: false
+ mqtt.subscribe.dup: false
+ mqtt.subscribe.topics: [ {topic: topicX, qos: 1} ]
+ mqtt.subscribe.message_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.suback.qos: 0
+ mqtt.suback.retain: false
+ mqtt.suback.dup: false
+ mqtt.suback.message_id: 1
+ mqtt.suback.qos_granted: [ 1 ]
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicX ]
+ mqtt.unsubscribe.message_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsubscribe.qos: 1
+ mqtt.unsubscribe.retain: false
+ mqtt.unsubscribe.dup: false
+ mqtt.unsubscribe.topics: [ topicY ]
+ mqtt.unsubscribe.message_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.unsuback.qos: 0
+ mqtt.unsuback.retain: false
+ mqtt.unsuback.dup: false
+ mqtt.unsuback.message_id: 2
+ mqtt.unsuback.reason_codes:
[ 0 ] + + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.unsuback.qos: 0 + mqtt.unsuback.retain: false + mqtt.unsuback.dup: false + mqtt.unsuback.message_id: 3 + # "No subscription" + mqtt.unsuback.reason_codes: [ 17 ] + + - filter: + count: 1 + match: + event_type: mqtt + mqtt.disconnect.qos: 0 + mqtt.disconnect.retain: false + mqtt.disconnect.dup: false + mqtt.disconnect.reason_code: 0 diff --git a/tests/mqtt5-unsub-qos2/input.pcap b/tests/mqtt5-unsub-qos2/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..50ee5d98fe7fde373b6c1022b23c74f56833491d GIT binary patch literal 1994 zc-pPhyGz4B90%}UlQU}TP#=RJXjKqFd{!L9L39u-4uvAVD2nY+Y-uoR(M8czSHW%$ zKK=rAa&gh_E{+O1cCcM^5G(cfOR1WAg%mE3kY94gC*QlvJ=|TLNx*$i3y) z_w3-udq0?u{ij7o*a@A=XweH>ah=dB=M(PSD;1|wE(v`A63Zo-RAtv5-zJSlvRp~p zacQkeIkuvqr8f_4KckpFt;<~(X&w>_+9hh!*lC)d&1E@T8pW3#rv%W64{bk^hm;Rg z4zTe7U-6cyG@>$VR-C=Sro291#Vw4;t0XgL_tBAe=xrm4}@HDK#na1|KU z^jVT#GCU2n%kogaBnF|SRCpyWXhQP}h3_*fE(Jht13PIAaUm0m5{ju(nNCm%VB-K^ z=_ym8Ohaa6w}$#CYf&|{JR^}gzHf&G?7F}o#}3Qmm_oPPFni4AA^r1)HHVgpT~vO) zVaxft(aRXtnAtjafb^3O3%O9tl7A#BYX-kzf|vDzkx$lrzeCK5nLzKoXvM?|E9MIo zA&K5OiAafIA{lDQsvZ!S=#!Huwt~tH?jE=c87D_+FH@mJT?HlEM9Q;`5%i`D`lTlg jsP=E1JVZ)3E@(6SM9K4C$u^O)D{6c4pp-RFO%ApwKmi-8S)mxi}P z9}i9l;d2Pg*Ir@KesBg}`*_tKw(9zLz_D<2J(i;4Tq?f85P-yruS{|_>G|x5(MXmZ zq`4n!YRr+dqB$0h2UhOgFDRzZ+lujOjqbAMM{O26&GNH(EN4rjnA~ZR0KE9p_A8Nc zipoAV-sdaRbt)aG%$t>#L10tUGcye@FeZ0`8`@X5HlvZS8qrs`v?X2FqHF8GHgt6j z7}YeatJ>jdsy&vcI*CL3t`+_>E@(kZ3WXmsD;_(5+yzaf$xnh7^c%%gtxR{QEMwzk zzT&S_p-dxYWw)97*w>?4Bs^zq!^vkS1h8v>KaahZ=P`A3t+))+Uom539vXX|EEO#c zyJ-A;qgL}NF7z^nHDR)1moAVh`LK}7#XR{JqOxXi3_YBzv0FwySzm!hAzzHrgI=!c zi%F10iZ9qGCQ*))h?E2-lA)EXk)Xgt1x}(w7!@7&HJ(Do%~87RR47q@S;?!UyxSN- rH*qmrTJaiC>)$vfh!o$Gpu@0$Qr~|iuaYt@=y+24P