From 8f3c66663ec6a6457c79f9bf802b07eec341d898 Mon Sep 17 00:00:00 2001
From: Haleema Khan
Date: Fri, 13 Jan 2023 17:28:50 +0500
Subject: [PATCH] mqtt: test mqtt frames
---
tests/mqtt-frames/README.md | 10 ++++++++++
tests/mqtt-frames/input.pcap | Bin 0 -> 1350 bytes
tests/mqtt-frames/test.rules | 2 ++
tests/mqtt-frames/test.yaml | 12 ++++++++++++
4 files changed, 24 insertions(+)
create mode 100644 tests/mqtt-frames/README.md
create mode 100644 tests/mqtt-frames/input.pcap
create mode 100644 tests/mqtt-frames/test.rules
create mode 100644 tests/mqtt-frames/test.yaml
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..fe06819ac
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,10 @@
+Description
+===========
+Test MQTT frames.
+
+PCAP
+====
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/input.pcap b/tests/mqtt-frames/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9b4ec516b731fdcc1514e8ad97361280f92967b1
GIT binary patch
literal 1350
zcmca|c+)~A1{MYcU}0bca>9+P;x?+WGQ>-(hf8pgpmQ%mOv71kpS8fiE4|0J_CzyU`Pn-AqE>}MFtTD;oQoy{LJLk%;Mb2 zg2dwDg8ZTq2A0y|)FK8J5Fg~M&A2@e3Th%e4-M+yz@Yw&%k#T5a3&wpA{1f^$n(JD z0}bLipdeOYV_;xbV&DS#=_1fJszm7LotxX4(fkCmZ4StmXiZjzLSRgSFfxEfs5Q|M z3b6&`CubBt%`uQlup`66z?Ba~n)B=zLRskIl0kj!}kpa{JO2j(g z7$4Z1l0XM&p*r9JIPY_6;S5fal1MxAy0!=ceS^q_@JRE=Z3}loJ~7E1 PQjQ%H1cn(4HopJ>NDuxy
literal 0
HcmV?d00001
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..6155b0e05
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
@@ -0,0 +1,2 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; frame:header; content:"|10|"; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:pdu; content:"|10|"; sid:2;)
\ No newline at end of file
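Review bot: In test.rules both rules use `content:"|10|"` with no position modifier, so the byte may match anywhere inside the inspected frame rather than at its start. The test could therefore still pass if the frame boundaries were wrong, as long as a 0x10 byte falls somewhere inside the frame. If the intent is to confirm that each frame begins at the MQTT fixed header (0x10 is the CONNECT control byte), anchor the match, e.g. `frame:header; content:"|10|"; startswith; sid:1;` and likewise for `frame:pdu`. The messages "mqtt Frame 3" and "mqtt Frame 4" match neither the sids nor the frame names; `msg:"mqtt frame header"` and `msg:"mqtt frame pdu"` would make a failing check easier to read.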
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..127105044
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
\ No newline at end of file
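Review bot: Each check asserts only `alert.signature_id` with `count: 1`, so the test does not pin which packet or protocol produced the alert. Adding a second key to each `match:` block, for example `app_proto: mqtt` or `pcap_cnt: <PACKET_NUMBER>` taken from the expected EVE output, would make a shifted frame boundary fail the test instead of passing on a different packet. The file also ends without a trailing newline.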