From b1dfc4c7d7e3b36c31faa0de4021e0414a081b38 Mon Sep 17 00:00:00 2001
From: Haleema Khan
Date: Fri, 13 Jan 2023 17:28:50 +0500
Subject: [PATCH 1/2] mqtt: test mqtt frames
---
tests/mqtt-frames/README.md | 11 ++++++++
tests/mqtt-frames/input.pcap | Bin 0 -> 1350 bytes
tests/mqtt-frames/test.rules | 11 ++++++++
tests/mqtt-frames/test.yaml | 52 +++++++++++++++++++++++++++++++++++
4 files changed, 74 insertions(+)
create mode 100644 tests/mqtt-frames/README.md
create mode 100644 tests/mqtt-frames/input.pcap
create mode 100644 tests/mqtt-frames/test.rules
create mode 100644 tests/mqtt-frames/test.yaml
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..4ebd816ed
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/input.pcap b/tests/mqtt-frames/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9b4ec516b731fdcc1514e8ad97361280f92967b1
GIT binary patch
literal 1350 zcmca|c+)~A1{MYcU}0bca>9+P;x?+WGQ>-(hf8pgpmQ%mOv71kpS8fiE4|0J_CzyU`Pn-AqE>}MFtTD;oQoy{LJLk%;Mb2 zg2dwDg8ZTq2A0y|)FK8J5Fg~M&A2@e3Th%e4-M+yz@Yw&%k#T5a3&wpA{1f^$n(JD z0}bLipdeOYV_;xbV&DS#=_1fJszm7LotxX4(fkCmZ4StmXiZjzLSRgSFfxEfs5Q|M z3b6&`CubBt%`uQlup`66z?Ba~n)B=zLRskIl0kj!}kpa{JO2j(g z7$4Z1l0XM&p*r9JIPY_6;S5fal1MxAy0!=ceS^q_@JRE=Z3}loJ~7E1 PQjQ%H1cn(4HopJ>NDuxy literal 0 HcmV?d00001
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..f3b053b3d
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..2ea13450a
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,52 @@
+requires: + min-version: 7 + +args: + - -k none + +checks: +- filter: + count: 1 + match: + alert.signature_id: 1 + frame.type: "pdu" + frame.length: 49 +- filter: + count: 1 + match: + alert.signature_id: 2 + frame.type: "pdu" + frame.complete: true +- filter: + count: 1 + match: + alert.signature_id: 3 + frame.type: "header" + frame.complete: true +- filter: + count: 1 + match: + alert.signature_id: 4 + frame.type: "header" + frame.length: 2 + frame.complete: true +- filter: + count: 0 + match: + alert.signature_id: 5 +- filter: + count: 0 + match: + alert.signature_id: 6 +- filter: + count: 1 + match: + alert.signature_id: 7 + frame.type: "data" + frame.complete: true +- filter: + count: 1 + match: + alert.signature_id: 8 + frame.type: "data" + frame.complete: true
\ No newline at end of file
From d24e8cd58b5462197dcdb8f000f61dad4fc70245 Mon Sep 17 00:00:00 2001
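Review bot: The rules for sid 5 and sid 6 are negative checks (test.yaml asserts `count: 0` for both), but nothing in the rules file says so, and a reader seeing content patterns that never match is likely to treat them as broken and "fix" them. A one-line comment above the pair, `# sid 5/6: negative checks, expected to produce no alerts`, would preserve the intent; the same applies to sids 5 and 6 in tests/mqtt-frames-truncated/test.rules in the second patch. sid 3 carries `flow:to_server` while the otherwise parallel sid 4 does not; if the direction is part of what sid 3 tests, a comment saying so would help, otherwise dropping it keeps the pairs symmetric. The file also ends without a trailing newline.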
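Review bot: The check for sid 1 asserts `frame.length: 49` but not `frame.complete`, while the checks for sids 2, 3, 7 and 8 assert `frame.complete: true` but no length, so a regression that moves a header or data frame boundary by a few bytes would still pass most of these checks. Since the frames come from a fixed pcap, their lengths are known; asserting `frame.length` next to `frame.complete` on each positive check would pin the boundaries this test exists to verify. The same gap is present in tests/mqtt-frames-truncated/test.yaml in the second patch.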
From: Haleema Khan
Date: Fri, 3 Feb 2023 19:29:03 +0500
Subject: [PATCH 2/2] mqtt: test mqtt frames for truncated messages
---
tests/mqtt-frames-truncated/README.md | 11 +++++
tests/mqtt-frames-truncated/suricata.yaml | 18 +++++++
tests/mqtt-frames-truncated/test.rules | 11 +++++
tests/mqtt-frames-truncated/test.yaml | 60 +++++++++++++++++++++++
4 files changed, 100 insertions(+)
create mode 100644 tests/mqtt-frames-truncated/README.md
create mode 100644 tests/mqtt-frames-truncated/suricata.yaml
create mode 100644 tests/mqtt-frames-truncated/test.rules
create mode 100644 tests/mqtt-frames-truncated/test.yaml
diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
new file mode 100644
index 000000000..6f1bc9da2
--- /dev/null
+++ b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt-limit-1]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/suricata.yaml b/tests/mqtt-frames-truncated/suricata.yaml
new file mode 100644
index 000000000..7220b4216
--- /dev/null
+++ b/tests/mqtt-frames-truncated/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mqtt + - alert + - frame + +app-layer: + protocols: + mqtt: + enabled: yes + max-msg-length: 50000
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.rules b/tests/mqtt-frames-truncated/test.rules
new file mode 100644
index 000000000..e3030769a
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.rules
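Review bot: `max-msg-length: 50000` is the setting that makes this test exercise the truncated path, yet the value is unexplained in suricata.yaml, and the README only says msg_len > max_msg_size. A comment on that line, `# below the largest PUBLISH in the pcap so it is truncated; test.yaml expects mqtt.publish.truncated: true with skipped_length 100009`, would tie the limit to the expectation it supports and warn anyone tuning it that the counts in test.yaml depend on it.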
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 1"; frame:pdu; content:"|32 a7 8d|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 2"; frame:pdu; content:"|58 58 58|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 3"; frame:header; content:"|32|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 4"; frame:header; content:"|30|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 7"; frame:trunc.data; content:"|00 03|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 8"; frame:trunc.data; content:"|58 58 58|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
new file mode 100644
index 000000000..fa2a6bc5f
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.yaml
@@ -0,0 +1,60 @@ +pcap: ../mqtt-limit-1/input.pcap + +requires: + min-version: 7 + +args: + - -k none + +checks: +- filter: + count: 1 + match: + alert.signature_id: 1 + frame.type: "pdu" +- filter: + count: 2 + match: + alert.signature_id: 2 + frame.type: "pdu" + frame.complete: true +- filter: + count: 3 + match: + alert.signature_id: 3 + frame.type: "header" + frame.complete: true +- filter: + count: 1 + match: + alert.signature_id: 4 + frame.type: "header" + frame.length: 4 + frame.complete: true +- filter: + count: 0 + match: + alert.signature_id: 5 +- filter: + count: 0 + match: + alert.signature_id: 6 +- filter: + count: 2 + match: + alert.signature_id: 7 + frame.type: "trunc.data" +- filter: + count: 2 + match: + alert.signature_id: 8 + frame.type: "trunc.data" +- filter: + count: 1 + match: + event_type: mqtt + mqtt.publish.qos: 0 + mqtt.publish.retain: false + mqtt.publish.dup: false + mqtt.publish.truncated: true + mqtt.publish.skipped_length: 100009 \ No newline at end of file
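Review bot: `pcap: ../mqtt-limit-1/input.pcap` makes this test depend on a sibling test directory, so renaming, removing or re-capturing mqtt-limit-1 breaks it without any change under tests/mqtt-frames-truncated; the first patch instead copied the capture into tests/mqtt-frames/input.pcap. Either copy the pcap here as well, or, if sharing is intended, state the dependency in this test's README so whoever touches mqtt-limit-1 can see it. The trunc.data checks for sids 7 and 8 assert neither `frame.complete` nor `frame.length`; asserting the expected completeness flag would document whether a truncated data frame is logged as complete, which is presumably the behaviour this test was written to cover.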