Mqtt frames v5 #1172
| @@ -0,0 +1,11 @@ | ||
| Description | ||
| =========== | ||
| Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size. | ||
|
|
||
| PCAP | ||
| ==== | ||
| PCAP was shared by Sascha Steinbiss and was generated by setting up a Mosquitto server and recording communication between `mosquitto_sub` client and `local_broker` via a script. | ||
|
|
||
| Redmine ticket | ||
| ============== | ||
| https://redmine.openinfosecfoundation.org/issues/5731 |
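Review bot: The description says msg_len > max_msg_size, but the setting the test actually tunes is the mqtt `max-msg-length` option in suricata.yaml (60 here); naming that key in the README, and saying which MQTT message in the pcap exceeds it, would let a reader reproduce the truncation without opening the yaml. Also "frames[Pdu, Header, Data]" reads better as "frames (pdu, header, data)", matching the frame:pdu / frame:header / frame:data keywords the rules use.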
| @@ -0,0 +1,18 @@ | ||
| %YAML 1.1 | ||
| --- | ||
|
|
||
| outputs: | ||
| - eve-log: | ||
| enabled: yes | ||
| filetype: regular | ||
| filename: eve.json | ||
| types: | ||
| - mqtt | ||
| - alert | ||
| - frame | ||
|
|
||
| app-layer: | ||
| protocols: | ||
| mqtt: | ||
| enabled: yes | ||
| max-msg-length: 60 |
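Review bot: `max-msg-length: 60` is the whole point of this test, but nothing in the file says so; a YAML comment on that line (e.g. `# deliberately small so at least one MQTT message is longer than the limit and gets truncated, see README`) keeps a future cleanup from raising it back to the default. The `frame` entry under eve-log types is likewise required for the `frame.*` checks in test.yaml and deserves the same one-line note.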
| @@ -0,0 +1,17 @@ | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 1"; frame:pdu; content:"|10 1c|"; startswith; sid:1;) | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 2"; frame:pdu; content:"|14|"; endswith; sid:2;) | ||
|
|
||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 3"; frame:header; content:"|10|"; sid:3;) | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 4"; frame:header; content:"|10 1c|"; sid:4;) | ||
|
|
||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;) | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;) | ||
|
|
||
| # pre-boundary test for truncated data | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 7"; frame:data; content:"|0a|"; sid:7;) | ||
|
|
||
| # At boundary test for truncated data | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 8"; frame:data; content:"|51|"; sid:8;) | ||
|
Member
Could we add a few more bytes to ensure it is the truncated data that we want to be looking at. Unless
Contributor
Author
I am not sure what you mean by adding more bytes. For the purpose of this rule, I counted the bytes up till a point where there is a boundary. Since, after the last update to frames, we are no longer making frames for truncated data, after this specific byte we don't get a match.
Collaborator
It looks like we get a match even after this specific byte, cf. #1365
Member
yep. did think that might happen. Thanks for picking this up! :)
|
|
||
| # post-boundary test for truncated data | ||
| alert mqtt any any -> any any (msg:"mqtt truncated Frame 9"; frame:data; content:"|5b|"; sid:9;) | ||
|
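Review bot: The data-frame rules (sids 7, 8, 9) each match a single byte (`|0a|`, `|51|`, `|5b|`), so a hit only shows that the byte value occurs somewhere in some data frame, not that the frame stops at the truncation boundary; the "pre-boundary" / "At boundary" / "post-boundary" comments should state the byte offsets they refer to, and the rules should carry a few surrounding bytes anchored with `startswith`/`endswith` (as sids 1 and 2 already do) or a `depth`/`offset`, so the expected count 0 for sid 9 actually demonstrates that nothing past the boundary is inspectable. Sid 3 (`content:"|10|"` on frame:header) has the same one-byte weakness.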
Member
Same comments as above.
Contributor
Author
I can add more bytes to the post boundary test
| @@ -0,0 +1,51 @@ | ||
| requires: | ||
| min-version: 7 | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 1 | ||
| frame.type: "pdu" | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 2 | ||
| frame.type: "pdu" | ||
| frame.complete: true | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 3 | ||
| frame.type: "header" | ||
| frame.complete: true | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 4 | ||
| frame.type: "header" | ||
| frame.length: 2 | ||
| frame.complete: true | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| alert.signature_id: 5 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| alert.signature_id: 6 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 7 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 8 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| alert.signature_id: 9 |
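Review bot: The filters for sids 7 and 8 assert only on `alert.signature_id`, so they would also pass if the alert fired on a pdu or header frame; add `frame.type: "data"` and a `frame.complete` expectation, as the sid 1 to 4 filters do, so the truncated data frame's completeness flag is actually pinned down. Note also that `count: 0` for sids 5, 6 and 9 is the same result you get when the rule fails to load; those negative checks are only meaningful next to a positive check on the same frame type, which exists for pdu (sids 1, 2) and data (sids 7, 8), so keep that pairing when the rules are reworked.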
| @@ -0,0 +1,11 @@ | ||
| Description | ||
| =========== | ||
| Test MQTT frames[Pdu, Header, Data]. | ||
|
|
||
| PCAP | ||
| ==== | ||
| PCAP comes from the suricata verify test[mqtt5-pub-userpass] | ||
|
|
||
| Redmine ticket | ||
| ============== | ||
| https://redmine.openinfosecfoundation.org/issues/5731 |
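Review bot: "PCAP comes from the suricata verify test[mqtt5-pub-userpass]" does not say under which file name it was added here or whether it is a byte-identical copy; if the pcap is duplicated into this directory the README should say so (or the test should reference the existing one), and "test[mqtt5-pub-userpass]" reads better as "test mqtt5-pub-userpass".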
| @@ -0,0 +1,11 @@ | ||
| alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;) | ||
| alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;) | ||
|
|
||
| alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;) | ||
| alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;) | ||
|
|
||
| alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;) | ||
| alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;) | ||
|
|
||
| alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;) | ||
| alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;) |
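Review bot: Sids 5 and 6 are negative cases (test.yaml expects count 0 for both) but nothing in the rules file marks them as such, and sid 3 adds `flow:to_server` while its sibling sid 4 does not; a comment line per group, as the truncated-frames rules have (`# pre-boundary test ...`), stating that sids 5 and 6 must not match, plus either a direction on both header rules or a note on why only one needs it, would make the intent reviewable. The msg text "mqtt Frame N" could also name the frame type each rule exercises.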
| @@ -0,0 +1,52 @@ | ||
| requires: | ||
| min-version: 7 | ||
|
|
||
| args: | ||
| - -k none | ||
|
Member
nit: README mentions the pcap already exists. Can we try to deduplicate it with the
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 1 | ||
| frame.type: "pdu" | ||
| frame.length: 49 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 2 | ||
| frame.type: "pdu" | ||
| frame.complete: true | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 3 | ||
| frame.type: "header" | ||
| frame.complete: true | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 4 | ||
| frame.type: "header" | ||
| frame.length: 2 | ||
| frame.complete: true | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| alert.signature_id: 5 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| alert.signature_id: 6 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 7 | ||
| frame.type: "data" | ||
| frame.complete: true | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 8 | ||
| frame.type: "data" | ||
| frame.complete: true | ||
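Review bot: `frame.length: 49` for sid 1 is consistent with the rule's `|10 2f 00|` content (two fixed-header bytes plus an MQTT remaining length of 0x2f = 47), which is the kind of check that ties the frame to the bytes on the wire; the same could be done for sid 2 and for the data frames in sids 7 and 8, which currently assert only `frame.complete: true` and would pass for a data frame of any length. Sid 1 itself is the one positive filter with no `frame.complete` line.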
nit: msg indicates all these are truncated frames, which from the matches does not seem to be true?