OISF · hsadia538 · Jan 13, 2023 · Feb 3, 2023 · inashivb · Apr 18, 2023
diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP was shared by Sascha Steinbiss and was generated by setting up a Mosquitto server and recording communication between `mosquitto_sub` client and `local_broker` via a script.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
diff --git a/tests/mqtt-frames-truncated/input.pcap b/tests/mqtt-frames-truncated/input.pcap
diff --git a/tests/mqtt-frames-truncated/suricata.yaml b/tests/mqtt-frames-truncated/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mqtt
+        - alert
+        - frame
+
+app-layer:
+  protocols:
+    mqtt:
+      enabled: yes
+      max-msg-length: 60
diff --git a/tests/mqtt-frames-truncated/test.rules b/tests/mqtt-frames-truncated/test.rules
@@ -0,0 +1,17 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 1c|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|14|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|10 1c|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+# pre-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|0a|"; sid:7;)
+
+# At boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|51|"; sid:8;)
+
+# post-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 9"; frame:data; content:"|c1 90 34|"; sid:9;)
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
@@ -0,0 +1,51 @@
+requires:
+  min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      frame.type: "pdu"
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      frame.type: "pdu"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+      frame.type: "header"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+      frame.type: "header"
+      frame.length: 2
+      frame.complete: true
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 8
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 9
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,54 @@
+pcap: ../mqtt5-pub-userpass/input.pcap
+
+requires:
+  min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      frame.type: "pdu"
+      frame.length: 49
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      frame.type: "pdu"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+      frame.type: "header"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+      frame.type: "header"
+      frame.length: 2
+      frame.complete: true
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 7
+      frame.type: "data"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 8
+      frame.type: "data"
+      frame.complete: true