OISF · jasonish · Oct 20, 2024 · Nov 26, 2024 · jasonish · Nov 26, 2024
@@ -373,6 +373,27 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_reason_code(tx: &MQTTTransaction, result
 
 #[no_mangle]
 pub extern "C" fn rs_mqtt_tx_unsuback_has_reason_code(tx: &MQTTTransaction, code: u8) -> u8 {
+    for msg in tx.msg.iter() {
+        match msg.op {
+            MQTTOperation::UNSUBACK(ref unsuback) => {
+                if let Some(ref reason_codes) = unsuback.reason_codes {
+                    for rc in reason_codes.iter() {
+                        if *rc == code {
+                            return 1;
+                        }
+                    }
+                }
+            }
+            MQTTOperation::SUBACK(ref suback) => {
+                for rc in suback.qoss.iter() {
+                    if *rc == code {
+                        return 1;
+                    }
+                }
+            }
+            _ => {}
+        }
+    }
     for msg in tx.msg.iter() {
         if let MQTTOperation::UNSUBACK(ref unsuback) = msg.op {
             if let Some(ref reason_codes) = unsuback.reason_codes {

@@ -63,7 +63,7 @@ void DetectMQTTConnackSessionPresentRegister (void)
     DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
 
     DetectAppLayerInspectEngineRegister2("mqtt.connack.session_present", ALPROTO_MQTT,
-            SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
+            SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL);
 
     mqtt_connack_session_present_id = DetectBufferTypeGetByName("mqtt.connack.session_present");
 }

@@ -81,10 +81,14 @@ void DetectMQTTPublishTopicRegister(void)
     DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT,
             SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectBufferGeneric, GetData);
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0,
+            DetectEngineInspectBufferGeneric, GetData);
 
     DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT,
 	        1);
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
+            GetData, ALPROTO_MQTT, 1);
 
     DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
 

@@ -66,6 +66,8 @@ void DetectMQTTReasonCodeRegister (void)
 
     DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1,
             DetectEngineInspectGenericList, NULL);
+    DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1,
+            DetectEngineInspectGenericList, NULL);
 
     mqtt_reason_code_id = DetectBufferTypeGetByName("mqtt.reason_code");
 }

@@ -214,10 +214,14 @@ void DetectMQTTSubscribeTopicRegister (void)
     DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1,
             PrefilterMpmMQTTSubscribeTopicRegister, NULL,
             ALPROTO_MQTT, 1);
+    DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOCLIENT, 1,
+            PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1);
 
     DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic",
             ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1,
             DetectEngineInspectMQTTSubscribeTopic, NULL);
+    DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1,
+            DetectEngineInspectMQTTSubscribeTopic, NULL);
 
     DetectBufferTypeSetDescriptionByName("mqtt.subscribe.topic",
             "subscribe topic query");

@@ -57,6 +57,8 @@ void DetectMQTTTypeRegister (void)
     sigmatch_table[DETECT_AL_MQTT_TYPE].RegisterTests = MQTTTypeRegisterTests;
 #endif
 
+    DetectAppLayerInspectEngineRegister2(
+            "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL);
     DetectAppLayerInspectEngineRegister2(
             "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);