Project

General

Profile

Actions

Bug #6984

closed

mqtt: do not log non-string messages?

Added by Juliana Fajardini Reichow 6 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Noticed the lengthy log message shown for our Suricata-Verify MQTT connect rules (https://github.com/OISF/suricata-verify/tree/master/tests/mqtt-connect-rules) for
MQTT Publish message (packet 9): according to Wireshark, 35.758 bytes.

Image shows a screenshot of part of the logged message.


Files

image (4).png (177 KB) image (4).png Juliana Fajardini Reichow, 04/24/2024 07:06 PM
Actions #1

Updated by Juliana Fajardini Reichow 6 months ago

Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.

Actions #2

Updated by Sascha Steinbiss 6 months ago

Juliana Fajardini Reichow wrote in #note-1:

Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.

The payload in the screenshot is a JPEG image transferred via MQTT, like a camera would, for example.

Note that there already is a parser option (app-layer.mqtt.max-msg-length) that restricts the maximum length of a message to be processed (otherwise the message is skipped; default is 1MB). Of course this is different from logging; one might want to have a large message processed for detection but not logged in its entirety. I'd be happy to add a maximum logging threshold here in the outputs configuration for mqtt.

I can imagine that a use case of the MQTT parser is to monitor transmission patterns rather than alert on content (I'm not aware of any related attacks, at least), so I at least would rather opt for completeness of content rather than log file frugality.

Actions #3

Updated by Juliana Fajardini Reichow 6 months ago · Edited

Sascha Steinbiss wrote in #note-2:

Juliana Fajardini Reichow wrote in #note-1:

Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.

The payload in the screenshot is a JPEG image transferred via MQTT, like a camera would, for example.

Note that there already is a parser option (app-layer.mqtt.max-msg-length) that restricts the maximum length of a message to be processed (otherwise the message is skipped; default is 1MB). Of course this is different from logging; one might want to have a large message processed for detection but not logged in its entirety. I'd be happy to add a maximum logging threshold here in the outputs configuration for mqtt.

Thanks for volunteering your time! :)

I can imagine that a use case of the MQTT parser is to monitor transmission patterns rather than alert on content (I'm not aware of any related attacks, at least), so I at least would rather opt for completeness of content rather than log file frugality.

I think that it makes sense that one may want to process the whole content, but optionally limit the log output. To your point of allowed for completeness, I wonder if it would make sense to log full contents in case an alert is triggered for it. - Or if this makes things unnecessarily overly complex.

Actions #4

Updated by Sascha Steinbiss 6 months ago · Edited

OK, I'll come up with a PR.

Actions #6

Updated by Victor Julien 6 months ago

For files/binary blobs, would it make sense to use the file tracking infrastructure in suri for those?

Actions #7

Updated by Sascha Steinbiss 6 months ago

Victor Julien wrote in #note-6:

For files/binary blobs, would it make sense to use the file tracking infrastructure in suri for those?

I wouldn't think so. There is no direct notion of files or file transfer in the protocol, it's just that some payloads may happen to be data that could make sense as a standalone file. Question is, how would we detect these without the use of magic (expensive) or looking at the presence of MQTT5 properties that specify MIME types (depends on whether the sender includes that). In the latter case one would also again need to decide which of those types would be useful to extract to files.

Actions #9

Updated by Philippe Antoine 6 months ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Sascha Steinbiss
Actions #10

Updated by Sascha Steinbiss about 1 month ago

I think this can also be closed since https://github.com/OISF/suricata/pull/11454 has been merged into master?

Actions #11

Updated by Juliana Fajardini Reichow about 1 month ago · Edited

  • Status changed from In Review to Closed

Sascha Steinbiss wrote in #note-10:

I think this can also be closed since https://github.com/OISF/suricata/pull/11454 has been merged into master?

Indeed, thanks for catching this (and for working on it, in the first place!)
(As Sascha pointed out, merged with https://github.com/OISF/suricata/pull/11454)

Actions

Also available in: Atom PDF