Bug #7323

open

mqtt: wrong and missing direction for keywords

Added by Philippe Antoine 19 days ago. Updated 7 days ago.

Status: In Progress
Priority: Normal

Description

As reported https://forum.suricata.io/t/question-about-mqtt-detection/4890/3

@Sascha Steinbiss do you want to fix this?

diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs
index c7dedc7ee8..b65d70686b 100644
--- a/rust/src/mqtt/detect.rs
+++ b/rust/src/mqtt/detect.rs
@@ -1127,7 +1127,7 @@ pub unsafe extern "C" fn ScDetectMqttRegister() {
     G_MQTT_TYPE_BUFFER_ID = DetectHelperBufferRegister(
         b"mqtt.type\0".as_ptr() as *const libc::c_char,
         ALPROTO_MQTT,
-        false, // only to server
+        true,
         true,
     );

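Review bot: The changed argument in the `mqtt.type` registration is now a bare `true,` followed by a second bare `true,`, so nothing in the call says which boolean is the to-client flag and which is the to-server flag. The removed comment (`false, // only to server`) was the only hint at the argument order; please annotate both arguments, for example `true, // to client` and `true, // to server`, and add a test that matches `mqtt.type` on a server-to-client message so the new direction is covered.
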
@@ -1172,7 +1172,7 @@ pub unsafe extern "C" fn ScDetectMqttRegister() {
     G_MQTT_REASON_CODE_BUFFER_ID = DetectHelperBufferRegister(
         b"mqtt.reason_code\0".as_ptr() as *const libc::c_char,
         ALPROTO_MQTT,
-        false, // only to server
+        true, // only to client
         true,
     );
     let kw = SCSigTableElmt {
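
Review bot: The new comment `// only to client` on the changed argument of the `mqtt.reason_code` registration contradicts the call, because the next argument is still `true`, the same value it had when the old comment read `only to server`. If `mqtt.reason_code` should be inspected only in the to-client direction, the second boolean has to become `false`; if both directions are intended, drop "only" from the comment and label each argument. The SUBACK case that the description says is missing for reason code is not touched by this hunk and needs a separate change.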

This allows having more alerts for the SV test about unsub.

Also, the SUBACK case seems to be missing for reason code.


Files

mqtt5_pub_jpeg_connack134.pcap (36.4 KB), Pcap with C, Sascha Steinbiss, 10/20/2024 12:45 AM

Subtasks 1 (1 open, 0 closed)

Bug #7324: mqtt: wrong and missing direction for keywords (7.0.x backport), Assigned, Sascha Steinbiss