From 378b9bb55d0df898e0837335a6ed5ef2730083c0 Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss
Date: Sun, 20 Oct 2024 11:27:51 +0200
Subject: [PATCH 1/3] mqtt: add reason code support for SUBACK
Ticket: #7323
(cherry picked from commit 377d4705e15aa54ae26176822b23eec0a98bbc59)
---
 rust/src/mqtt/detect.rs | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs
index b47a84f74409..a34bc7da3906 100644
--- a/rust/src/mqtt/detect.rs
+++ b/rust/src/mqtt/detect.rs
@@ -373,6 +373,27 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_reason_code(tx: &MQTTTransaction, result
 #[no_mangle]
 pub extern "C" fn rs_mqtt_tx_unsuback_has_reason_code(tx: &MQTTTransaction, code: u8) -> u8 {
+ for msg in tx.msg.iter() {
+ match msg.op {
+ MQTTOperation::UNSUBACK(ref unsuback) => {
+ if let Some(ref reason_codes) = unsuback.reason_codes {
+ for rc in reason_codes.iter() {
+ if *rc == code {
+ return 1;
+ }
+ }
+ }
+ }
+ MQTTOperation::SUBACK(ref suback) => {
+ for rc in suback.qoss.iter() {
+ if *rc == code {
+ return 1;
+ }
+ }
+ }
+ _ => {}
+ }
+ }
 for msg in tx.msg.iter() {
 if let MQTTOperation::UNSUBACK(ref unsuback) = msg.op {
 if let Some(ref reason_codes) = unsuback.reason_codes {
From 552dea9f5bde82a05c049fa51bb07cff8e073444 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 26 Nov 2024 17:16:58 -0600
Subject: [PATCH 2/3] mqtt: double-check detection directions
Backport of commit 5d8252117f3a6643be5867c6f1f19caa316fd76d.
Ticket: 7323
---
 src/detect-mqtt-connack-sessionpresent.c | 2 +-
 src/detect-mqtt-publish-topic.c | 4 ++++
 src/detect-mqtt-reason-code.c | 2 ++
 src/detect-mqtt-subscribe-topic.c | 4 ++++
 src/detect-mqtt-type.c | 2 ++
 5 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/detect-mqtt-connack-sessionpresent.c b/src/detect-mqtt-connack-sessionpresent.c
index 7ec902f1172c..d713e6edffdf 100644
--- a/src/detect-mqtt-connack-sessionpresent.c
+++ b/src/detect-mqtt-connack-sessionpresent.c
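Review bot: In rust/src/mqtt/detect.rs, rs_mqtt_tx_unsuback_has_reason_code now walks tx.msg twice: the added `match` loop already covers `MQTTOperation::UNSUBACK`, yet the original UNSUBACK-only `for msg in tx.msg.iter()` loop is left in place directly after it. That second pass looks redundant and should be removed so the two copies of the comparison cannot drift apart; the old loop ends outside the hunk, so confirm it does nothing else first. The inner loops can also be written as `if suback.qoss.contains(&code) { return 1; }`. Because the function keeps its unsuback name while now matching SUBACK as well, it should get a doc comment stating that it returns 1 when any UNSUBACK reason code or SUBACK return code in the transaction equals the requested code, and that SUBACK values 0 to 2 are granted QoS levels rather than failures.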
@@ -63,7 +63,7 @@ void DetectMQTTConnackSessionPresentRegister (void) DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); DetectAppLayerInspectEngineRegister2("mqtt.connack.session_present", ALPROTO_MQTT, - SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); + SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL); mqtt_connack_session_present_id = DetectBufferTypeGetByName("mqtt.connack.session_present"); } diff --git a/src/detect-mqtt-publish-topic.c b/src/detect-mqtt-publish-topic.c index c03a47b5eda7..045a2b4c550c 100644 --- a/src/detect-mqtt-publish-topic.c +++ b/src/detect-mqtt-publish-topic.c @@ -81,10 +81,14 @@ void DetectMQTTPublishTopicRegister(void) DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0, + DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT, 1); + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, + GetData, ALPROTO_MQTT, 1); DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); diff --git a/src/detect-mqtt-reason-code.c b/src/detect-mqtt-reason-code.c index 085c9c047c9f..b193190849c6 100644 --- a/src/detect-mqtt-reason-code.c +++ b/src/detect-mqtt-reason-code.c @@ -66,6 +66,8 @@ void DetectMQTTReasonCodeRegister (void) DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); + DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, + DetectEngineInspectGenericList, NULL); mqtt_reason_code_id = DetectBufferTypeGetByName("mqtt.reason_code"); } diff --git a/src/detect-mqtt-subscribe-topic.c b/src/detect-mqtt-subscribe-topic.c index c2793bb13a80..7a977dddd6ad 100644 --- a/src/detect-mqtt-subscribe-topic.c 
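Review bot: `mqtt.connack.session_present` in DetectMQTTConnackSessionPresentRegister is the only keyword this patch moves from SIG_FLAG_TOSERVER to SIG_FLAG_TOCLIENT; the mqtt.publish.topic, mqtt.reason_code, mqtt.subscribe.topic and mqtt.type hunks keep TOSERVER and add a TOCLIENT registration instead, and neither the code nor the commit message says why the treatment differs. For mqtt.subscribe.topic this is the least obvious, since SUBSCRIBE is a client-sent packet. A one-line comment above each call would record the intent for signature authors, here for example `/* CONNACK is sent by the server only, so inspect to-client */`. If the other keywords get both directions because a transaction can be inspected from either side, confirm that the same reasoning does not apply to this keyword.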
+++ b/src/detect-mqtt-subscribe-topic.c @@ -214,10 +214,14 @@ void DetectMQTTSubscribeTopicRegister (void) DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1, PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1); + DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOCLIENT, 1, + PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1); DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectMQTTSubscribeTopic, NULL); + DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, + DetectEngineInspectMQTTSubscribeTopic, NULL); DetectBufferTypeSetDescriptionByName("mqtt.subscribe.topic", "subscribe topic query"); diff --git a/src/detect-mqtt-type.c b/src/detect-mqtt-type.c index 3bc7f1e4f593..fc5713a4cd0b 100644 --- a/src/detect-mqtt-type.c +++ b/src/detect-mqtt-type.c @@ -57,6 +57,8 @@ void DetectMQTTTypeRegister (void) sigmatch_table[DETECT_AL_MQTT_TYPE].RegisterTests = MQTTTypeRegisterTests; #endif + DetectAppLayerInspectEngineRegister2( + "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL); DetectAppLayerInspectEngineRegister2( "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); From 1bae7618184db4b31621fa9c929fe9e3b2d6f909 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Wed, 27 Nov 2024 16:08:05 +0100 Subject: [PATCH 3/3] mqtt: look for a reason code in all messages instead of stopping on the first message if it does not have a reason code, like conn and conn_ack Was fixed in master by big refactor 0a1062fad2ece8f900113c381147e8e8bdd1c009 --- rust/src/mqtt/detect.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index a34bc7da3906..a56e2ea22a3d 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs 
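Review bot: In DetectMQTTTypeRegister the new SIG_FLAG_TOCLIENT registration for `mqtt.type` is inserted before the existing SIG_FLAG_TOSERVER call, whereas every other hunk in this patch appends the TOCLIENT call after the TOSERVER one. Unless the order is meant to matter here, which the hunk does not indicate, place the added call after the existing one so the five registration functions read the same way.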
@@ -365,7 +365,7 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_reason_code(tx: &MQTTTransaction, result
 return 1;
 }
 }
- _ => return 0,
+ _ => {},
 }
 }
 return 0;
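Review bot: The empty catch-all arm in rs_mqtt_tx_get_reason_code now carries the whole behaviour change but has no comment; add one such as `// no reason code in this message type: keep scanning the rest of the transaction`. It is also written `_ => {},`, while the same arm added to rs_mqtt_tx_unsuback_has_reason_code in patch 1 is `_ => {}`; drop the trailing comma so both match rustfmt output. Judging from the `return 1;` visible above the arm, the function still stops at the first message that carries a reason code, so a doc comment on the function should state that only the first code found in the transaction is reported. The function starts outside the hunk, so this is inferred from the visible tail only.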