mqtt.type:PUBLISH does not work as expected

I have a simple rule that I want to trigger on MQTT publish messages, and it does not work as expected:

alert mqtt any any -> $HOME_NET any (msg:"Test MQTT."; mqtt.type:PUBLISH; reference:cve,test; classtype:test-activity; sid:1810100; rev:1; metadata:affected_protocol MQTT, attack_target Eclipse Mosquitto, deployment Perimeter;)

The pcap that I used includes several publish messages, and I would expect multiple alerts to be triggered; however, I get no alerts. If I remove mqtt.type:PUBLISH, all MQTT protocol packets are recognized. Am I missing something here? I am attaching an image of the pcap, and I can send the pcap if someone is interested in replicating the error. Thanks!

I am using Suricata v6.0.4.

As I can see in Wireshark, both source and destination are in the 192.168.1.0/24 CIDR, and the rule that you posted uses the $HOME_NET variable.

Can you post the value of HOME_NET from suricata.yaml?
Moreover, if you enable MQTT protocol events (not alerts), do you see the events you wanted to detect with the rule there?

Thanks for the response! The $HOME_NET var value is: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

I have 427 MQTT events detected:

[
    {
        "timestamp": "2022-11-07T15:56:10.042966+0000",
        "event_type": "stats",
        "stats": {
            "uptime": 1,
            "decoder": {
                "pkts": 2546,
                "bytes": 349200,
                "invalid": 0,
                "ipv4": 1903,
                "ipv6": 223,
                "ethernet": 2546,
                "chdlc": 0,
                "raw": 0,
                "null": 0,
                "sll": 0,
                "tcp": 1451,
                "udp": 620,
                "sctp": 0,
                "icmpv4": 14,
                "icmpv6": 25,
                "ppp": 0,
                "pppoe": 0,
                "geneve": 0,
                "gre": 0,
                "vlan": 1,
                "vlan_qinq": 0,
                "vxlan": 0,
                "vntag": 0,
                "ieee8021ah": 0,
                "teredo": 0,
                "ipv4_in_ipv6": 0,
                "ipv6_in_ipv6": 0,
                "mpls": 0,
                "avg_pkt_size": 137,
                "max_pkt_size": 11650,
                "max_mac_addrs_src": 0,
                "max_mac_addrs_dst": 0,
                "erspan": 0,
                "event": {
                    "ipv4": {
                        "pkt_too_small": 0,
                        "hlen_too_small": 0,
                        "iplen_smaller_than_hlen": 0,
                        "trunc_pkt": 0,
                        "opt_invalid": 0,
                        "opt_invalid_len": 0,
                        "opt_malformed": 0,
                        "opt_pad_required": 16,
                        "opt_eol_required": 0,
                        "opt_duplicate": 0,
                        "opt_unknown": 0,
                        "wrong_ip_version": 0,
                        "icmpv6": 0,
                        "frag_pkt_too_large": 0,
                        "frag_overlap": 0,
                        "frag_ignored": 0
                    },
                    "icmpv4": {
                        "pkt_too_small": 0,
                        "unknown_type": 0,
                        "unknown_code": 0,
                        "ipv4_trunc_pkt": 0,
                        "ipv4_unknown_ver": 0
                    },
                    "icmpv6": {
                        "unknown_type": 0,
                        "unknown_code": 0,
                        "pkt_too_small": 0,
                        "ipv6_unknown_version": 0,
                        "ipv6_trunc_pkt": 0,
                        "mld_message_with_invalid_hl": 0,
                        "unassigned_type": 0,
                        "experimentation_type": 0
                    },
                    "ipv6": {
                        "pkt_too_small": 0,
                        "trunc_pkt": 0,
                        "trunc_exthdr": 0,
                        "exthdr_dupl_fh": 0,
                        "exthdr_useless_fh": 0,
                        "exthdr_dupl_rh": 0,
                        "exthdr_dupl_hh": 0,
                        "exthdr_dupl_dh": 0,
                        "exthdr_dupl_ah": 0,
                        "exthdr_dupl_eh": 0,
                        "exthdr_invalid_optlen": 0,
                        "wrong_ip_version": 0,
                        "exthdr_ah_res_not_null": 0,
                        "hopopts_unknown_opt": 0,
                        "hopopts_only_padding": 0,
                        "dstopts_unknown_opt": 0,
                        "dstopts_only_padding": 0,
                        "rh_type_0": 0,
                        "zero_len_padn": 22,
                        "fh_non_zero_reserved_field": 0,
                        "data_after_none_header": 0,
                        "unknown_next_header": 0,
                        "icmpv4": 0,
                        "frag_pkt_too_large": 0,
                        "frag_overlap": 0,
                        "frag_invalid_length": 0,
                        "frag_ignored": 0,
                        "ipv4_in_ipv6_too_small": 0,
                        "ipv4_in_ipv6_wrong_version": 0,
                        "ipv6_in_ipv6_too_small": 0,
                        "ipv6_in_ipv6_wrong_version": 0
                    },
                    "tcp": {
                        "pkt_too_small": 0,
                        "hlen_too_small": 0,
                        "invalid_optlen": 0,
                        "opt_invalid_len": 0,
                        "opt_duplicate": 0
                    },
                    "udp": {
                        "pkt_too_small": 0,
                        "hlen_too_small": 0,
                        "hlen_invalid": 0
                    },
                    "sll": {
                        "pkt_too_small": 0
                    },
                    "ethernet": {
                        "pkt_too_small": 0
                    },
                    "ppp": {
                        "pkt_too_small": 0,
                        "vju_pkt_too_small": 0,
                        "ip4_pkt_too_small": 0,
                        "ip6_pkt_too_small": 0,
                        "wrong_type": 0,
                        "unsup_proto": 0
                    },
                    "pppoe": {
                        "pkt_too_small": 0,
                        "wrong_code": 0,
                        "malformed_tags": 0
                    },
                    "gre": {
                        "pkt_too_small": 0,
                        "wrong_version": 0,
                        "version0_recur": 0,
                        "version0_flags": 0,
                        "version0_hdr_too_big": 0,
                        "version0_malformed_sre_hdr": 0,
                        "version1_chksum": 0,
                        "version1_route": 0,
                        "version1_ssr": 0,
                        "version1_recur": 0,
                        "version1_flags": 0,
                        "version1_no_key": 0,
                        "version1_wrong_protocol": 0,
                        "version1_malformed_sre_hdr": 0,
                        "version1_hdr_too_big": 0
                    },
                    "vlan": {
                        "header_too_small": 0,
                        "unknown_type": 0,
                        "too_many_layers": 0
                    },
                    "ieee8021ah": {
                        "header_too_small": 0
                    },
                    "vntag": {
                        "header_too_small": 0,
                        "unknown_type": 0
                    },
                    "ipraw": {
                        "invalid_ip_version": 0
                    },
                    "ltnull": {
                        "pkt_too_small": 0,
                        "unsupported_type": 0
                    },
                    "sctp": {
                        "pkt_too_small": 0
                    },
                    "mpls": {
                        "header_too_small": 0,
                        "pkt_too_small": 0,
                        "bad_label_router_alert": 0,
                        "bad_label_implicit_null": 0,
                        "bad_label_reserved": 0,
                        "unknown_payload_type": 0
                    },
                    "vxlan": {
                        "unknown_payload_type": 0
                    },
                    "geneve": {
                        "unknown_payload_type": 0
                    },
                    "erspan": {
                        "header_too_small": 0,
                        "unsupported_version": 0,
                        "too_many_vlan_layers": 0
                    },
                    "dce": {
                        "pkt_too_small": 0
                    },
                    "chdlc": {
                        "pkt_too_small": 0
                    }
                },
                "too_many_layers": 0
            },
            "flow": {
                "memcap": 0,
                "tcp": 7,
                "udp": 147,
                "icmpv4": 1,
                "icmpv6": 25,
                "tcp_reuse": 0,
                "get_used": 0,
                "get_used_eval": 0,
                "get_used_eval_reject": 0,
                "get_used_eval_busy": 0,
                "get_used_failed": 0,
                "wrk": {
                    "spare_sync_avg": 100,
                    "spare_sync": 6,
                    "spare_sync_incomplete": 0,
                    "spare_sync_empty": 0,
                    "flows_evicted_needs_work": 2,
                    "flows_evicted_pkt_inject": 4,
                    "flows_evicted": 46,
                    "flows_injected": 2
                },
                "mgr": {
                    "full_hash_pass": 1,
                    "closed_pruned": 0,
                    "new_pruned": 0,
                    "est_pruned": 0,
                    "bypassed_pruned": 0,
                    "rows_maxlen": 1,
                    "flows_checked": 84,
                    "flows_notimeout": 84,
                    "flows_timeout": 0,
                    "flows_timeout_inuse": 0,
                    "flows_evicted": 0,
                    "flows_evicted_needs_work": 0
                },
                "spare": 9400,
                "emerg_mode_entered": 0,
                "emerg_mode_over": 0,
                "memuse": 7394304
            },
            "defrag": {
                "ipv4": {
                    "fragments": 0,
                    "reassembled": 0,
                    "timeouts": 0
                },
                "ipv6": {
                    "fragments": 0,
                    "reassembled": 0,
                    "timeouts": 0
                },
                "max_frag_hits": 0
            },
            "flow_bypassed": {
                "local_pkts": 0,
                "local_bytes": 0,
                "local_capture_pkts": 0,
                "local_capture_bytes": 0,
                "closed": 0,
                "pkts": 0,
                "bytes": 0
            },
            "tcp": {
                "sessions": 2,
                "ssn_memcap_drop": 0,
                "pseudo": 0,
                "pseudo_failed": 0,
                "invalid_checksum": 0,
                "no_flow": 0,
                "syn": 2,
                "synack": 2,
                "rst": 0,
                "midstream_pickups": 0,
                "pkt_on_wrong_thread": 0,
                "segment_memcap_drop": 0,
                "stream_depth_reached": 0,
                "reassembly_gap": 0,
                "overlap": 0,
                "overlap_diff_data": 0,
                "insert_data_normal_fail": 0,
                "insert_data_overlap_fail": 0,
                "insert_list_fail": 0,
                "memuse": 3637248,
                "reassembly_memuse": 589824
            },
            "detect": {
                "engines": [
                    {
                        "id": 0,
                        "last_reload": "2022-11-07T15:56:09.997971+0000",
                        "rules_loaded": 1,
                        "rules_failed": 0
                    }
                ],
                "alert": 0
            },
            "app_layer": {
                "flow": {
                    "http": 0,
                    "ftp": 0,
                    "smtp": 0,
                    "tls": 0,
                    "ssh": 0,
                    "imap": 0,
                    "smb": 0,
                    "dcerpc_tcp": 0,
                    "dns_tcp": 0,
                    "nfs_tcp": 0,
                    "ntp": 0,
                    "ftp-data": 0,
                    "tftp": 0,
                    "ikev2": 0,
                    "krb5_tcp": 0,
                    "dhcp": 0,
                    "snmp": 0,
                    "sip": 0,
                    "rfb": 0,
                    "mqtt": 2,
                    "rdp": 0,
                    "http2": 0,
                    "failed_tcp": 0,
                    "dcerpc_udp": 0,
                    "dns_udp": 0,
                    "nfs_udp": 0,
                    "krb5_udp": 0,
                    "failed_udp": 147
                },
                "tx": {
                    "http": 0,
                    "ftp": 0,
                    "smtp": 0,
                    "tls": 0,
                    "ssh": 0,
                    "imap": 0,
                    "smb": 0,
                    "dcerpc_tcp": 0,
                    "dns_tcp": 0,
                    "nfs_tcp": 0,
                    "ntp": 0,
                    "ftp-data": 0,
                    "tftp": 0,
                    "ikev2": 0,
                    "krb5_tcp": 0,
                    "dhcp": 0,
                    "snmp": 0,
                    "sip": 0,
                    "rfb": 0,
                    "mqtt": 427,
                    "rdp": 0,
                    "http2": 0,
                    "dcerpc_udp": 0,
                    "dns_udp": 0,
                    "nfs_udp": 0,
                    "krb5_udp": 0
                },
                "expectations": 0
            },
            "http": {
                "memuse": 0,
                "memcap": 0
            },
            "ftp": {
                "memuse": 0,
                "memcap": 0
            },
            "file_store": {
                "open_files": 0
            }
        }
    }
]

HOME_NET does not seem to be the issue.
Can you try to enable the MQTT protocol event output and verify that the expected metadata is extracted (e.g. that mqtt.type is publish)?

What you have shared are the stats; what I am trying to find out is whether Suricata is actually detecting MQTT protocol events correctly in general (outside of alerts).

To do this, go to suricata.yaml and update the EVE output section to include the mqtt event type (in addition to alert and stats).

If everything is OK, you will see MQTT protocol transactions extracted with their different fields (e.g. message type); then you can compare them with Wireshark.

More info: 15.1.2. Eve JSON Format — Suricata 6.0.0 documentation

Thank you for the responses. This helps. However, I am still baffled why the alert is not detecting publish messages, even though publish events are showing up. For brevity I am not pasting all events, just an example. I found this publish event:

{"timestamp":"2022-10-24T20:06:14.757375+0000","flow_id":319566767927315,"pcap_cnt":1605,"event_type":"mqtt","src_ip":"192.168.1.222","src_port":1883,"dest_ip":"192.168.1.147","dest_port":56106,"proto":"TCP","mqtt":{"publish":{"qos":0,"retain":false,"dup":false,"topic":"$SYS/broker/uptime","message":"4257 seconds"}}}

and its corresponding packet:

It seems the event has a publish label; however, the simple alert is not triggered.
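One way to do the comparison suggested above (tally the MQTT events Suricata emits, then line them up with the alerts), as an added example that is not part of the original thread and not Suricata's own tooling: a small Python script that reads newline-delimited eve.json, counts MQTT events by control-packet type and direction, and lists the flows that carry a publish but never produced an alert for the rule's sid. The EVE lines embedded below are constructed for the example (the $SYS/broker/uptime event copies the shape of the one quoted above; the other flow and its alert are invented); the broker port 1883 and the `MQTT_PORT` / `parse_eve` / `check_publish_alerts` names are assumptions of this example. For the mqtt events to exist at all, `- mqtt` has to be listed under the eve-log `types:` in suricata.yaml.

```python
import json
import sys
from collections import Counter

# Assumption: the broker listens on the standard MQTT port; change to match the pcap.
MQTT_PORT = 1883

# Constructed sample eve.json lines (not taken from the original poster's pcap).
# Only the top-level shape matters: an "mqtt" event carries one key naming the
# control-packet type, and an "alert" event carries alert.signature_id.
SAMPLE_EVE = """\
{"timestamp":"2022-10-24T20:06:10.000000+0000","flow_id":319566767927315,"event_type":"mqtt","src_ip":"192.168.1.147","src_port":56106,"dest_ip":"192.168.1.222","dest_port":1883,"proto":"TCP","mqtt":{"connect":{"protocol_string":"MQTT","protocol_version":4,"client_id":"demo"}}}
{"timestamp":"2022-10-24T20:06:10.001000+0000","flow_id":319566767927315,"event_type":"mqtt","src_ip":"192.168.1.222","src_port":1883,"dest_ip":"192.168.1.147","dest_port":56106,"proto":"TCP","mqtt":{"connack":{"session_present":false,"return_code":0}}}
{"timestamp":"2022-10-24T20:06:10.002000+0000","flow_id":319566767927315,"event_type":"mqtt","src_ip":"192.168.1.147","src_port":56106,"dest_ip":"192.168.1.222","dest_port":1883,"proto":"TCP","mqtt":{"subscribe":{"message_id":1,"topics":[{"topic":"$SYS/#","qos":0}]}}}
{"timestamp":"2022-10-24T20:06:14.757375+0000","flow_id":319566767927315,"event_type":"mqtt","src_ip":"192.168.1.222","src_port":1883,"dest_ip":"192.168.1.147","dest_port":56106,"proto":"TCP","mqtt":{"publish":{"qos":0,"retain":false,"dup":false,"topic":"$SYS/broker/uptime","message":"4257 seconds"}}}
{"timestamp":"2022-10-24T20:06:15.000000+0000","flow_id":2,"event_type":"mqtt","src_ip":"192.168.1.147","src_port":56110,"dest_ip":"192.168.1.222","dest_port":1883,"proto":"TCP","mqtt":{"publish":{"qos":1,"retain":false,"dup":false,"topic":"sensors/temp","message_id":2,"message":"21.5"}}}
{"timestamp":"2022-10-24T20:06:15.000500+0000","flow_id":2,"event_type":"alert","src_ip":"192.168.1.147","src_port":56110,"dest_ip":"192.168.1.222","dest_port":1883,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1810100,"rev":1,"signature":"Test MQTT.","category":"test-activity","severity":3}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated last line is common when tailing a live log
    return events


def mqtt_type(event):
    """Return the control-packet type ('publish', 'connect', ...) of an mqtt event, else None."""
    if event.get("event_type") != "mqtt":
        return None
    body = event.get("mqtt", {})
    keys = [k for k, v in body.items() if isinstance(v, dict)]
    return keys[0] if keys else None


def direction(event):
    """Heuristic: traffic addressed to the broker port is to-server, the rest to-client."""
    return "toserver" if event.get("dest_port") == MQTT_PORT else "toclient"


def summarize(events):
    """Count mqtt events per type, and per (type, direction)."""
    by_type, by_type_dir = Counter(), Counter()
    for ev in events:
        t = mqtt_type(ev)
        if t is None:
            continue
        by_type[t] += 1
        by_type_dir[(t, direction(ev))] += 1
    return by_type, by_type_dir


def check_publish_alerts(events, sid):
    """Line up publish events against alerts for `sid`; report flows with a publish but no alert."""
    publishes = [e for e in events if mqtt_type(e) == "publish"]
    alerts = [e for e in events
              if e.get("event_type") == "alert"
              and e.get("alert", {}).get("signature_id") == sid]
    pub_flows = {e["flow_id"] for e in publishes}
    alert_flows = {e["flow_id"] for e in alerts}
    return {
        "publish_events": len(publishes),
        "alerts": len(alerts),
        "flows_with_publish": len(pub_flows),
        "flows_with_alert": len(alert_flows),
        "flows_missing_alert": sorted(pub_flows - alert_flows),
    }


def main(argv):
    # Usage: python eve_mqtt_check.py [/var/log/suricata/eve.json]
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_EVE
    events = parse_eve(text)
    by_type, by_dir = summarize(events)
    for t, n in sorted(by_type.items()):
        print(f"{t:10s} {n:5d}  toserver={by_dir[(t, 'toserver')]:<4d} toclient={by_dir[(t, 'toclient')]}")
    print(check_publish_alerts(events, 1810100))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the publish-to-client flow (the $SYS uptime message from the broker) is reported under `flows_missing_alert`, while the client-to-broker publish has a matching alert. That split is only a diagnostic view of the data: whether the real pcap shows the same pattern, and why, is exactly what has to be checked against the eve.json from the poster's run.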

This is indeed confusing. I suggest trying the latest version of Suricata; if that doesn't work, maybe open a ticket and attach the pcap.

It could be that the MQTT protocol version implemented in Suricata is different from the one you use.