Question about mqtt detection

Hi all,
I have a problem with MQTT detection. The keywords are mqtt.reason_code and unsubscribe topic. I added some debug logging and found that reason_code detection cannot capture packets that contain the reason code field. detect-mqtt-reason-code shows that Suricata registers the to_server direction to detect reason_code, but I found that packets containing reason_code are usually in the to_client direction.

Another question is about unsubscribe topic, which does not work.

The rules are:

alert mqtt any any -> any any (msg:"MQTT unsubscribe topic "; mqtt.unsubscribe.topic; content:"testtopic"; classtype:misc-attack; sid:5000136; rev:1;)

alert mqtt any any -> any any (msg:"MQTT reason code "; mqtt.type:CONNACK; mqtt.reason_code:134; classtype:misc-attack; sid:5000126; rev:1;)

Version: 6.0.3
OS: Linux 5.4.86
Installed from source

I do need some advice. Thanks a lot.

Thanks for the input. For both cases, could you please provide some pcaps with example MQTT traffic, expected output and actual output for further debugging so we can reproduce your issue?
Please also include information about how you are running Suricata (command line parameters, etc.). Thanks!

@satta this looks like a bug indeed, cf. SV test mqtt-sub-rules not testing sid 16

Created Bug #7323: mqtt: wrong and missing direction for keywords - Suricata - Open Information Security Foundation

Thanks, will look into it
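
The direction question raised in this thread, as an added example that is not part of any post here and is not Suricata's code: a minimal MQTT 5 decoder showing which side sends each packet type and where the fields matched by the two rules sit. The to_server/to_client labels assume the client opened the connection, the UNSUBSCRIBE parsing assumes MQTT 5 (a properties field precedes the topics), and the sample bytes are constructed.

```python
# MQTT 5 control packet types and the side that sends each one.
TYPES = {1: ("CONNECT", "to_server"), 2: ("CONNACK", "to_client"),
         3: ("PUBLISH", "both"), 4: ("PUBACK", "both"), 5: ("PUBREC", "both"),
         6: ("PUBREL", "both"), 7: ("PUBCOMP", "both"),
         8: ("SUBSCRIBE", "to_server"), 9: ("SUBACK", "to_client"),
         10: ("UNSUBSCRIBE", "to_server"), 11: ("UNSUBACK", "to_client"),
         12: ("PINGREQ", "to_server"), 13: ("PINGRESP", "to_client"),
         14: ("DISCONNECT", "both"), 15: ("AUTH", "both")}


def read_varint(buf, pos):
    """Decode an MQTT variable byte integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 21:
            raise ValueError("truncated or malformed variable byte integer")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def summarize(packet):
    """Return type, sender direction, and reason code / topics if present."""
    if len(packet) < 2:
        raise ValueError("too short for an MQTT fixed header")
    name, direction = TYPES.get(packet[0] >> 4, ("RESERVED", "none"))
    remaining, pos = read_varint(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    out = {"type": name, "direction": direction, "reason_code": None, "topics": []}
    if name == "CONNACK" and len(body) >= 2:
        out["reason_code"] = body[1]         # body[0] holds the acknowledge flags
    elif name == "UNSUBSCRIBE":
        props_len, i = read_varint(body, 2)  # body[0:2] is the packet identifier
        i += props_len                       # skip the MQTT 5 properties
        while i + 2 <= len(body):            # each topic: 2-byte length + UTF-8
            n = int.from_bytes(body[i:i + 2], "big")
            out["topics"].append(body[i + 2:i + 2 + n].decode("utf-8", "replace"))
            i += 2 + n
    return out


# Constructed sample packets (hand-built, not taken from a capture).
CONNACK_134 = bytes.fromhex("2003008600")
UNSUBSCRIBE_TESTTOPIC = bytes.fromhex("a20e0001000009") + b"testtopic"
```

Here the CONNACK carrying reason code 134 is a to_client packet, while the UNSUBSCRIBE carrying testtopic is a to_server packet.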