Some questions about mqtt

YukkioII · November 24, 2021, 7:32am

Suricata.yaml file has been configured: start mqtt protocol parsing and mqtt protocol log.

Find a pcap package of mqtt, write a test rule, hit it and generate an alarm.

However, when checking eve.json, I find that there are no mqtt events. Why? Obviously, the mqtt configuration has been configured and an alarm has been generated. We also found some rule fields about mqtt, such as mqtt.protocol_version, mqtt.type and other fields can not make the written rules hit. Please refer to the instructions on the official website. After many tests, no alarm can be generated. If these fields are used.
mqtt1.pcap (1.8 KB)

Andreas_Herz · November 27, 2021, 11:37pm

Hi, first of all please don’t post ET Pro rules publicly, they’re not for free. I removed the picture from your post. You can repost your dedicated rule again.

Jeff_Lucovsky · November 28, 2021, 4:06pm

Hi,
Your pcap file is missing the connection setup so add

stream:
  midstream: true

You’ll see the mqtt event types in the log once you enable this config option.

YukkioII · December 22, 2021, 6:56am

so sorry! I’ll pay attention next time.

YukkioII · December 22, 2021, 7:53am

Hello, I set midstream to true and there are still no mqtt events

Jeff_Lucovsky · December 23, 2021, 2:09pm

Hi,
Those are different results than what I get.

I’ve used your pcap with Suricata 6.0.4 and Suricata 7 (not yet released) and started Suricata with

suricata -c suricata.yaml -l /tmp/ll -r ~/pcap/mqtt1.pcap  --set stream.midstream=true

I always get MQTT log events in /tmp/ll/eve.json.

When --set stream.midstream=false, there are no MQTT logs.

How are you setting stream.midstream=true?

You can also add this setting to your suricata.yaml configuration file as I showed earlier.

YukkioII · December 24, 2021, 7:49am

I use suricata.yaml to configure midstream, but this configuration method does not take effect. Then I try to set it by command. There are mqtt events in the output log.

The version of Suricata is 6.0.1

Jeff_Lucovsky · December 26, 2021, 1:08pm

Sounds like things are working and you’re now getting MQTT events.

Note that Suricata can reload rules and rule variables but cannot reload configuration changes – configuration changes require Suricata to be restarted.

YukkioII · December 27, 2021, 3:54am

First of all, thank you very much for helping me solve the problem!

But what I wonder is Why doesn’t suricata.yaml configure midstream take effect, but the command is valid? I passed the following command

suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/xmr.rules -r /home/kali/pcap/mqtt1.pcap -l /home/kali/pcap -k none

Jeff_Lucovsky · December 27, 2021, 1:06pm

I’d guess that the configuration file was incorrect? If you upload or DM your config file, I’ll take a look.

Topic		Replies	Views
mqtt.type:PUBLISH does not work as expected Rules suricata	5	552	November 7, 2022
Some match bypass? Rules rules	27	1959	September 17, 2021
Eve.json only shows "event_type":"flow" Help	7	1594	October 22, 2020
Can I use a Suricata IDS alert to trigger some python code? Help	6	1885	July 18, 2020
Use suricata to replay pcap file without any output Help	4	676	August 4, 2021

Some questions about mqtt

Related topics