Some questions about mqtt

Suricata.yaml file has been configured: start mqtt protocol parsing and mqtt protocol log.

Find a pcap package of mqtt, write a test rule, hit it and generate an alarm.

However, when checking eve.json, I find that there are no mqtt events. Why? Obviously, the mqtt configuration has been configured and an alarm has been generated. We also found some rule fields about mqtt, such as mqtt.protocol_version, mqtt.type and other fields can not make the written rules hit. Please refer to the instructions on the official website. After many tests, no alarm can be generated. If these fields are used.
mqtt1.pcap (1.8 KB)

Hi, first of all please don’t post ET Pro rules publicly, they’re not for free. I removed the picture from your post. You can repost your dedicated rule again.

1 Like

Your pcap file is missing the connection setup so add

  midstream: true

You’ll see the mqtt event types in the log once you enable this config option.


so sorry! I’ll pay attention next time.

Hello, I set midstream to true and there are still no mqtt events

Those are different results than what I get.

I’ve used your pcap with Suricata 6.0.4 and Suricata 7 (not yet released) and started Suricata with

suricata -c suricata.yaml -l /tmp/ll -r ~/pcap/mqtt1.pcap  --set stream.midstream=true

I always get MQTT log events in /tmp/ll/eve.json.

When --set stream.midstream=false, there are no MQTT logs.

How are you setting stream.midstream=true?

You can also add this setting to your suricata.yaml configuration file as I showed earlier.

I use suricata.yaml to configure midstream, but this configuration method does not take effect. Then I try to set it by command. There are mqtt events in the output log.

The version of Suricata is 6.0.1

Sounds like things are working and you’re now getting MQTT events.

Note that Suricata can reload rules and rule variables but cannot reload configuration changes – configuration changes require Suricata to be restarted.

First of all, thank you very much for helping me solve the problem!

But what I wonder is Why doesn’t suricata.yaml configure midstream take effect, but the command is valid? I passed the following command

  • suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/xmr.rules -r /home/kali/pcap/mqtt1.pcap -l /home/kali/pcap -k none

I’d guess that the configuration file was incorrect? If you upload or DM your config file, I’ll take a look.