From 05541f7282375a18ec99f0f6fb1f1486bfb9ef01 Mon Sep 17 00:00:00 2001
From: Haleema Khan
Date: Fri, 13 Jan 2023 17:28:50 +0500
Subject: [PATCH 1/2] mqtt: test mqtt frames

---
 tests/mqtt-frames/README.md | 11 ++++++++
 tests/mqtt-frames/test.rules | 11 ++++++++
 tests/mqtt-frames/test.yaml | 54 ++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 tests/mqtt-frames/README.md
 create mode 100644 tests/mqtt-frames/test.rules
 create mode 100644 tests/mqtt-frames/test.yaml

diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..4ebd816ed
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..f3b053b3d
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
\ No newline at end of file
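Review bot: Rules sid:5 and sid:6 carry no comment saying why they are expected not to fire, yet test.yaml pins both to count: 0, so a reader cannot tell whether a future match would be a regression or a fix; the second patch's test.rules comments its pre/at/post-boundary rules but leaves the same two rules bare. A one-line comment above sid:5 such as `# negative checks: these byte sequences are present in the traffic but presumably lie outside the MQTT pdu frame, so frame:pdu must not match them (confirm offsets against the pcap)` would make the intent explicit in both files. sid:3 restricts with flow:to_server while sid:4 does not; if `|20|` is the CONNACK fixed-header byte sent by the broker, `flow:to_client` on sid:4 would keep the pair symmetric and stop it matching any later server frame that merely starts with 0x20. Both rules files also end without a trailing newline.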
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..85ad1e2c2
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,54 @@
+pcap: ../mqtt5-pub-userpass/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+ frame.length: 49
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+ frame.type: "data"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+ frame.type: "data"
+ frame.complete: true
\ No newline at end of file
From c2b5cca2333e70e434a03f5d3c2bc5b8a6b361f8 Mon Sep 17 00:00:00 2001
From: Haleema Khan
Date: Fri, 3 Feb 2023 19:29:03 +0500
Subject: [PATCH 2/2] mqtt: test mqtt frames for truncated messages

---
 tests/mqtt-frames-truncated/README.md | 11 +++++
 tests/mqtt-frames-truncated/input.pcap | Bin 0 -> 699 bytes
 tests/mqtt-frames-truncated/suricata.yaml | 18 ++++++++
 tests/mqtt-frames-truncated/test.rules | 17 ++++++++
 tests/mqtt-frames-truncated/test.yaml | 51 +++++++++++++++++++++++
 5 files changed, 97 insertions(+)
 create mode 100644 tests/mqtt-frames-truncated/README.md
 create mode 100644 tests/mqtt-frames-truncated/input.pcap
 create mode 100644 tests/mqtt-frames-truncated/suricata.yaml
 create mode 100644 tests/mqtt-frames-truncated/test.rules
 create mode 100644 tests/mqtt-frames-truncated/test.yaml

diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
new file mode 100644
index 000000000..453e33df7
--- /dev/null
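Review bot: The count: 0 checks for sid 5 and sid 6 pass equally well when the rule never loads (a rule parse error, or a keyword unsupported by the build under test), so on their own they do not prove that frame:pdu excludes those bytes; the `requires: min-version: 7` guard narrows this but does not rule out a load failure. Consider pairing them with a positive assertion that the ruleset loaded, if the harness supports a stats-style check, or with a positive counterpart that matches the same content on a frame that does contain it, so the negative expectation is anchored. The sid 1 check is the only positive check that omits `frame.complete: true`; adding it keeps the frame assertions uniform. The file also ends without a trailing newline.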
+++ b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP was shared by Sascha Steinbiss and was generated by setting up a Mosquitto server and recording communication between `mosquitto_sub` client and `local_broker` via a script.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/input.pcap b/tests/mqtt-frames-truncated/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1ac1c2ac42ffe98cfe707e532df9c4b55970c8ef
GIT binary patch literal 699 zcmca|c+)~A1{MYcU}0bca?%u;Q{K99GI#;mAdCz+7+e_`Y;@N;FgURB^VTykFoN)T z3-)OFH^2XaR4!opfBl~U0|OJw|LZJF99)6@k;Nc!MrLMqkjdii_)KPC0GVvF3uZEV z^m&Va{+}NLP5-w*=>KUnlS@FR!%VgTn(PF$351aW*v%%o>%eXnftd_-^FN^Jj~WD+ z82)Jh-N*=bFUZsqkXw%fO-uk91;WSxY+{h^dXR~HU$L4f0W{GK)kFaq1{UAIkPy~G z3^vS)3?e`iSxSpjix^l65{rvL_C3ezgV_5Z`|dr0*#`}qNAhp}$l&t9Tu)AhN}xp` zj10g&$c}vgHgOeJ6G1+RNA-b%DFcI%5(AeIgJxoBNxrV3xskD%v8A!Dlc}+hu7R any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 1c|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|14|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|10 1c|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+# pre-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|0a|"; sid:7;)
+
+# At boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 04 4d 51 54 54 05|"; sid:8;)
+
+# post-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 9"; frame:data; content:"|c1 90 34|"; sid:9;)
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
new file mode 100644
index 000000000..9c2048713
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.yaml
@@ -0,0 +1,51 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 9
\ No newline at end of file
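Review bot: The checks for sid 7 and sid 8 assert only the alert count, not `frame.type` or `frame.complete`, although this test exists to cover frames on truncated messages (msg_len > max_msg_size per the README), so the property under test is never pinned. Add `frame.type: "data"` and the expected `frame.complete` value to both (presumably false for the truncated PDU — confirm against the EVE output), plus `frame.length` where it is deterministic, as the first patch's test.yaml does for its sids 7 and 8. The sid 1 check likewise dropped the `frame.length` assertion that the earlier test carries; if the truncated pdu frame has a stable length it is worth pinning here too. The file has no `pcap:` key, which works only because the harness presumably falls back to input.pcap in the test directory; a short comment stating that would save the next reader a lookup.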