Mqtt rust keywords 4863 v1 #11316
So that MQTTTypeCode::CONNECT does not become c_o_n_n_e_c_t
As needed for MQTTTypeCode, which accepts both CONNECT uppercase and unassigned lowercase, for easier later matching
Ticket: 4863. On the way, convert some keywords to use the first-class integer support, and import in pure Rust the support for multi-buffer.
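One way to implement the transform_name behaviour the commit message describes (acronyms such as CONNECT or SAMECASE stay whole instead of becoming c_o_n_n_e_c_t), as an added Rust example that is not the PR's own implementation; the boundary heuristic is my assumption, not the project's.

```rust
// Constructed example, not the PR's implementation: CamelCase -> snake_case that
// keeps all-uppercase names (CONNECT, SAMECASE) whole instead of splitting each letter.
pub fn transform_name(name: &str) -> String {
    let chars: Vec<char> = name.chars().collect();
    let mut out = String::with_capacity(name.len() + 4);
    for (i, &c) in chars.iter().enumerate() {
        if i > 0 && c.is_ascii_uppercase() {
            let prev = chars[i - 1];
            let next_is_lower = chars.get(i + 1).map_or(false, |n| n.is_ascii_lowercase());
            // Word boundary before an uppercase letter when the previous char ends a
            // lowercase/digit run, or when an acronym is followed by a new word
            // ("MQTTType" -> "mqtt_type"); inside an acronym no underscore is added.
            if prev.is_ascii_lowercase()
                || prev.is_ascii_digit()
                || (prev.is_ascii_uppercase() && next_is_lower)
            {
                out.push('_');
            }
        }
        out.push(c.to_ascii_lowercase());
    }
    out
}
```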
| transform_name("UnassignedMsgType"), | ||
| "unassigned_msg_type".to_string() | ||
| ); | ||
| assert_eq!(transform_name("SAMECASE"), "samecase".to_string()); |
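Review bot: the two assertions cover a plain camel-case name and an all-uppercase one, but not the shape the commit message itself motivates, an acronym followed by a word as in MQTTTypeCode; add an assertion of that form so the boundary rule after an all-caps run is pinned down by the test and not only by the current implementation.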
|
|
||
| Match on the numeric value of the reason code that is used in MQTT 5.0 for some message types. Please refer to the specification for the meaning of these values, which are often specific to the message type in question. | ||
|
|
||
| mqtt.reason_code uses an :ref:`unsigned 8-bits integer <rules-integer-keywords>`. |
We can now use all the operators
|
|
||
| Match on a combination of MQTT CONNECT flags, separated by commas (``,``). Flags may be prefixed by ``!`` to indicate negation, i.e. a flag prefixed by ``!`` must `not` be set to match. | ||
|
|
||
| mqtt.connect.flags uses an :ref:`unsigned 8-bits integer <rules-integer-keywords>` |
We can now match on the unassigned bit and the qos 2 bits if we want
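The mqtt.connect.flags semantics quoted in the docs hunk above (comma-separated flags, `!` for negation), together with the raw-bit checks the integer form of the keyword allows, as an added Rust example that is not Suricata's code; the flag names username, password, will, will_retain and clean_session are assumed from the keyword documentation, and the bit positions follow the MQTT 3.1.1/5.0 CONNECT flags byte.

```rust
// Constructed example, not Suricata's code: evaluates mqtt.connect.flags specs
// ("username,!password") against the CONNECT flags byte of MQTT 3.1.1/5.0 section 3.1.2.3.
const USERNAME: u8 = 0x80; // bit 7
const PASSWORD: u8 = 0x40; // bit 6
const WILL_RETAIN: u8 = 0x20; // bit 5
const WILL_QOS_MASK: u8 = 0x18; // bits 4-3
const WILL: u8 = 0x04; // bit 2
const CLEAN_SESSION: u8 = 0x02; // bit 1
const RESERVED: u8 = 0x01; // bit 0, unassigned: the spec says it must be 0

/// Compiled spec: the bits in `mask` are tested and must equal `value`.
pub struct FlagMatch { pub mask: u8, pub value: u8 }

impl FlagMatch {
    pub fn matches(&self, flags: u8) -> bool { flags & self.mask == self.value }
}

/// Parse a comma-separated list of flag names, each optionally prefixed by `!`.
pub fn parse_flag_spec(spec: &str) -> Result<FlagMatch, String> {
    let mut m = FlagMatch { mask: 0, value: 0 };
    for tok in spec.split(',') {
        let tok = tok.trim();
        let (negated, name) = match tok.strip_prefix('!') {
            Some(rest) => (true, rest),
            None => (false, tok),
        };
        let bit = match name {
            "username" => USERNAME,
            "password" => PASSWORD,
            "will_retain" => WILL_RETAIN,
            "will" => WILL,
            "clean_session" => CLEAN_SESSION,
            other => return Err(format!("unknown CONNECT flag {:?}", other)),
        };
        if m.mask & bit != 0 {
            return Err(format!("flag {} listed twice", name)); // "username,!username" is contradictory
        }
        m.mask |= bit;
        if !negated { m.value |= bit; }
    }
    if m.mask == 0 { return Err("empty flag list".to_string()); }
    Ok(m)
}

/// Raw-bit checks the named-flag syntax cannot express but an integer match can.
pub fn will_qos(flags: u8) -> u8 { (flags & WILL_QOS_MASK) >> 3 }
pub fn reserved_bit_set(flags: u8) -> bool { flags & RESERVED != 0 }
```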
| "IPPROTO_TCP", | ||
| "IPPROTO_UDP", | ||
| "SRepCatGetByShortname", | ||
| "SIG_FLAG_TOSERVER", |
@satta why is MQTT detection only to server?
Good question. I just grepped through detect-mqtt-* and saw many instances of SIG_FLAG_TOSERVER... well, not all of the things that are alerted on in the detection keywords are sent to the broker, but most are (e.g. anything with CONNECT or PUBLISH, but not CONNACK, the reason code, etc.).
Could be a copy-paste artifact; interesting that these keywords still seem to work though.
Maybe I should also revisit the code and check if maybe the transactions the parser produces are deliberately registered as being toserver because I didn't know an alternative (even though they likely contain messages in various directions) and that's why we want to apply the keywords to toserver.
And there is no SIG_FLAG_TOCLIENT
| #[no_mangle] | ||
| pub unsafe extern "C" fn rs_mqtt_tx_is_toclient( | ||
| tx: *const std::os::raw::c_void, | ||
| tx: &MQTTTransaction, |
needed so that MQTTTransaction is exported by cbindgen
| FAIL_IF_NULL(sig); | ||
|
|
||
| sig = DetectEngineAppendSig( | ||
| de_ctx, "alert ip any any -> any any (mqtt.protocol_version:3; sid:2; rev:1;)"); |
@satta why put another time the same signature with a different sid?
The second one should certainly have been mqtt.protocol_version:5.
will fix in next version
| return Some(rcode); | ||
| } | ||
| } | ||
| _ => return None, |
@satta why do we not continue with the loop?
Right, we should. Good catch! This is likely an oversight when extending transactions to multi-operations.
will fix in next version
| if let MQTTOperation::UNSUBSCRIBE(ref unsubv) = msg.op { | ||
| if (local_id as usize) < unsubv.topics.len() + offset { | ||
| let topic = &unsubv.topics[(local_id as usize) - offset]; | ||
| if !topic.is_empty() { |
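Review bot: the bounds check on the second line only guards the upper end; if `local_id` is ever smaller than `offset`, the index `(local_id as usize) - offset` on the third line underflows (a panic in debug builds, a wrapped-around index in release). Add `(local_id as usize) >= offset` to the condition, or compute the index with `checked_sub` and skip the message when it is `None`.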
I wonder if we treat the empty topic case right here
You mean, in that empty topics should be returned nevertheless? Well, the spec does not forbid zero length topic strings (e.g. in MQTT5 if the topic alias property is used) so we might just return length of 0 and a null pointer, right?
yes, we should...
This is a follow-up on #11291. There are more protocols to do...
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #11316 +/- ##
==========================================
+ Coverage 82.47% 82.48% +0.01%
==========================================
Files 934 918 -16
Lines 252270 252086 -184
==========================================
- Hits 208055 207944 -111
+ Misses 44215 44142 -73
Flags with carried forward coverage won't be shown.
Information: QA ran without warnings. Pipeline 21114

Information: QA ran without warnings. Pipeline 21128

Thanks for the porting work and also for taking a closer look at the code! Will give it a deeper look later and reply here.

ok waiting for it then, thanks

Continued in #11374
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/4683
Describe changes:
SV_BRANCH=OISF/suricata-verify#1920
cc @satta