
Feature #3549

closed

Add MQTT parser

Added by Sascha Steinbiss about 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label: Protocol

Description

It would probably be useful if Suricata had more support for IoT related protocols, such as MQTT. Zeek has support for that (https://docs.zeek.org/en/current/scripts/policy/protocols/mqtt/main.zeek.html) and it seems to be used in some popular contexts, such as The Things Network.

Both detailed logging (to gather information about communicating parties and publisher/subscriber relationships, potentially allowing anomaly detection to be implemented on top of that) and indicator-based detection (via rules) would be needed to gain visibility into such network activity.
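As an added illustration of what the logging side of such a parser has to extract (this is example code written for this page, not part of the ticket or of Suricata's own MQTT implementation): a minimal MQTT 3.1.1 decoder for CONNECT, PUBLISH and SUBSCRIBE control packets, plus a pass that builds a topic-to-publisher/subscriber map from a sequence of packets. The packet bytes, client addresses, client id and topic names are constructed for the example.

```python
def _varint(buf, pos):  # fixed-header 'remaining length': 7 data bits per byte, at most 4 bytes
    value = 0
    for i in range(4):
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")
def _string(buf, pos):  # MQTT string: 2-byte big-endian length prefix, then UTF-8 bytes
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_packet(buf):
    """Return (type_name, fields) for a CONNECT (1), PUBLISH (3) or SUBSCRIBE (8) packet."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    remaining, pos = _varint(buf, 1)
    body = buf[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")  # never trust the declared length
    if ptype == 1:
        _, p = _string(body, 0)  # protocol name; then level, connect flags, 2-byte keepalive
        client_id, _ = _string(body, p + 4)  # first payload field is the client identifier
        return "CONNECT", {"client_id": client_id, "keepalive": int.from_bytes(body[p + 2:p + 4], "big")}
    if ptype == 3:
        qos, (topic, p) = (flags >> 1) & 0x03, _string(body, 0)
        payload = bytes(body[p + (2 if qos else 0):])  # packet identifier only present for QoS 1/2
        return "PUBLISH", {"topic": topic, "qos": qos, "retain": bool(flags & 1), "payload": payload}
    if ptype == 8:
        p, filters = 2, []  # skip the 2-byte packet identifier
        while p < len(body):
            topic, p = _string(body, p)
            filters.append((topic, body[p]))  # (topic filter, requested QoS)
            p += 1
        return "SUBSCRIBE", {"filters": filters}
    return f"TYPE_{ptype}", {}

def pubsub_map(flows):
    """Map topic -> publishers/subscribers; a client is its CONNECT client_id, or its address if none was seen."""
    ids, topics = {}, {}
    for addr, pkt in flows:
        name, f = parse_packet(pkt)
        ids[addr] = f.get("client_id", ids.get(addr, addr))
        role = {"PUBLISH": "publishers", "SUBSCRIBE": "subscribers"}.get(name)
        for t in [f["topic"]] if name == "PUBLISH" else [t for t, _ in f.get("filters", [])]:
            topics.setdefault(t, {"publishers": set(), "subscribers": set()})[role].add(ids[addr])
    return topics

# Constructed sample packets, hand-assembled for this example (not captured traffic)
CONNECT_PKT = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08sensor-1"  # clean session, keepalive 60 s
SUBSCRIBE_PKT = b"\x82\x10\x00\x01\x00\x0bhome/1/temp\x01"  # packet id 1, QoS 1 requested
PUBLISH_PKT = b"\x30\x11\x00\x0bhome/1/temp21.5"  # QoS 0, so no packet id before the payload
SAMPLE_FLOWS = [("10.0.0.5", CONNECT_PKT), ("10.0.0.9", SUBSCRIBE_PKT), ("10.0.0.5", PUBLISH_PKT)]
```

The subscriber is reported by address only because no CONNECT was seen from it, which is the usual situation when monitoring starts mid-session; a real parser also has to track the broker's CONNACK/SUBACK replies and QoS 1/2 acknowledgements.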
