Project

General

Profile

Actions

Feature #6396

closed

Add protocol string support for mqtt

Added by Jason Taylor 7 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
C, Needs Suricata-Verify test, Rust

Description

we would like the ability to sig on the protocol string content on mqtt traffic. The key/value is currently being logged:

"mqtt":{"connect":{"qos":0,"retain":false,"dup":false,"protocol_string":"MQIsdp","protocol_version":3,"client_id":"<snipped>

So something like mqtt.protocol_string would be great.

Actions #1

Updated by Jason Taylor 7 months ago

When looking at the mqtt sources, I noticed what are probably the remnants from a copy/paste in detect-mqtt-type.c:

/** * \brief Registration function for ipopts: keyword
*/

Totally a minor thing of course just figured a fixup could go in with this tickets main work

Actions #2

Updated by Sascha Steinbiss 7 months ago

  • Status changed from New to In Progress
  • Label C, Needs Suricata-Verify test, Rust added
Actions #3

Updated by Sascha Steinbiss 7 months ago

Jason Taylor wrote in #note-1:

When looking at the mqtt sources, I noticed what are probably the remnants from a copy/paste in detect-mqtt-type.c:

/**
  • \brief Registration function for ipopts: keyword
    */

Totally a minor thing of course just figured a fixup could go in with this tickets main work

True, will include that in the PR. Thanks for spotting this!

Actions #5

Updated by Sascha Steinbiss 6 months ago

  • Status changed from In Progress to In Review
Actions #6

Updated by Philippe Antoine 6 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #7

Updated by Philippe Antoine 5 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF