Bug #6984
openmqtt: do not log non-string messages?
Description
Noticed the lengthy log message shown for our Suricata-Verify MQTT connect rules (https://github.com/OISF/suricata-verify/tree/master/tests/mqtt-connect-rules) for
MQTT Publish message (packet 9): according to Wireshark, 35.758 bytes.
Image shows a screenshot of part of the logged message.
Files
.png){kind=link}
Updated by Juliana Fajardini Reichow 24 days ago
Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.
Updated by Sascha Steinbiss 11 days ago
Juliana Fajardini Reichow wrote in #note-1:
Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.
The payload in the screenshot is a JPEG image transferred via MQTT, like a camera would, for example.
Note that there already is a parser option (app-layer.mqtt.max-msg-length) that restricts the maximum length of a message to be processed (otherwise the message is skipped; default is 1MB). Of course this is different from logging; one might want to have a large message processed for detection but not logged in its entirety. I'd be happy to add a maximum logging threshold here in the outputs configuration for mqtt.
I can imagine that a use case of the MQTT parser is to monitor transmission patterns rather than alert on content (I'm not aware of any related attacks, at least), so I at least would rather opt for completeness of content rather than log file frugality.
Updated by Juliana Fajardini Reichow 9 days ago · Edited
Sascha Steinbiss wrote in #note-2:
Juliana Fajardini Reichow wrote in #note-1:
Not sure here if the solution is just not to log non-string messages, or define a limit to message length logged, or something else.
The payload in the screenshot is a JPEG image transferred via MQTT, like a camera would, for example.
Note that there already is a parser option (
app-layer.mqtt.max-msg-length) that restricts the maximum length of a message to be processed (otherwise the message is skipped; default is 1MB). Of course this is different from logging; one might want to have a large message processed for detection but not logged in its entirety. I'd be happy to add a maximum logging threshold here in theoutputsconfiguration formqtt.
Thanks for volunteering your time! :)
I can imagine that a use case of the MQTT parser is to monitor transmission patterns rather than alert on content (I'm not aware of any related attacks, at least), so I at least would rather opt for completeness of content rather than log file frugality.
I think that it makes sense that one may want to process the whole content, but optionally limit the log output. To your point of allowed for completeness, I wonder if it would make sense to log full contents in case an alert is triggered for it. - Or if this makes things unnecessarily overly complex.
Updated by Sascha Steinbiss 8 days ago
Updated by Victor Julien 5 days ago
For files/binary blobs, would it make sense to use the file tracking infrastructure in suri for those?
Updated by Sascha Steinbiss 5 days ago
Victor Julien wrote in #note-6:
For files/binary blobs, would it make sense to use the file tracking infrastructure in suri for those?
I wouldn't think so. There is no direct notion of files or file transfer in the protocol, it's just that some payloads may happen to be data that could make sense as a standalone file. Question is, how would we detect these without the use of magic (expensive) or looking at the presence of MQTT5 properties that specify MIME types (depends on whether the sender includes that). In the latter case one would also again need to decide which of those types would be useful to extract to files.
Updated by Philippe Antoine 4 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Sascha Steinbiss