From fa7e64a3551d928d7b1344de3d0da8653523e5aa Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 26 Nov 2024 17:16:58 -0600
Subject: [PATCH] mqtt: double-check detection directions

Backport of commit 5d8252117f3a6643be5867c6f1f19caa316fd76d.
Ticket: 7323
---
 src/detect-mqtt-connack-sessionpresent.c | 2 +-
 src/detect-mqtt-publish-topic.c | 4 ++++
 src/detect-mqtt-reason-code.c | 4 +++-
 src/detect-mqtt-subscribe-topic.c | 4 ++++
 src/detect-mqtt-type.c | 4 +++-
 5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/detect-mqtt-connack-sessionpresent.c b/src/detect-mqtt-connack-sessionpresent.c
index 7ec902f1172c..d713e6edffdf 100644
--- a/src/detect-mqtt-connack-sessionpresent.c
+++ b/src/detect-mqtt-connack-sessionpresent.c
@@ -63,7 +63,7 @@ void DetectMQTTConnackSessionPresentRegister (void)
 DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
 DetectAppLayerInspectEngineRegister2("mqtt.connack.session_present", ALPROTO_MQTT,
- SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
+ SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL);
 mqtt_connack_session_present_id = DetectBufferTypeGetByName("mqtt.connack.session_present");
 }
diff --git a/src/detect-mqtt-publish-topic.c b/src/detect-mqtt-publish-topic.c
index c03a47b5eda7..045a2b4c550c 100644
--- a/src/detect-mqtt-publish-topic.c
+++ b/src/detect-mqtt-publish-topic.c
@@ -81,10 +81,14 @@ void DetectMQTTPublishTopicRegister(void)
 DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData);
+ DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0,
+ DetectEngineInspectBufferGeneric, GetData);
 DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT, 1);
+ DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
+ GetData, ALPROTO_MQTT, 1);
 DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
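Review bot: In `detect-mqtt-connack-sessionpresent.c` the to-server engine is replaced by a to-client one with no comment, while every other keyword touched by this patch ends up registered in both directions, so a reader cannot tell that the single direction is deliberate. I would add a line above the call such as `/* CONNACK is only sent by the broker: to-client engine only */`. Any local rule that combines `mqtt.connack.session_present` with an explicit to-server flow direction should be re-checked after this backport, since the keyword no longer has an engine on that side (inferred from the registration shown; rule-loading behaviour is not visible here).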
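Review bot: In `detect-mqtt-publish-topic.c` the new `SIG_FLAG_TOCLIENT` inspect and MPM registrations reuse the `GetData` callback written for the to-server side, and that callback is defined outside this hunk, so it should be confirmed that it does not depend on the transaction direction. Because PUBLISH messages delivered by the broker now feed this buffer as well, rules that use `mqtt.publish.topic` without a flow direction may begin to alert on traffic they previously skipped; that is worth one sentence in the commit message for people maintaining rulesets. A comment such as `/* PUBLISH is sent by clients and by the broker, register both directions */` above the first call would record the intent.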
diff --git a/src/detect-mqtt-reason-code.c b/src/detect-mqtt-reason-code.c
index 085c9c047c9f..452554cfba9a 100644
--- a/src/detect-mqtt-reason-code.c
+++ b/src/detect-mqtt-reason-code.c
@@ -64,7 +64,9 @@ void DetectMQTTReasonCodeRegister (void)
 DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
- DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1,
+ DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0,
+ DetectEngineInspectGenericList, NULL);
+ DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0,
 DetectEngineInspectGenericList, NULL);
 mqtt_reason_code_id = DetectBufferTypeGetByName("mqtt.reason_code");
diff --git a/src/detect-mqtt-subscribe-topic.c b/src/detect-mqtt-subscribe-topic.c
index c2793bb13a80..7a977dddd6ad 100644
--- a/src/detect-mqtt-subscribe-topic.c
+++ b/src/detect-mqtt-subscribe-topic.c
@@ -214,10 +214,14 @@ void DetectMQTTSubscribeTopicRegister (void)
 DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1, PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1);
+ DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOCLIENT, 1,
+ PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1);
 DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectMQTTSubscribeTopic, NULL);
+ DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1,
+ DetectEngineInspectMQTTSubscribeTopic, NULL);
 DetectBufferTypeSetDescriptionByName("mqtt.subscribe.topic", "subscribe topic query");
diff --git a/src/detect-mqtt-type.c b/src/detect-mqtt-type.c
index 3bc7f1e4f593..4d4fae8f25c2 100644
--- a/src/detect-mqtt-type.c
+++ b/src/detect-mqtt-type.c
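Review bot: The fourth argument (the progress value) on the existing `mqtt.reason_code` to-server registration changes from `1` to `0`, which the commit message, about directions only, does not explain. The `detect-mqtt-type.c` hunk makes the same `1` to `0` change, whereas the connack and subscribe-topic registrations stay at `1`, so the patch leaves two different values with no stated rule for choosing one. If the difference is intended, put a short comment on each call, for example `/* progress 0: match as soon as the tx exists (confirm) */`; if not, align the values. The function continues beyond the lines shown.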
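Review bot: SUBSCRIBE is a client-to-broker packet in MQTT, so the added `SIG_FLAG_TOCLIENT` prefilter and inspect registrations for `mqtt.subscribe.topic` need a comment saying what traffic they are expected to see. The connack hunk in this patch does the opposite and narrows its keyword to the one direction the packet travels, which makes the asymmetry look accidental. If the aim is to cover flows where the engine's notion of client and server is swapped (a guess, nothing in the hunk says so), state it, e.g. `/* to-client too: direction may be reversed on some flows */`; otherwise the two added calls presumably only add engines that are never fed.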
@@ -58,7 +58,9 @@ void DetectMQTTTypeRegister (void)
 #endif
 DetectAppLayerInspectEngineRegister2(
- "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
+ "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL);
+ DetectAppLayerInspectEngineRegister2(
+ "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
 mqtt_type_id = DetectBufferTypeGetByName("mqtt.type");
 }
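Review bot: The calls in `detect-mqtt-type.c` end up ordered to-client first, to-server second, the reverse of the reason-code, publish-topic and subscribe-topic hunks, because the existing line was rewritten to `SIG_FLAG_TOCLIENT` and a new `SIG_FLAG_TOSERVER` call added after it. Keeping the original call as `"mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0, ...` and appending the `SIG_FLAG_TOCLIENT` call would give the same registrations with a smaller diff and one consistent order across the five files. Registration order is unlikely to matter functionally, so this is a readability point only. The function starts above the hunk.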