From 6dde3eea4feca957f8033d589a0f488d7fc716bf Mon Sep 17 00:00:00 2001 From: Sascha Steinbiss Date: Sun, 20 Oct 2024 11:27:51 +0200 Subject: [PATCH 1/2] mqtt: add reason code support for SUBACK Ticket: #7323 (cherry picked from commit 377d4705e15aa54ae26176822b23eec0a98bbc59) --- rust/src/mqtt/detect.rs | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index b47a84f74409..a34bc7da3906 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs @@ -373,6 +373,27 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_reason_code(tx: &MQTTTransaction, result #[no_mangle] pub extern "C" fn rs_mqtt_tx_unsuback_has_reason_code(tx: &MQTTTransaction, code: u8) -> u8 { + for msg in tx.msg.iter() { + match msg.op { + MQTTOperation::UNSUBACK(ref unsuback) => { + if let Some(ref reason_codes) = unsuback.reason_codes { + for rc in reason_codes.iter() { + if *rc == code { + return 1; + } + } + } + } + MQTTOperation::SUBACK(ref suback) => { + for rc in suback.qoss.iter() { + if *rc == code { + return 1; + } + } + } + _ => {} + } + } for msg in tx.msg.iter() { if let MQTTOperation::UNSUBACK(ref unsuback) = msg.op { if let Some(ref reason_codes) = unsuback.reason_codes { From d474393a89fd6018e4e97a310706a2299a4a4824 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 26 Nov 2024 17:16:58 -0600 Subject: [PATCH 2/2] mqtt: double-check detection directions Backport of commit 5d8252117f3a6643be5867c6f1f19caa316fd76d. Ticket: 7323 --- src/detect-mqtt-connack-sessionpresent.c | 2 +- src/detect-mqtt-publish-topic.c | 4 ++++ src/detect-mqtt-reason-code.c | 2 ++ src/detect-mqtt-subscribe-topic.c | 4 ++++ src/detect-mqtt-type.c | 2 ++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/detect-mqtt-connack-sessionpresent.c b/src/detect-mqtt-connack-sessionpresent.c index 7ec902f1172c..d713e6edffdf 100644 --- a/src/detect-mqtt-connack-sessionpresent.c +++ b/src/detect-mqtt-connack-sessionpresent.c 
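Review bot: In `rs_mqtt_tx_unsuback_has_reason_code` the original UNSUBACK-only loop is still present as context directly after the added `match` loop, so a transaction with no matching code is scanned twice and the second pass cannot find anything the first did not. Replacing the old loop rather than prepending to it would keep the function to a single pass; the function body continues past the end of the hunk, so check this against the full file. The SUBACK arm compares against `suback.qoss`, which is not obviously a reason-code field, so a comment such as `// SUBACK reason codes are kept in the qoss field` would help the next reader. A doc comment on the function should also state that this `unsuback`-named FFI entry point now matches SUBACK messages too, since callers and rule writers cannot tell from the name.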
@@ -63,7 +63,7 @@ void DetectMQTTConnackSessionPresentRegister (void) DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); DetectAppLayerInspectEngineRegister2("mqtt.connack.session_present", ALPROTO_MQTT, - SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); + SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL); mqtt_connack_session_present_id = DetectBufferTypeGetByName("mqtt.connack.session_present"); } diff --git a/src/detect-mqtt-publish-topic.c b/src/detect-mqtt-publish-topic.c index c03a47b5eda7..045a2b4c550c 100644 --- a/src/detect-mqtt-publish-topic.c +++ b/src/detect-mqtt-publish-topic.c @@ -81,10 +81,14 @@ void DetectMQTTPublishTopicRegister(void) DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 0, + DetectEngineInspectBufferGeneric, GetData); DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT, 1); + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, + GetData, ALPROTO_MQTT, 1); DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); diff --git a/src/detect-mqtt-reason-code.c b/src/detect-mqtt-reason-code.c index 085c9c047c9f..b193190849c6 100644 --- a/src/detect-mqtt-reason-code.c +++ b/src/detect-mqtt-reason-code.c @@ -66,6 +66,8 @@ void DetectMQTTReasonCodeRegister (void) DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); + DetectAppLayerInspectEngineRegister2("mqtt.reason_code", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, + DetectEngineInspectGenericList, NULL); mqtt_reason_code_id = DetectBufferTypeGetByName("mqtt.reason_code"); } diff --git a/src/detect-mqtt-subscribe-topic.c b/src/detect-mqtt-subscribe-topic.c index c2793bb13a80..7a977dddd6ad 100644 --- a/src/detect-mqtt-subscribe-topic.c 
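Review bot: In the `DetectMQTTPublishTopicRegister` hunk the added TOCLIENT inspect-engine and MPM registrations duplicate the TOSERVER pair with no comment on why the buffer must be inspected in both directions. A short comment above the pair, e.g. `/* PUBLISH is sent by clients and by the broker; inspect both directions */`, would keep a later cleanup from dropping one side and silently disabling matches for that direction. The same applies to the added TOCLIENT calls in `DetectMQTTReasonCodeRegister` and `DetectMQTTTypeRegister`; in the latter the TOCLIENT call is placed before the TOSERVER one, unlike the other files. The diffstat for this patch lists only the `detect-mqtt-*.c` files, so no test exercising a to-client match is visible here. All of these register functions start and end outside their hunks.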
+++ b/src/detect-mqtt-subscribe-topic.c @@ -214,10 +214,14 @@ void DetectMQTTSubscribeTopicRegister (void) DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1, PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1); + DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOCLIENT, 1, + PrefilterMpmMQTTSubscribeTopicRegister, NULL, ALPROTO_MQTT, 1); DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectMQTTSubscribeTopic, NULL); + DetectAppLayerInspectEngineRegister2("mqtt.subscribe.topic", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, + DetectEngineInspectMQTTSubscribeTopic, NULL); DetectBufferTypeSetDescriptionByName("mqtt.subscribe.topic", "subscribe topic query"); diff --git a/src/detect-mqtt-type.c b/src/detect-mqtt-type.c index 3bc7f1e4f593..fc5713a4cd0b 100644 --- a/src/detect-mqtt-type.c +++ b/src/detect-mqtt-type.c @@ -57,6 +57,8 @@ void DetectMQTTTypeRegister (void) sigmatch_table[DETECT_AL_MQTT_TYPE].RegisterTests = MQTTTypeRegisterTests; #endif + DetectAppLayerInspectEngineRegister2( + "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL); DetectAppLayerInspectEngineRegister2( "mqtt.type", ALPROTO_MQTT, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
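Review bot: The `DetectMQTTSubscribeTopicRegister` hunk registers `mqtt.subscribe.topic` for `SIG_FLAG_TOCLIENT` as well, but SUBSCRIBE is a client-to-broker packet in MQTT, so the case the to-client MPM and inspect engines are meant to cover is not evident from the hunk. If the intent is to cover flows whose direction was picked up reversed, say so above the added calls, e.g. `/* SUBSCRIBE is client-to-broker; TOCLIENT covers flows whose direction was detected reversed */`. If no such case exists, the extra prefilter registration adds cost without detection benefit. The register function starts and ends outside the hunk.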