detect/mqtt: add topic inspection limit

We add a new 'mqtt.(un)subscribe-topic-match-limit' option to allow a user to specify the maximum number of topics in a MQTT SUBSCRIBE or UNSUBSCRIBE message to be evaluated in detection.
5 years ago · 4c0ef73bf2
parent 33fa7ab596
commit 4c0ef73bf2
3 changed files with 33 additions and 4 deletions
--- a/src/detect-mqtt-subscribe-topic.c
+++ b/src/detect-mqtt-subscribe-topic.c
@ -58,6 +58,8 @@ static int DetectMQTTSubscribeTopicSetup(DetectEngineCtx *, Signature *, const c

 static int g_mqtt_subscribe_topic_buffer_id = 0;

+static uint32_t subscribe_topic_match_limit = 100;
+
 struct MQTTSubscribeTopicGetDataArgs {
    uint32_t local_id;
    void *txv;
@ -100,7 +102,7 @@ static int DetectEngineInspectMQTTSubscribeTopic(
        transforms = engine->v2.transforms;
    }

-    while(1) {
+    while ((subscribe_topic_match_limit == 0) || local_id < subscribe_topic_match_limit) {
        struct MQTTSubscribeTopicGetDataArgs cbdata = { local_id, txv, };
        InspectionBuffer *buffer = MQTTSubscribeTopicGetData(det_ctx,
            transforms, f, &cbdata, engine->sm_list, false);
@ -151,7 +153,7 @@ static void PrefilterTxMQTTSubscribeTopic(DetectEngineThreadCtx *det_ctx,
    const int list_id = ctx->list_id;

    uint32_t local_id = 0;
-    while(1) {
+    while ((subscribe_topic_match_limit == 0) || local_id < subscribe_topic_match_limit) {
        struct MQTTSubscribeTopicGetDataArgs cbdata = { local_id, txv };
        InspectionBuffer *buffer = MQTTSubscribeTopicGetData(det_ctx, ctx->transforms,
                f, &cbdata, list_id, true);
@ -201,6 +203,16 @@ void DetectMQTTSubscribeTopicRegister (void)
    sigmatch_table[DETECT_AL_MQTT_SUBSCRIBE_TOPIC].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_MQTT_SUBSCRIBE_TOPIC].flags |= SIGMATCH_INFO_STICKY_BUFFER;

+    intmax_t val = 0;
+    if (ConfGetInt("mqtt.subscribe-topic-match-limit", &val)) {
+        subscribe_topic_match_limit = val;
+    }
+    if (subscribe_topic_match_limit <= 0) {
+        SCLogDebug("Using unrestricted MQTT SUBSCRIBE topic matching");
+    } else {
+        SCLogDebug("Using MQTT SUBSCRIBE topic match-limit setting of: %u",
+                subscribe_topic_match_limit);
+    }

    DetectAppLayerMpmRegister2("mqtt.subscribe.topic", SIG_FLAG_TOSERVER, 1,
            PrefilterMpmMQTTSubscribeTopicRegister, NULL,
--- a/src/detect-mqtt-unsubscribe-topic.c
+++ b/src/detect-mqtt-unsubscribe-topic.c
@ -58,6 +58,8 @@ static int DetectMQTTUnsubscribeTopicSetup(DetectEngineCtx *, Signature *, const

 static int g_mqtt_unsubscribe_topic_buffer_id = 0;

+static uint32_t unsubscribe_topic_match_limit = 100;
+
 struct MQTTUnsubscribeTopicGetDataArgs {
    uint32_t local_id;
    void *txv;
@ -100,7 +102,7 @@ static int DetectEngineInspectMQTTUnsubscribeTopic(
        transforms = engine->v2.transforms;
    }

-    while(1) {
+    while ((unsubscribe_topic_match_limit == 0) || local_id < unsubscribe_topic_match_limit) {
        struct MQTTUnsubscribeTopicGetDataArgs cbdata = { local_id, txv, };
        InspectionBuffer *buffer = MQTTUnsubscribeTopicGetData(det_ctx,
            transforms, f, &cbdata, engine->sm_list, false);
@ -151,7 +153,7 @@ static void PrefilterTxMQTTUnsubscribeTopic(DetectEngineThreadCtx *det_ctx,
    const int list_id = ctx->list_id;

    uint32_t local_id = 0;
-    while(1) {
+    while ((unsubscribe_topic_match_limit == 0) || local_id < unsubscribe_topic_match_limit) {
        struct MQTTUnsubscribeTopicGetDataArgs cbdata = { local_id, txv };
        InspectionBuffer *buffer = MQTTUnsubscribeTopicGetData(det_ctx, ctx->transforms,
                f, &cbdata, list_id, true);
@ -201,6 +203,16 @@ void DetectMQTTUnsubscribeTopicRegister (void)
    sigmatch_table[DETECT_AL_MQTT_UNSUBSCRIBE_TOPIC].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_MQTT_UNSUBSCRIBE_TOPIC].flags |= SIGMATCH_INFO_STICKY_BUFFER;

+    intmax_t val = 0;
+    if (ConfGetInt("mqtt.unsubscribe-topic-match-limit", &val)) {
+        unsubscribe_topic_match_limit = val;
+    }
+    if (unsubscribe_topic_match_limit <= 0) {
+        SCLogDebug("Using unrestricted MQTT UNSUBSCRIBE topic matching");
+    } else {
+        SCLogDebug("Using MQTT UNSUBSCRIBE topic match-limit setting of: %i",
+                unsubscribe_topic_match_limit);
+    }

    DetectAppLayerMpmRegister2("mqtt.unsubscribe.topic", SIG_FLAG_TOSERVER, 1,
            PrefilterMpmMQTTUnsubscribeTopicRegister, NULL,
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -1115,6 +1115,11 @@ pcre:
  match-limit: 3500
  match-limit-recursion: 1500

+# MQTT topic detection depth
+#mqtt:
+#  subscribe-topic-match-limit: 100
+#  unsubscribe-topic-match-limit: 100
+
 ##
 ## Advanced Traffic Tracking and Reconstruction Settings
 ##