Suricata v7 frame-support error

suricatalfon · January 27, 2022, 10:32am

Hi,

Suricata version 7.0.0-dev (dff7e7d34 2022-01-25)
I’m testing the new frame-support feature. But with a simple rule, it returns an error:

ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - unknown app proto 'smb1' for 'frame

rule:

alert tcp any any -> any any (frame:smb1.data; content:"DATA"; sid:1001; rev:1;)

yaml:

        # app layer frames
        - frame:
            # disabled by default as this is very verbose.
            enabled: yes
        - smb

If I modify the rule and change “smb1” to “telnet” then it works. It doesn’t give an error at first. But when I run a telnet:…

suricata: detect-engine-frame.c:345: DetectEngineInspectFrameBufferGeneric: Assertion !((int64_t)data_len > frame->len)’ failed.`

…

Topic		Replies	Views
Http2.frametype not support detect RST_STREAM Help rules , suricata	3	179	October 11, 2023
Help to disable http protocol in suricata 7.0.2 Help	1	153	November 16, 2023
Ssh and http protocol rule not work Help suricata	2	108	April 25, 2024
Testing ssh related rules Rules rules	1	67	April 4, 2024
SMB rule, but exclusion needed Rules suricata	2	355	November 7, 2023