detect: add ldap operation keywords - v4

[AkakiAlice]

Ticket: #7453

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7453

Description:

• Implement ldap.request.operation , ldap.responses.operation and ldap.responses.count keywords.

Changes:

• rustfmt commit is the first
• add the json schema field that map to the added keywords in the commit message
• fix thread '<unnamed>' panicked at src/ldap/detect.rs:205:17: attempt to add with overflow

SV_BRANCH=OISF/suricata-verify#2248
Previous PR= #12435

[codecov]

Codecov Report

Attention: Patch coverage is 83.11111% with 38 lines in your changes missing coverage. Please review.

Project coverage is 80.63%. Comparing base (95e8427) to head (575ec24).
Report is 30 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #12447    +/-   ##
========================================
  Coverage   80.63%   80.63%            
========================================
  Files         920      921     +1     
  Lines      258704   258928   +224     
========================================
+ Hits       208595   208776   +181     
- Misses      50109    50152    +43     

Flag	Coverage Δ
fuzzcorpus	56.76% <22.66%> (-0.05%)	⬇️
livemode	19.40% <22.66%> (+<0.01%)	⬆️
pcap	44.27% <23.11%> (-0.06%)	⬇️
suricata-verify	63.28% <83.85%> (+0.01%)	⬆️
unittests	58.48% <22.66%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[catenacyber]

Thanks for the work :-)

CI : 🟢
Code : good
Commits segmentation : ok thanks
Commit messages : good
Git ID set : looks fine for me
CLA : you already contributed
Doc update : good, cc @jufajardini
Redmine ticket : ok
Rustfmt : good :-)
Tests : nice, thanks
Dependencies added: none

[catenacyber]

@lukashino what do you think about this ? cf your work on #11951

Especially, is the log field written the correct way ?
Here this is a simple case, but what about the 2 others with arrays : ldap.responses[].operation and len(ldap.responses[])

[catenacyber]

Also should we update schema.json to document the revert mapping ?

[victorjulien]

I think @jasonish had some more thoughts about this.

[jasonish]

Need to document my thoughts more throuroughly somewhere, but I think its just a simplified version of what @lukashino had previous proposed. Looking at LDAP and the schema we see:

        "ldap": {
            "type": "object",
            "optional": true,
            "properties": {
                "request": {
                    "type": "object",
                    "properties": { 
                        "operation": {
                            "type": "string"
                        },
                        "message_id": { 
                            "type": "integer"
                        },

We could extend it out like:

        "ldap": {
            "type": "object",
            "optional": true,
            "properties": {
                "request": {
                    "type": "object",
                    "properties": { 
                        "operation": {
                            "type": "string"
                            "suricata": {
                              // A keyword that is a one to one mapping to this buffer.
                              "keyword": "ldap.operation",
                              // Related keywords that may also cover this field, if any.
                              "related_keywords": ["aaa", "bbb"]
                            }
                        },
                        "message_id": { 
                            "type": "integer"
                        },

[jasonish]

More here: #11951 (comment)

[catenacyber]

So, I understand that the PR is good as is, and we wait for a decision on what needs to be updated in the schema.

[jasonish]

Yeah, I think Victor was just poking me here so I'd write down some thoughts I had on the matter.

[victorjulien]

nit: comment is wrong

[catenacyber]

But rs_detect_u8_free just unboxes :-p

[jasonish]

name: Should be SC...

[catenacyber]

git grep "fn Sc" | wc -l gives 7 functions to fix, including the template

We should do that in a next follow-up PR

[victorjulien]

plus a CI check with this git grep?

[victorjulien]

Merged in #12462, thanks!

[catenacyber]

Great work Alice, waiting on the next one :-)