detect: add ldap.request.option keyword - v1

[AkakiAlice]

Ticket: #7453

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7453

Description:

• Add ldap.request.operation keyword

ldap.rs

• Change static mut to pub(super) static mut so I can use ALPROTO_LDAP on file ldap/detect.rs

mod.rs

• Include detect

types.rs

• Implement function to convert enum to u8. I used the existing ldap pcaps in S-V and RFC 4511 to set the values

detect-engine-register.c

• Include ScDetectLdapRegister()

detect.rs

• Create new file to implement ldap keywords

ldap-keywords.rst

• Create new file to document ldap keywords

index.rst

• Include ldap-keywords

SV_BRANCH=OISF/suricata-verify#2206

[codecov]

Codecov Report

Attention: Patch coverage is 77.02703% with 17 lines in your changes missing coverage. Please review.

Project coverage is 83.24%. Comparing base (6f937c7) to head (68fbc10).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12321      +/-   ##
==========================================
- Coverage   83.26%   83.24%   -0.03%     
==========================================
  Files         912      913       +1     
  Lines      257643   257717      +74     
==========================================
+ Hits       214521   214528       +7     
- Misses      43122    43189      +67     

Flag	Coverage Δ
fuzzcorpus	61.19% <24.32%> (+0.05%)	⬆️
livemode	19.40% <24.32%> (+<0.01%)	⬆️
pcap	44.39% <24.32%> (-0.03%)	⬇️
suricata-verify	62.88% <77.02%> (+0.02%)	⬆️
unittests	59.18% <24.32%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[inashivb]

Looking good from a brief overview! Would like other opinions on the name of the keyword. This looks good to me but perhaps too long?

[catenacyber]

For info, this name comes from json schema

[catenacyber]

rustfmt rust/src/ldap/mod.rs does a little change ;-)

[catenacyber]

Please put the full clickable link to redmine ticket https://redmine.openinfosecfoundation.org/issues/7453 ;-)

[catenacyber]

When you implement ldap.response.operation, the same table should be used for both

[catenacyber]

Do you know why is there a hole for 16, 17... ?

Maybe something that was implement in LDAP v1 and is obsolete in LDAP v3 but we should still recognize ?

[catenacyber]

This is not ideal
There should be some documentation at least
Or even better, we should have ProtocolOp::Unknown(u) => u.opcode, but this may require big changes...

[catenacyber]

@jasonish what do you think about this rust code that works ?

[catenacyber]

Please comment meaning of these true/false values

[catenacyber]

We should return 0, instead of having option=0

Otherwise, we match on ldap.request.operation: 0 for responses

[catenacyber]

Better call rs_detect_u8_match(option, ctx) only if let Some(request) = &tx.request{ and return 0 by default at the end of function

[catenacyber]

You can implement a protocol_op from_str and call it there if rs_detect_u8_parse fails

[catenacyber]

Really good, you have a first code working :-)

Design seems good, a few bugs to fix, and you can expand on it with ldap.response.operation