detect: log app-layer metadata in alert with single tx v5

[catenacyber]

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7199

May also solve https://redmine.openinfosecfoundation.org/issues/7406 and https://redmine.openinfosecfoundation.org/issues/7350

Describe changes:

• detect: log app-layer metadata in alert with single tx

SV_BRANCH=OISF/suricata-verify#2146

#12166 with big changes

• Uses a suricata.yaml config option detect.force-applayer-findtx
• output alert with tx_id_forced: true in such cases
• documentation !
• removes the check PACKET_ALERT_FLAG_STREAM_MATCH as overridden by the new one : one live tx + config ok

Answering #12166 (comment) :

I would like to see a per protocol analysis of how we can be sure that this condition provides us with a relevant tx.

I think/fear that for every protocol, there does not exist a condition robust enough to provide the relevant tx for all use cases = set of rules + people expectations

Do you have such a condition ?

We've decided it's worse to log the wrong one, than to log none.

I think there is quite a demand to log something, and since I think we cannot be always right, we can ask the user to turn on some configuration parameter to ask for it

[codecov]

Codecov Report

Attention: Patch coverage is 73.33333% with 4 lines in your changes missing coverage. Please review.

Project coverage is 45.33%. Comparing base (bd7d38e) to head (e5d50ce).
Report is 25 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12168      +/-   ##
==========================================
- Coverage   49.81%   45.33%   -4.49%     
==========================================
  Files         909      909              
  Lines      257904   257736     -168     
==========================================
- Hits       128467   116832   -11635     
- Misses     129437   140904   +11467     

Flag	Coverage Δ
fuzzcorpus	60.97% <73.33%> (+0.02%)	⬆️
livemode	19.43% <33.33%> (+<0.01%)	⬆️
pcap	44.41% <73.33%> (-0.01%)	⬇️
suricata-verify	?
unittests	8.98% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.http.byterange.memuse	99602115	104195456	104.61%

Pipeline 23591

[jufajardini]

I do hope we find something we can agree upon with this work :)

Left a couple of comments for the docs/ expressions used part.

[jufajardini]

Pondering on the name here (as it will be used in the log output).
tx_match_forced? tx_logged_forced?

[jasonish]

match has too much meaning with rule matching in Suricata-language, so I'd avoid that.

[jasonish]

Are we only logging in the case there is one TX? findtx doesn't match that very well, as we're not finding one. Its a simpler check than that. I fear findtx implies too much we're finding the correct one.

[catenacyber]

Are we only logging in the case there is one TX? findtx doesn't match that very well, as we're not finding one. Its a simpler check than that. I fear findtx implies too much we're finding the correct one.

Yes logging if one tx and config parameter set

Please give me better names :-)

[jasonish]

force-tx-log?

[catenacyber]

Yeah... I am not sure.
This is the detect engine doing the work here, not the logging...

[catenacyber]

Next in #12195