Tls extra alert/v2

[victorjulien]

As #12095, but now also includes SIG_TYPE_APPLAYER. Still not sure if this is the correct approach.

SV_BRANCH=OISF/suricata-verify#2148

The above SV PR shows the effects on the existing tests.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.83%. Comparing base (bd7d38e) to head (e80a559).
Report is 42 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12169      +/-   ##
==========================================
+ Coverage   49.81%   49.83%   +0.02%     
==========================================
  Files         909      909              
  Lines      257904   257906       +2     
==========================================
+ Hits       128467   128539      +72     
+ Misses     129437   129367      -70     

Flag	Coverage Δ
fuzzcorpus	60.99% <100.00%> (+0.04%)	⬆️
livemode	19.43% <50.00%> (+<0.01%)	⬆️
pcap	43.60% <100.00%> (-0.82%)	⬇️
suricata-verify	62.75% <100.00%> (+<0.01%)	⬆️
unittests	8.98% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

Information: QA ran without warnings.

Pipeline 23613

[catenacyber]

I rather feel #12095

[victorjulien]

I rather feel #12095

Why is that?

[catenacyber]

Because I think app-layer detection may happen at the pseudo packet

[victorjulien]

Because I think app-layer detection may happen at the pseudo packet

Right, ya. It's a bit inconsistent either way, it feels. The whole SIG_TYPE_APPLAYER is a bit of a weird one. I believe it did more in the past, but it seems now the only way to do it is alert http .... (sid:1;). As soon as other matches are added, the type changes.

[catenacyber]

And #12095 is a minimal behavior change responding to initial demand

[catenacyber]

I think this should get closed in favor of the other PR

[victorjulien]

replaced by #12258