rule: Don't drop flow if rule matches on packet properties.

[jlucovsky]

Continuation of #9632
This commit modifies the logic used to determine the disposition of a flow/packet.

If the rule contains packet match properties, the flow shouldn't be dropped.

Link to redmine ticket: 5578

Describe changes:

• When deciding how to handle the drop action, check if the rule applies to packet properties.

Updates:

• Rebase

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the
pull request number.

Alternatively, SV_BRANCH may also be a link to an
OISF/suricata-verify pull-request.

SV_BRANCH=OISF/suricata-verify#1424

[suricata-qa]

Information:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

field	baseline	test	%
	SURI_TLPR1_stats_chk
.uptime	874	949	108.58%

Pipeline 16268

[victorjulien]

I would like to see more explanation in the commit. It's unclear to me why this check in this location fixes it. Explanation should include a analysis of how we can end up doing the wrong thing.

[catenacyber]

Victor requested changes ;-)

[catenacyber]

@jlucovsky closing this one PR (to have something clear for master6), waiting for the next version

[victorjulien]

@jlucovsky closing this one PR (to have something clear for master6), waiting for the next version

I don't understand why it was closed?

[catenacyber]

I don't understand why it was closed?

You requested changes long time ago ?
cf https://github.com/OISF/suricata/blob/master/doc/userguide/devguide/contributing/github-pr-workflow.rst

A PR may be closed as stale if it has not been updated in two months after changes were requested.

[victorjulien]

@jlucovsky can you bring this effort back?

[jlucovsky]

@jlucovsky can you bring this effort back?

For 6.0.x? Yes

[jlucovsky]

Continued in #10946