dns: more keywords; plus some eve/keyword parity tooling - v6

[jasonish]

This PR builds on #12500 and also adds the following keywords:

• dns.additionals.rrname
• dns.authorities.rrname
  It builds on dns: add keyword for dns.response.rrname (feat 7012) - v2 #12500 and it uses functions introduced as part of the work for dns.response.rrname.

To provide consistency and better eve parity the following keywords were renamed:

• dns.query.rrname -> dns.queries.rrname
• dns.answer.rrname -> dns.answers.rrname

And finally, as using DNS as a test protocol for parity, try some tooling for eve parity.

For example, ./scripts/eve-parity.py mapped-keywords:

dns.rcode -> [dns.rcode]
dns.answer.additionals.rdata -> [dns.response.rrname]
dns.answer.additionals.rrname -> [dns.additionals.rrname, dns.response.rrname]
dns.answer.authorities.rdata -> [dns.response.rrname]
dns.answer.authorities.rrname -> [dns.authorities.rrname, dns.response.rrname]
dns.queries.rrname -> [dns.queries.rrname, dns.query]
dns.queries.rrtype -> [dns.rrtype]
dns.queries.opcode -> [dns.opcode]
dns.additionals.rdata -> [dns.response.rrname]
dns.additionals.rrname -> [dns.additionals.rrname, dns.response.rrname]
dns.authorities.rdata -> [dns.response.rrname]
dns.authorities.rrname -> [dns.authorities.rrname, dns.response.rrname]
dns.answers.rdata -> [dns.response.rrname]
dns.answers.rrname -> [dns.answers.rrname, dns.response.rrname]

and ./scripts/eve-parity.py unmapped-fields | grep dns:

dhcp.dns_servers
dns.aa
dns.additionals.opt.code
dns.additionals.opt.data
dns.additionals.rrtype
dns.additionals.ttl
dns.answer.additionals.opt.code
dns.answer.additionals.opt.data
dns.answer.additionals.rrtype
dns.answer.additionals.ttl
dns.answer.authorities.rdata_truncated
dns.answer.authorities.rrname_truncated
dns.answer.authorities.rrtype
dns.answer.authorities.soa.expire

and new in this version: unmapped-keywords to show known keywords that are
not mapped in the eve.json.

Other changes:

• remove unit tests, they should have SV coverage now

SV_BRANCH=OISF/suricata-verify#2311

[jasonish]

Should skip fields that are transform in the 4th column.

[codecov]

Codecov Report

Attention: Patch coverage is 91.39466% with 29 lines in your changes missing coverage. Please review.

Project coverage is 80.77%. Comparing base (3bc2a14) to head (762e73e).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12652      +/-   ##
==========================================
- Coverage   80.77%   80.77%   -0.01%     
==========================================
  Files         932      932              
  Lines      259517   259758     +241     
==========================================
+ Hits       209629   209820     +191     
- Misses      49888    49938      +50     

Flag	Coverage Δ
fuzzcorpus	56.90% <19.58%> (-0.09%)	⬇️
livemode	19.35% <19.58%> (-0.03%)	⬇️
pcap	43.87% <19.58%> (-0.29%)	⬇️
suricata-verify	63.54% <91.39%> (+0.02%)	⬆️
unittests	58.28% <19.58%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[jasonish]

S-V coverage missing.

[jasonish]

S-V coverage missing.

[jasonish]

S-V coverage missing.

[suricata-qa]

Information: QA ran without warnings.

Pipeline 24853

[suricata-qa]

Information: QA ran without warnings.

Pipeline 24856

[catenacyber]

Is it good to have this suricata.keyword that can either be a boolean or an array ?

[jasonish]

I'm ok with it, unless its going into something the hardcodes a schema based on whats first seen., so not in eve. Prevents conflict with another field as well..

"keywords": ["one", "two"],
"no-keywords": "true",

[catenacyber]

Why do we need a specific stuff here ?

Do not we get prefilter for all sticky buffers from the generic engine ?

[jasonish]

Do not we get prefilter for all sticky buffers from the generic engine ?

Are you asking? If so, I'm not sure.

[catenacyber]

Do we need local_id++ if we break right after ?