rust/sip: register parser for tcp v13

[glongo]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3351

Describe changes:

• PDU frame is created for each SIP message when it is successfully parsed.

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the
pull request number.

Alternatively, SV_BRANCH may also be a link to an
OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=pr/1538
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

[codecov]

Codecov Report

Merging #10058 (488f0bf) into master (7d95c4c) will decrease coverage by 0.18%.
The diff coverage is 90.87%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10058      +/-   ##
==========================================
- Coverage   82.45%   82.27%   -0.18%     
==========================================
  Files         972      972              
  Lines      271461   271622     +161     
==========================================
- Hits       223822   223474     -348     
- Misses      47639    48148     +509     

Flag	Coverage Δ
fuzzcorpus	64.10% <66.94%> (-0.22%)	⬇️
suricata-verify	61.24% <91.10%> (-0.14%)	⬇️
unittests	62.82% <31.34%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

Information: QA ran without warnings.

Pipeline 17109

[victorjulien]

the frame should be created earlier, and not depend on the parser returning ok. It should be created as soon as we start parsing the data, and then be updated with the length when it's complete

[catenacyber]

Sorry for the confusion, I was the one who asked this.

What should the length be updated to when the parser errors (incomplete or not) ?

Why does it have to be so ?
On the S-V test, a frame was created before returning incomplete, and suricata did not match on it...
So, why should we create a frame if we cannot match on it ? (or how can we match on it)

[glongo]

As it is done for telnet? https://github.com/OISF/suricata/blob/master/rust/src/telnet/telnet.rs#L201-L204

[victorjulien]

Indeed, the telnet code seems to do it well.

We need this so we can start matching immediately for large frames. Also if we have malformed data we can still do frame based content matching.

[catenacyber]

We need this so we can start matching immediately for large frames. Also if we have malformed data we can still do frame based content matching.

This does not seem to work cf #10037 CI is green with SV OISF/suricata-verify#1538 where there is only one alert for https://github.com/OISF/suricata-verify/pull/1538/files#diff-efc7fbd99eb9389e40b2f9f16aa9eca8d58a80ea88324756b8a5d4b476cf69cfR18 alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;) after the frame is created on packet 6 (and no alert for the frame created on packet 4, as can be checked adding a bsize keyword to the rule)

[victorjulien]

frame should not depend on the parser returning ok

[catenacyber]

see above

[glongo]

Replaced by #10098