Detect integers 6644 v9

[catenacyber]

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6644 and all subtickets
https://redmine.openinfosecfoundation.org/issues/6645
https://redmine.openinfosecfoundation.org/issues/6646
https://redmine.openinfosecfoundation.org/issues/6647
https://redmine.openinfosecfoundation.org/issues/6648
https://redmine.openinfosecfoundation.org/issues/6628

Describe changes:

• detect/integers: support hexadecimal notation for parsing
• detect/integers: add mode for negated range
• detect/integers: rust derive for enumerations
• detect/integers: keywords now accept bitmasks
• doc: detect/integers

#10175 with derive enumstring for u16 and u32 as well (as needed by the ENIP rust PR)

[suricata-qa]

ERROR:

ERROR: QA failed on TREX_GENERIC_rule_time.

Pipeline 17552

[catenacyber]

ERROR:

ERROR: QA failed on TREX_GENERIC_rule_time.

Pipeline 17552

@ct0br0 would you have a profile for this ?

[catenacyber]

And other PRs using this one do not show this deviation...

[ct0br0]

What do you mean by 'profile' ?

[ct0br0]

fwiw, did another run and the rule load time only took 1 more second instead of 3. (19 vs 20, or previously 22)

[catenacyber]

What do you mean by 'profile' ?

Some perf report where I can get a flame graph to see where the time is spent ? Do you see what I mean ?

[zoomequipd]

Continuing convo from #10176 (comment) on correct PR

the integer-keyword.rst contains the following

Examples::

    bsize:integer value; # equality
    bsize:=integer value; # equality
    bsize:!integer value; # inequality
    bsize:!=integer value; # inequality
    bsize:>integer value; # greater than
    bsize:>=integer value; # greater than or equal
    bsize:<integer value; # lesser than
    bsize:<=integer value; # lesser than or equal
    bsize:integer value1-integer value2; # range between value1 and value2
    bsize:!integer value1-integer value2; # negated range between value1 and value2
    bsize:&mask=value; # bitmask mask is compared to value for equality
    bsize:&mask!=value; # bitmask mask is compared to value for inequality

Upon reading this, I thought that integer supporting keywords (bsize, dsize, urilen, etc) which currently use equality, inequality, greater than, etc would need to be updated/changed to support this new format.

My assumption is/was that equality would need to be rewritten from
bsize:10; to bsize:integer 10

based on comments in #10176 (comment), my thought was incorrect and I was misunderstanding the examples.

I would propose that example be rewritten to include more specific examples

Examples::

    bsize:19; # equality check of 19
    bsize:=19; # equality check of 19
    bsize:!20; # inequality check of 20
    bsize:!=20; # inequality check of 20
    bsize:>21; # greater than check of 21
    bsize:>=21; # greater than or equal 21
    bsize:<22; # lesser than check of 22
    bsize:<=22; # lesser than or equal 22
    bsize:19-22; # range between 19 and 2
    bsize:!19-22; # negated range between 19 and 22
    bsize:&0x40=0; # bitmask mask is compared to value for equality
    bsize:&0x40!=1; # bitmask mask is compared to value for inequality

current bitmaskly supported by byte_test, byte_match, byte_jump (maybe not byte_jump??) does a right shift by the number of trailing 0 (zeros) after the AND operation. Does this bitmask option perform the same behavior?

[catenacyber]

Does this bitmask option perform the same behavior?

You can do bsize:&0xc0=0x80.

You should not do bsize:&0xc0=2.

And thanks for bringing this, now I will make the parser failing for bsize:&0xc0=2 as something that could never match

[catenacyber]

Feedback incorporated in #10197