Revert "detect: do not store state without flags" #10286

Closed
victorjulien wants to merge 1 commit into OISF:master from victorjulien:revert-bad-commit/v1

@victorjulien
Member

This reverts commit 2fb5059.

Logic is incorrect, as shown by failing tests.

SV_BRANCH=OISF/suricata-verify#1623

@codecov

codecov bot commented Jan 30, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (244a35d) 73.31% compared to head (af263d8) 82.32%.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10286       +/-   ##
===========================================
+ Coverage   73.31%   82.32%    +9.00%     
===========================================
  Files         895      978       +83     
  Lines      148215   272029   +123814     
===========================================
+ Hits       108666   223949   +115283     
- Misses      39549    48080     +8531     
Flag Coverage Δ
fuzzcorpus 63.49% <100.00%> (+<0.01%) ⬆️
suricata-verify 61.50% <100.00%> (-0.02%) ⬇️
unittests 62.85% <100.00%> (?)

victorjulien added this to the 8.0 milestone Jan 30, 2024

@suricata-qa

Information: QA ran without warnings.

Pipeline 17945

@catenacyber
Contributor

Also to investigate:

  • why the spurious retransmission in SV bug-2576-02 is seen as an error by the dispatch function
  • why is the filemd5 keyword a "packet" keyword ?

@victorjulien
Member Author

> Also to investigate:
>
> * why the spurious retransmission in SV bug-2576-02 is seen as an error by the dispatch function
> * why is the `filemd5` keyword a "packet" keyword ?

I don't think it is?

@victorjulien
Member Author

I'm not going to take this in, as we feel the commit is correct but instead exposes another issue that we'll address in master and then backport.

@catenacyber
Contributor

> > • why is the filemd5 keyword a "packet" keyword ?
>
> I don't think it is?

Maybe not the right naming, but I mean that a signature with only filemd5 keyword as the one in bug-2576-02 is taken in by DetectRunPrefilterPkt + DetectPrefilterBuildNonPrefilterList (and thus uses scratch alproto) instead of by DetectRunTx and its subfunctions (unless it is stored)

@victorjulien
Member Author

> > > • why is the filemd5 keyword a "packet" keyword ?
> >
> > I don't think it is?
>
> Maybe not the right naming, but I mean that a signature with only filemd5 keyword as the one in bug-2576-02 is taken in by DetectRunPrefilterPkt + DetectPrefilterBuildNonPrefilterList (and thus uses scratch alproto) instead of by DetectRunTx and its subfunctions (unless it is stored)

I have some work that changes this logic, but in short: any sig that doesn't have a prefilter/fast_pattern is handled this way.

victorjulien deleted the revert-bad-commit/v1 branch February 13, 2024 09:29