[draft] dns: dns.response.answer.name sticky buffer - v1

[jasonish]

This implements the sticky buffer dns.response.answer.name to match on names on DNS response answers.

The idea is to fill this out with more keywords like:

• dns.response.answer.data.a
• dns.response.answer.data.txt
• dns.response.answer.data.sshfp.fingerprint
  and so on.

But before I continue on I want to make sure this is the good example of a stick buffer, with prefiltering and multi-buffer support, as it looks like our template is out of date. After this is given an OK, I'll apply the changes to the template.

Then I'd also like to isolate the common patterns of the sticky buffers and abstract the boilerplate away.

SV_BRANCH=OISF/suricata-verify#1444

[codecov]

Codecov Report

Merging #9686 (06b877d) into master (2fe2d82) will decrease coverage by 0.04%.
The diff coverage is 85.99%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9686      +/-   ##
==========================================
- Coverage   82.39%   82.36%   -0.04%     
==========================================
  Files         968      969       +1     
  Lines      274337   274326      -11     
==========================================
- Hits       226047   225937     -110     
- Misses      48290    48389      +99     

Flag	Coverage Δ
fuzzcorpus	64.62% <85.99%> (-0.07%)	⬇️
suricata-verify	60.85% <85.60%> (-0.07%)	⬇️
unittests	62.83% <85.60%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

Information: QA ran without warnings.

Pipeline 16305

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.memcap_pressure_max	88	97	110.23%

Pipeline 16306

[suricata-qa]

Information: QA ran without warnings.

Pipeline 16307

[suricata-qa]

Information: QA ran without warnings.

Pipeline 16309

[suricata-qa]

Information: QA ran without warnings.

Pipeline 16314

[suricata-qa]

Information: QA ran without warnings.

Pipeline 16320

[victorjulien]

Think it makes sense. Not finding the commit separation entirely logical, I would just squash them all together (the keyword commits, not talking about the API rename)

[jasonish]

Think it makes sense. Not finding the commit separation entirely logical, I would just squash them all together (the keyword commits, not talking about the API rename)

Yeah, its more for review of the individual items that were applied over and above the current template for sticky buffers.

[catenacyber]

Continued in #9813 right ?