detect-flowbits: add details for flowbits v7

[hadiqaalamdar]

Task #6309

• I have read the contributing guide lines at https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6309
Previous PR: #10008

Describe changes:

• added the recommended changes from the last PR. The operator string is working correctly for or operator
• did get rebase appropriately.

SV_BRANCH=OISF/suricata-verify#1529

[jufajardini]

Kudos for the progress! :)

I'm still considering what should be the approach for the noalert case - might be we're missing documentation, maybe it's a case where we need a warning - like we have for the flowbits that haven't been set...

I think this has to be discussed with more mentors, for us to understand what approach to follow, here.

[jufajardini]

As it's being used as a bool, let's declare it as such ;)
We can also use a more descriptive name, maybe is_or?
Could we move it into the if noalert context?

[inashivb]

+1 to everything

[jufajardini]

And now wondering if we need this noalert if, here.

[inashivb]

I don't think we do. I think we should also remove this constant though bc it gives me an impression that this is a valid flowbit specific command and while it is used w flowbits, it is never really used to set cmd.

[inashivb]

wrt I have made #10021
If it gets accepted, please rebase your code on that PR and remove all usages of DETECT_FLOWBITS_CMD_NOALERT.
If it gets rejected, maybe just add some notes like Juliana mentioned about noalert control never getting to this part.

[jufajardini]

Now, we know from our discussions elsewhere that we can't ever have this one here, so we can probably skip the jb call, maybe just add a comment that noalert doesn't lead to calling DumpMatches? 🤔

[jufajardini]

I saw that this is working! :) Do you think we can move on to thinking about the and case implementation now, @inashivb ?

[inashivb]

Indeed. We don't define it as a specific operator anyway like we do for or. It's only fair. 😛

[inashivb]

Kudos for the progress! :)

I'm still considering what should be the approach for the noalert case - might be we're missing documentation, maybe it's a case where we need a warning - like we have for the flowbits that haven't been set...

I think it is fine as-is. We do mention in our docs that it is identical to standalone noalert;: https://docs.suricata.io/en/latest/rules/differences-from-snort.html#flowbits-noalert
If you'd also want to have this in flowbits section of docs, I'll support that. :)

[hadiqaalamdar]

New PR: #10026