
Conversation

@jlucovsky
Contributor

Continuation of #14366

The subslice transform creates a slice of the input buffer.

Specify the subslice desired -- nbytes is optional:
subslice: offset <,nbytes>

offset: Specifies the starting offset for the new subslice. When negative, it expresses how far from the end of the input buffer to begin.

nbytes: Specifies the size of the subslice. When negative, specifies the byte count preceding the offset to include.

When nbytes is not specified, the size of the subslice will be the size of the input buffer - offset.

Examples:
subslice: 1; - The subslice will be a copy of the input
buffer but omit the input buffer's first byte
"This is Suricata" -> "his is Suricata"
subslice: 0, 13; - The slice is created from the first 13 bytes
of the input buffer
"This is Suricata" -> "This is Suric"
subslice: 10, -5; - This is the same as subslice[5, 5]
"This is Suricata" -> "is Su"
subslice: -3; - The subslice will be the last 3 bytes of the
input buffer.
"This is Suricata" -> "ata"

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7672

Describe changes:

  • Add subslice transform and unit tests
  • Document subslice transform, with examples

Updates:

  • Removed support for bracketed values, e.g., [3], [3, 8]
  • Changed function DetectTransformSubsliceData to be attributed with repr(C)
  • Modified handling of negative nbytes values to mean "bytes from the end".
  • start=0 is an error unless nbytes is specified
  • end=0 is always an error.
  • Corrected clippy issues.

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2749
SU_REPO=
SU_BRANCH=

The subslice transform creates a slice of the input buffer.

Specify the subslice desired -- nbytes is optional:
        subslice: offset <,nbytes>

offset: Specifies the starting offset for the new subslice. When
negative, expresses how far from the end of the input buffer to begin.
When nbytes is *not* specified, start must be > 0.

nbytes: Specifies the size of the subslice. When negative, specifies the
byte count preceding the offset to include. Nbytes must be > 0.

When nbytes is not specified, the size of the subslice will be the size
of the input buffer - offset.

Examples:
        subslice: 1;     - The subslice will be a copy of the input
            buffer but omits the input buffer's first byte
            "This is Suricata" -> "his is Suricata"
        subslice: 0, 13; - The slice is created from the first 13 bytes
            of the input buffer
            "This is Suricata" -> "This is Suric"
        subslice: 10, -5; - The subslice is created starting at offset 10
            and continues to 5 bytes before the end of the input buffer
            "This is Suricata" -> "r"
        subslice: -3; - The subslice will be the last 3 bytes of the
            input buffer.
            "This is Suricata" -> "ata"
Add documentation for the subslice transform.

Issue: 7672
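As an added example, not Suricata's code and not part of this PR, the following stand-alone Rust model captures the subslice semantics described above: a negative offset counts back from the end of the input, a negative nbytes ends the slice that many bytes before the end, offset 0 without nbytes and nbytes 0 are rejected at parse time. Out-of-range handling follows what jlucovsky describes later in this thread (offset past the end yields an empty buffer so bsize:0 matches; offset+nbytes past the end leaves the transform unapplied), the negative-offset-before-the-start case is an assumption, and all type and function names are hypothetical.

```rust
// Added example, not Suricata's own code: a stand-alone model of the
// `subslice: offset <,nbytes>` semantics described in this PR.
// Type and function names are hypothetical.

#[derive(Debug, PartialEq)]
pub enum SubsliceError {
    ZeroOffsetWithoutNbytes, // offset 0 without nbytes is an error
    ZeroNbytes,              // nbytes 0 is always an error
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Subslice {
    pub offset: i64,
    pub nbytes: Option<i64>,
}

impl Subslice {
    /// Validate the arguments the way the PR description says rule parsing does.
    pub fn new(offset: i64, nbytes: Option<i64>) -> Result<Self, SubsliceError> {
        match nbytes {
            None if offset == 0 => Err(SubsliceError::ZeroOffsetWithoutNbytes),
            Some(0) => Err(SubsliceError::ZeroNbytes),
            _ => Ok(Subslice { offset, nbytes }),
        }
    }

    /// Apply the transform. `Some(&[])` models the "offset past the end" case
    /// (bsize:0 matches, absent does not). `None` models the "transform not
    /// applied" case for offset+nbytes past the end, as jlucovsky describes it
    /// in the thread; that behaviour was still under discussion in the PR, so
    /// treating it as the final rule is an assumption of this example.
    pub fn apply<'a>(&self, input: &'a [u8]) -> Option<&'a [u8]> {
        let len = input.len() as i64;
        // A negative offset counts back from the end of the input buffer.
        let start = if self.offset < 0 { len + self.offset } else { self.offset };
        // Assumption: a start before the buffer is treated like one past it.
        if start < 0 || start > len {
            return Some(&input[0..0]);
        }
        let end = match self.nbytes {
            None => len,                   // run to the end of the input
            Some(n) if n > 0 => start + n, // n bytes starting at offset
            Some(n) => len + n,            // stop |n| bytes before the end
        };
        if end > len || end < start {
            return None;
        }
        Some(&input[start as usize..end as usize])
    }
}
```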
@victorjulien
Member

What is the behavior if offset > the end of the buffer? Will absent match?

What is the behavior if offset+nbytes > end of buffer, so we get data but not nbytes?

Can you update the SV tests to cover both scenarios?

@codecov

codecov bot commented Nov 25, 2025

Codecov Report

❌ Patch coverage is 94.23077% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.21%. Comparing base (459e259) to head (6910c18).

@@            Coverage Diff             @@
##             main   #14372      +/-   ##
==========================================
+ Coverage   84.19%   84.21%   +0.02%     
==========================================
  Files        1012     1013       +1     
  Lines      261796   262056     +260     
==========================================
+ Hits       220414   220687     +273     
+ Misses      41382    41369      -13     
Flag Coverage Δ
fuzzcorpus 63.25% <13.11%> (-0.03%) ⬇️
livemode 18.75% <13.11%> (+<0.01%) ⬆️
pcap 44.62% <13.11%> (+0.01%) ⬆️
suricata-verify 64.97% <84.29%> (+<0.01%) ⬆️
unittests 59.25% <78.37%> (+0.01%) ⬆️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 28533

@jlucovsky
Contributor Author

What is the behavior if offset > the end of the buffer? Will absent match?

No -- absent will not match but bsize:0 will.

What is the behavior if offset+nbytes > end of buffer, so we get data but not nbytes?

Can you update the SV tests to cover both scenarios?

Yes.

@jlucovsky
Contributor Author

What is the behavior if offset+nbytes > end of buffer, so we get data but not nbytes?

With a buffer like curl/7.64.1 [11 bytes] and subslice: 0, 13, the transform would not be applied. Is that behavior ok? Alternatively, it could be treated as subslice: 0, 11.

Thoughts?

@catenacyber
Contributor

What is the behavior if offset > the end of the buffer? Will absent match?

There is a generic open ticket about transforms error (like base64) https://redmine.openinfosecfoundation.org/issues/7313


When `nbytes` is not specified, the size of the subslice will be the size
of the input buffer minus the `offset` value. The value of ``offset`` must

Contributor


Need to document the out-of-bounds cases' behavior

Contributor

@catenacyber catenacyber left a comment


As per Victor's point

@jlucovsky
Contributor Author

Continued in #14428

@victorjulien
Member

What is the behavior if offset+nbytes > end of buffer, so we get data but not nbytes?

With a buffer like curl/7.64.1 [11 bytes] and subslice: 0, 13, the transform would not be applied. Is that behavior ok? Alternatively, it could be treated as subslice: 0, 11.

Thoughts?

I think I'd prefer to be a bit permissive, but I don't really have a use case in mind.
