detect: add test for ldap.request.operation - draft v2

[AkakiAlice]

Ticket: 7453

Description:

• Add S-V test for ldap.request.operation keyword

test.rules changes:

• Add tests for str arguments
• Add tests for ldap.responses.operation

test.yaml changes:

• Reuse pcap from ../ldap-search/ldap.pcap
• Test pcap_cnt

README.md changes:

• Change description

Not included yet:

• Tests for arguments all any count when using ldap.responses.operation

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7453
Suricata PR: OISF/suricata#12321
Previous PR: #2206

[AkakiAlice]

I included eve.json because I don't understand why I can´t match pcap_cnt: 9 for search_result_done

[catenacyber]

I included eve.json because I don't understand why I can´t match pcap_cnt: 9 for search_result_done

Suricata acts on acked data, unless used in inline mode.
You can use --set stream.inline=true for this.

Is it your problem ?

[catenacyber]

And the signatures are inspected for the packet in the right direction

[catenacyber]

so, search_result_entry is only at packet 8 because it is the first packet in the good direction after having asked the data

In the end, a pseudo-packet is created to timeout flows and process what is remaining in them