IMAP protocol parser, logger and sticky buffers

[glongo]

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8276

Describe changes:

• IMAP parser/logger added

This is how an IMAP event looks like:

{
  "timestamp": "2013-08-22T21:17:57.795777+0200",
  "flow_id": 1602741626236470,
  "pcap_cnt": 18,
  "event_type": "imap",
  "src_ip": "192.168.0.4",
  "src_port": 23465,
  "dest_ip": "212.227.15.171",
  "dest_port": 143,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "imap": {
    "requests": [
      "4 APPEND Sent (\\Seen) {452+}"
    ],
    "responses": [
      "4 OK [APPENDUID 1377199071 1] APPEND completed"
    ],
    "email": {
      "direction": "to_server",
      "headers": {
        "content_transfer_encoding": "7bit",
        "to": "w.buchanan@napier.ac.uk",
        "cc": "w_j_buchanan@hotmail.com",
        "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8",
        "message_id": "<521663E3.7090401@networksims.com>",
        "content_type": "text/plain; charset=ISO-8859-1; format=flowed",
        "date": "Thu, 22 Aug 2013 20:17:55 +0100",
        "from": "DI <digitalinvestigator@networksims.com>",
        "mime_version": "1.0",
        "subject": "Testing"
      },
      "body": "Hello ... how are you?\r\n\r\nBill.\r\n"
    }
  }
}

• Sticky buffers added:

  • imap.request
  • imap.response
  • imap.email.direction
  • imap.email.header
  • imap.email.header.name
  • imap.email.header.value
  • imap.email.body

• Doc updated

SV_BRANCH=OISF/suricata-verify#2908

[github-actions]

NOTE: This PR may contain new authors.

[codecov]

Codecov Report

❌ Patch coverage is 83.01698% with 340 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.17%. Comparing base (571681b) to head (b7cf4c6).
⚠️ Report is 40 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14792      +/-   ##
==========================================
+ Coverage   82.15%   82.17%   +0.02%     
==========================================
  Files        1003     1006       +3     
  Lines      263674   265642    +1968     
==========================================
+ Hits       216610   218292    +1682     
- Misses      47064    47350     +286     

Flag	Coverage Δ
fuzzcorpus	59.75% <11.04%> (-0.44%)	⬇️
livemode	18.66% <11.04%> (-0.24%)	⬇️
netns	18.84% <11.14%> (-0.05%)	⬇️
pcap	44.80% <65.98%> (+0.16%)	⬆️
suricata-verify	65.56% <77.21%> (+0.09%)	⬆️
unittests	59.21% <57.14%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[suricata-qa]

Information: QA ran without warnings.

Pipeline = 29540

[jasonish]

I sent you some pcaps the other day that showed an issue with the body.

I also think we need to align as much as we can with the email object we already have at the top level. Something like...

If its generic to smtp, imap, etc.. It should go in the email object. If its specific to imap, then it goes in the imap object.

[glongo]

Replaced with #14822

[glongo]

I sent you some pcaps the other day that showed an issue with the body.

I also think we need to align as much as we can with the email object we already have at the top level. Something like...

If its generic to smtp, imap, etc.. It should go in the email object. If its specific to imap, then it goes in the imap object.

Should imap.email.body be renamed to email.body ?

[catenacyber]

Should imap.email.body be renamed to email.body ?

Maybe indeed