smb: fix SMB_COM_WRITE_ANDX record parser - v4

[b1tg]

Bug: #6008

• I have read the contributing guide lines at https://suricata.readthedocs.io/en/latest/devguide/codebase/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

ticket:
https://redmine.openinfosecfoundation.org/issues/6008

Previous PR: #8889

Changes from last PR:

• split into two commit and add tests
• update SV

SV_BRANCH=pr/1211

[codecov]

Codecov Report

Merging #8905 (1445f07) into master (ebe0a7b) will increase coverage by 0.03%.
The diff coverage is 100.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8905      +/-   ##
==========================================
+ Coverage   82.30%   82.33%   +0.03%     
==========================================
  Files         969      969              
  Lines      273335   273376      +41     
==========================================
+ Hits       224961   225084     +123     
+ Misses      48374    48292      -82     

Flag	Coverage Δ
fuzzcorpus	64.73% <100.00%> (+0.07%)	⬆️
suricata-verify	60.47% <88.88%> (+0.01%)	⬆️
unittests	62.96% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[victorjulien]

Can you look into why some of the SV tests fail?

Also, could you give the git commits unique subjects?

[b1tg]

Can you look into why some of the SV tests fail?

Why Fedora 37 show error about filestore-filecontainer-smb1-padding which is not in SV master?

[victorjulien]

Can you look into why some of the SV tests fail?

Why Fedora 37 show error about filestore-filecontainer-smb1-padding which is not in SV master?

It uses the tests from SV PR 1211, since that is what the PR body specifies.

[b1tg]

Seems the num before .json is not fixed between runs, i am not familiar with SV, any suggestions on how to troubleshoot this? Thanks.

checks:
  - filter:
      filename: "filestore/04/04f93fbae50680991af90eb8a5a447d7b353d9c09097b3a905745d285d7ba634.1684287875.1.json"
      count: 1
      match:
        fileinfo.sha256: 04f93fbae50680991af90eb8a5a447d7b353d9c09097b3a905745d285d7ba634
  - filter:
      filename: "filestore/81/81ef17f513f4959ba2a8243fa1412fa11b7d8f2c064da1f7ae98429188b6229c.1684287889.2.json"
      count: 1
      match:
        fileinfo.sha256: 81ef17f513f4959ba2a8243fa1412fa11b7d8f2c064da1f7ae98429188b6229c

[b1tg]

I just push a new commit in SV, could you re-run the failed tests？
OISF/suricata-verify@f8537ba

[victorjulien]

I just push a new commit in SV, could you re-run the failed tests？ OISF/suricata-verify@f8537ba

I've restarted all "build" runs.

[b1tg]

All tests passed now.

[catenacyber]

Thanks for these fixes

CI : 🟢
Code : 🟢
Commits segmentation : 🟢
Commit messages : could you give the git commits unique subjects?
I also think you can just write Bug: #6008 simpler than Bug: OISF#6008
Git ID set : 🟢
CLA : 🟢 already some merged commits
Doc update : 🟢 none needed
Redmine ticket : 🟢 I updated
Rustfmt : rust is not formatted before this PR
Tests : Are the unit tests duplicating the S-V ones ? I think we prefer S-V
Dependencies added: 🟢 none

[catenacyber]

So, almost all green, just the commit messages to reword a bit, and a questions about the testing...

[b1tg]

use #8938