Fixed the typo of the buffer name for sip.stat_code

[starrysec]

Fixed the typo of the buffer name for sip.stat_code, The correct name is sip.stat_code, not sip.method.

SV_BRANCH=OISF/suricata-verify#2072

[github-actions]

NOTE: This PR may contain new authors.

[catenacyber]

Thanks for this.

Question for the team: can this lead to wrong detection when using sip.stat_codeand sip.method keywords ?

Note: this was fixed in master by moving the code to rust

[inashivb]

Question for the team: can this lead to wrong detection when using sip.stat_codeand sip.method keywords ?

Don't know anything about sip but we do have s-v tests for this which pass in master, main-7.0.x and this PR:

1. sip-stat-code which passes. I can confirm that it passes correctly. Wireshark filter sip.Status-Code==100 shows exactly the number of matches expected.
2. sip-method which passes. I can confirm that this passes correctly too. Wireshark filter sip.Method==REGISTER shows exactly the number of matches expected.

I haven't tried to look how the BUFFER_NAME impacts the parsing and storage of the respective fields..

[catenacyber]

Don't know anything about sip but we do have s-v tests for this which pass in master, main-7.0.x and this PR:

What we would want to test here I guess is a test with at the same time both sip.stat_code and sip.method rules

Maybe we are only safe because these are not in the same direction

[catenacyber]

I think that rule alert sip any any -> any any (sip.stat_code; content:"REGISTER"; sid:2;) will trigger an alert in sip-method SV test

and alert sip any any -> any any (sip.method; content:"100"; sid:2;) in sip-stat-code test

[catenacyber]

Created https://redmine.openinfosecfoundation.org/issues/7295 for this

[catenacyber]

And I created OISF/suricata-verify#2072 as a test

[inashivb]

Thank you for your first contribution to Suricata! :)
Could you please:

1. make commit message as follows:

sip/stat_code: fix buffer name

Bug #7295

2. change the commit author to the format FirstName LastName <[email protected]>. This name should match the name you sign contribution agreement with.
3. rebase on latest main-7.0.x.
4. submit a new PR w the changes asked above. Please do not remove the PR body and tick all the boxes that apply.

[catenacyber]

I was doing it in #11857

[glongo]

I apologize :'-)

[catenacyber]

I apologize :'-)

I thank you for having fixed this in master already Giuseppe ;-)

[victorjulien]

@starrysec can you please rework this in a next PR:

1. make sure to review the entries from the PR template
2. review & sign the CLA
3. use a real name commit author setting.
   Thanks!