detect/absent: Add error_or, must_error, and must_succeed options

[jlucovsky]

Continuation of #15739

Add error_or and must_error options to the absent keyword, enabling
rules to detect when a transform operation (such as base64 decoding or
pcre matching) fails on an inspection buffer.

The five absent modes:

• absent — matches only when the buffer is absent (existing behavior)
• absent: or_else — matches when absent OR subsequent keywords match (existing behavior, renamed)
• absent: error_or — matches when a transform error occurs OR subsequent keywords match
• absent: must_error — matches only when a transform error occurs; no other keywords allowed on the same buffer
• must_succeed — requires the transform to succeed; produces no match if the transform fails.
  Prevents false positives by ensuring content inspection only runs on successfully transformed data.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7114

Describe changes:

• Add SCInspectionBufferSetError() to flag when a transform cannot complete with the DETECT_CI_FLAGS_ERROR flag. When this is set, the buffer data is not modified.
• from_base64 and pcrexform signal errors when the transform cannot complete.
• The engine analyzer validates that 1error_or/must_error/must_succeedare paired with a can-fail transform; thator_elseis not paired with a can-fail transform (use error_or instead); thatmust_erroris not combined with other content keywords; thatabsentandfast_pattern` are not used on the same buffer; and that only one absent keyword appears per buffer.
• Update engine analyzer to output absent.mode string
• Document all modes with examples and list error-signaling transforms

Updates:

• See detect/absent: Add error_or and must_error options for transform error detection #15312 for prev updates
• Added must_succeed -- matches on transform success only.
• Fixed issue with failing s-v tests -- updated dcerpc to set endian flag after applying transform.
• Rebase of suri and s-v branches
• Formatting fix up, rebase
• Updated bindgen for DETECT_CI_FLAGS change
• Address review comments from detect/absent: Add error_or and must_error and must_succeed options #15514, rebase
• Fixed commit-check issues reported in detect/absent: Add error_or and must_error and must_succeed options #15682
• Split dcerpc fix into its own first commit
• Addressed review comments from detect/absent: Add error_or and must_error and must_succeed options #15698
• Formatting fix up, rebase

Provide values to any of the below to override the defaults.

• To use a Suricata-Verify or Suricata-Update pull request,
  link to the pull request in the respective _BRANCH variable.
• Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2982
SU_REPO=
SU_BRANCH=

[codecov]

Codecov Report

❌ Patch coverage is 96.62577% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.97%. Comparing base (17dc065) to head (3eefe43).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15745      +/-   ##
==========================================
+ Coverage   82.95%   82.97%   +0.01%     
==========================================
  Files        1003     1002       -1     
  Lines      275096   275371     +275     
==========================================
+ Hits       228217   228494     +277     
+ Misses      46879    46877       -2     

Flag	Coverage Δ
fuzzcorpus	61.47% <61.11%> (-0.01%)	⬇️
livemode	18.36% <9.02%> (+<0.01%)	⬆️
netns	22.68% <9.72%> (-0.03%)	⬇️
pcap	45.31% <13.19%> (-0.07%)	⬇️
suricata-verify	66.94% <87.50%> (-0.02%)	⬇️
unittests	58.49% <82.82%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data	604	663	109.77%
.app_layer.error.ftp.parser	17	0	-

Pipeline = 32287