detect/analyzer: add more details for icmp_id - v1

[AkakiAlice]

Ticket: #6360

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/6360

Describe changes:

• Add more details for the icmp_id keyword

SV_BRANCH=OISF/suricata-verify#2088

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Project coverage is 79.19%. Comparing base (d5dd549) to head (8016a32).
Report is 5 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11924      +/-   ##
==========================================
- Coverage   82.70%   79.19%   -3.51%     
==========================================
  Files         912      912              
  Lines      249102   248931     -171     
==========================================
- Hits       206018   197150    -8868     
- Misses      43084    51781    +8697     

Flag	Coverage Δ
fuzzcorpus	60.72% <0.00%> (+0.04%)	⬆️
livemode	18.72% <0.00%> (-0.01%)	⬇️
pcap	44.12% <0.00%> (+0.01%)	⬆️
suricata-verify	?
unittests	58.99% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[inashivb]

Nice job, Alice! We need this little patch here to get this going w your s-v PR:

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index a5e8e293b..3d4d8991a 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -928,7 +928,7 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
             case DETECT_ICMP_ID: {
                 const DetectIcmpIdData *cd = (const DetectIcmpIdData *)smd->ctx;
                 jb_open_object(js, "id");
-                jb_set_uint(js, "number", cd->id);
+                jb_set_uint(js, "number", SCNtohs(cd->id));
                 jb_close(js);
                 break;
             }

This is because we store ICMP IDs in network byte order. I do not know the protocol well enough to explain why but saw that what we expect in the output is actually host byte order. SCNtohs does that conversion for you. :)

[inashivb]

One change requested inline. Keep up the good work! :)