Add Setting for pointing at local Suricata rules #3049

Merged (3 commits), Apr 19, 2024

Conversation

@philrz (Contributor) commented Apr 13, 2024

We've had a couple community issues recently where users mistakenly thought Zui's Brimcap YAML Config File setting may have been intended for loading additional local Suricata rules (#3047, #2949). We've never intended to expose UX in Zui to control all the possible customizations in bundled tools like Suricata and have instead tried to maintain a set of sensible defaults to which we've added modest enhancements over time when resources allow. When users ask for customizations that are more ambitious than we can easily offer, our catch-all/fallback answer is to refer them to the Custom Brimcap Config article that guides them through how they can point Zui at their own installs of pcap analyzers like Suricata that they've customized as much as they'd like.

All that said, I recognize that following the Custom Brimcap Config steps could be seen as fairly heavyweight by a user that wants to do something simple such as loading additional Suricata rules. Furthermore, for that specific use case, I already put in most of the hard work via brimdata/build-suricata#63 to make sure that the Suricata rules updater that ships with Brimcap is capable of loading additional rule sets if they're specified on the command line. The user that spawned the inquiry that led to that Brimcap PR only seemed to be interested in standalone Brimcap, so at the time I did not pursue exposing the functionality at the Zui layer. But now that we've established that some Zui users are looking for this functionality, I figure our time is better spent delivering the enhancement rather than repeatedly pointing them at heavyweight docs and hoping for the best.

As described in the suricata-update docs, loading such additional rules is accomplished by appending --local and a pathname to a file or directory of rule files to include. This PR leverages this by exposing a new Local Suricata Rules Folder setting in Zui that allows the user to select a directory that may contain any number of Suricata rules files. The end result is that the additional rules will be included in the final set used by Zui alongside the default Emerging Threats Open rule set that's always present by default.

The following video taken on macOS shows the feature working as intended using a Dev build based on commit c75e955 from this PR's branch. It uses the attached test data in example.pcap.gz, which is a capture of me pinging one of the IP addresses associated with the "stalkerware" rules requested in #3047.

First I baseline by loading the pcap with the default Emerging Threats Open rules and we see no Suricata alert is generated. Then I use the new setting to point at the folder on my desktop that contains the additional stalkerware rules. Changing the setting triggers the re-run of the Suricata rules updater, and we can see the size of the assembled suricata.rules file increase as a result. I then re-import the pcap and we can see the expected alert now appears. Finally, I delete the setting such that the Suricata rules updater re-runs to bring me back to just the default Emerging Threats Open rule set again. Re-processing the pcap one last time, we see the alert is once again gone.

(video attachment: Demo.mp4)

I re-ran this same set of steps with the Windows build and saw the same successful outcome there.

If this merges, what I'll likely do right after is write a new article in the Features section of the Zui docs that covers both this new feature and the existing Brimcap YAML Config File setting. Regarding the latter, up to now its "docs" link in Settings has pointed directly at the Custom Brimcap Config article in the Brimcap wiki. That's been fine, but I feel like a standalone Zui doc that covers pcap processing (maybe reference the plugin system, etc.) in addition to these other topics would be more user-friendly.

Closes #3047
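As an added illustration of the mechanics the PR description relies on (this is example code written for this page, not code from the Zui or Brimcap projects): the wrapper only appends `--local <dir>` to the `suricata-update` invocation when the setting is populated, so clearing the setting falls back to the default rule set, and the size of the assembled `suricata.rules` file can be checked by counting enabled rules before and after. The rule merging below is a deliberately simplified stand-in for what `suricata-update` does (it only concatenates `*.rules` files from the folder); the default rule set and the local rule are constructed sample data, and the `192.0.2.10` address is a documentation-range placeholder, not an indicator from any real rule.

```python
"""Example (not Zui/Brimcap code): assemble the suricata-update argv from a
"local rules folder" setting and verify the merged rule count grows."""
import os
import re
import tempfile
from typing import List, Optional

# Shape of an enabled Suricata rule: action, protocol, header, then an
# options block that carries a sid. Comment lines (disabled rules) are skipped.
RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+.*\(.*sid\s*:\s*\d+.*\)\s*$")

# Constructed stand-in for the bundled default rule set (two enabled rules,
# one disabled). sids in the 9000000 range are local-use placeholders.
DEFAULT_RULES = """\
# constructed stand-in for the default rule set
alert tcp any any -> any 23 (msg:"CONSTRUCTED telnet example"; sid:9000001; rev:1;)
alert udp any any -> any 69 (msg:"CONSTRUCTED tftp example"; sid:9000002; rev:1;)
# alert tcp any any -> any 21 (msg:"CONSTRUCTED disabled rule"; sid:9000003; rev:1;)
"""

# Constructed local rule file the user would drop into the selected folder.
LOCAL_RULES = """\
alert ip any any -> 192.0.2.10 any (msg:"CONSTRUCTED local example rule"; sid:9000100; rev:1;)
# alert ip any any -> 192.0.2.11 any (msg:"CONSTRUCTED disabled local rule"; sid:9000101; rev:1;)
"""


def build_update_argv(local_rules_folder: Optional[str]) -> List[str]:
    """Return the suricata-update command line. `--local <dir>` (a documented
    suricata-update option) is added only when the setting is non-empty, so an
    empty or deleted setting restores the default rule set on the next run."""
    argv = ["suricata-update"]
    if local_rules_folder:
        folder = os.path.expanduser(local_rules_folder)
        if not os.path.isdir(folder):
            # Fail loudly rather than silently running without the user's rules.
            raise FileNotFoundError(f"local rules folder not found: {folder}")
        argv += ["--local", folder]
    return argv


def count_rules(rules_path: str) -> int:
    """Count enabled rules in an assembled suricata.rules file."""
    count = 0
    with open(rules_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if RULE_RE.match(line):
                count += 1
    return count


def merge_rules(default_rules: str, local_folder: Optional[str], out_path: str) -> int:
    """Simplified stand-in for the merge step: concatenate the default rules with
    every *.rules file in local_folder, write out_path, return the rule count."""
    parts = [default_rules]
    if local_folder:
        for name in sorted(os.listdir(local_folder)):
            if name.endswith(".rules"):
                with open(os.path.join(local_folder, name), encoding="utf-8") as fh:
                    parts.append(fh.read())
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(parts) + "\n")
    return count_rules(out_path)


def demo():
    """Baseline without the setting, then with it: returns (before, after, argv)."""
    with tempfile.TemporaryDirectory() as tmp:
        local_dir = os.path.join(tmp, "local-rules")
        os.mkdir(local_dir)
        with open(os.path.join(local_dir, "example.rules"), "w", encoding="utf-8") as fh:
            fh.write(LOCAL_RULES)
        out = os.path.join(tmp, "suricata.rules")
        before = merge_rules(DEFAULT_RULES, None, out)       # setting empty
        after = merge_rules(DEFAULT_RULES, local_dir, out)   # setting populated
        argv = build_update_argv(local_dir)
        return before, after, argv


if __name__ == "__main__":
    b, a, cmd = demo()
    print(f"rules before: {b}, after: {a}, command: {' '.join(cmd[:2])} <folder>")
```

The two things worth keeping from this when wiring a setting like this into a GUI: refuse to run when the configured folder does not exist (a silently dropped `--local` would leave the user believing their rules are loaded), and re-check the rule count after every updater run, which is exactly the size-increase check the description performs by hand.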

@jameskerr (Member) left a comment

This turned out nice.

@philrz philrz merged commit f1aef59 into main Apr 19, 2024
6 checks passed
@philrz philrz deleted the suricata-local-rules branch April 19, 2024 18:54
Successfully merging this pull request may close these issues.

Allow usage of local Suricata rules