detect/http-server-body: avoid FP on toserver direction
authorPhilippe Antoine <pantoine@oisf.net>
Wed, 17 Apr 2024 11:39:39 +0000 (13:39 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 19 Apr 2024 18:51:23 +0000 (20:51 +0200)
Ticket: 6948

http.response_body keyword did not enforce a direction, and thus
could match on files sent with POST requests

src/detect-http-server-body.c

index 98f0ec581e9488c3f02b0cdb343938af8f389488..28833a8a75bf1dd04ff560bc9253214faddf1aef 100644 (file)
@@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
         return -1;
     if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
         return -1;
+    // file data is on both directions, but we only take the one to client here
+    s->flags |= SIG_FLAG_TOCLIENT;
+    s->flags &= ~SIG_FLAG_TOSERVER;
     return 0;
 }
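Review bot: The two flag assignments added before `return 0;` are unconditional, so a rule already restricted to the to-server direction by an earlier keyword (presumably `flow:to_server`, which is not visible here) would be silently flipped to to-client instead of being rejected as contradictory. For a rule writer, that turns a mistake into a signature that loads cleanly but inspects different traffic than written, which is hard to notice as a missed detection. Consider failing setup in that case, ahead of the new lines: `if ((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) { SCLogError("http.response_body cannot be used in a to_server-only rule"); return -1; }`. It is also worth confirming that a direction keyword parsed after this one cannot set SIG_FLAG_TOSERVER again and undo the restriction. DetectHttpServerBodySetupSticky starts above the hunk, so any earlier checks in it are not visible here.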