From: Eileen Donlon <emdonlo@gmail.com>
Date: Mon, 30 Apr 2012 15:56:09 +0000 (-0400)
Subject: disallow http_server_body with flow:to_server
X-Git-Tag: suricata-1.3beta2~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7807a21b6f6f72ce3897147530c729446e66cde;p=thirdparty%2Fsuricata.git

disallow http_server_body with flow:to_server

disallow http_server_body with flow:to_server or from_client
---

diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 0b049c83e9..32e1e435b0 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -122,7 +122,10 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
                    "be used with the rawbytes rule keyword");
         return -1;
     }
-
+    if (s->init_flags & SIG_FLAG_INIT_FLOW && s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
+        SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body cannot be used with flow:to_server or from_client");
+        return -1;
+    }
     if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
         SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
                    "alproto set");