From: Philippe Antoine
Date: Wed, 24 Aug 2022 20:22:53 +0000 (+0200)
Subject: detect: support file.data for HTTP1 to server
X-Git-Tag: suricata-7.0.0-beta1~264
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e587f6792afdb863cbe57e972bd395443f23d9d9;p=thirdparty%2Fsuricata.git
detect: support file.data for HTTP1 to server
That is file sent with POST or PUT
Ticket: #4144
---
diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 0904b7c527..a8096067f9 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -97,6 +97,8 @@ void DetectFiledataRegister(void)
 ALPROTO_SMTP, 0);
 DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmHTTPFiledataRegister, NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
+ NULL, ALPROTO_HTTP1, HTP_REQUEST_BODY);
 DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_SMB, 0);
@@ -124,6 +126,8 @@ void DetectFiledataRegister(void)
 DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
+ DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
+ HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
 DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
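Review bot: The two new registrations wire the HTTP1 request side to the generic file engines (`PrefilterMpmFiledataRegister`, `DetectEngineInspectFiledata`) while the response side keeps the HTTP-specific ones (`PrefilterMpmHTTPFiledataRegister`, `DetectEngineInspectBufferHttpBody`), and nothing in DetectFiledataRegister says why, so a short comment on the added lines would stop the next reader from taking the asymmetry for a mistake, e.g. `/* to_server: inspect files carried in the request via the generic file engine (as SMTP/SMB), not the HTTP body buffer */`. If that is the intent, file_data has direction-dependent semantics on HTTP1 (response body buffer vs. per-file request content), which the keyword documentation should state now that the parse-time rejection of flow:to_server is dropped in the DetectFiledataSetup hunk without a docs change in this commit. The removed check also covered `ALPROTO_HTTP`, but the registrations here are for `ALPROTO_HTTP1` only; unless a to_server engine exists for the other HTTP protocols (not visible here), an `alert http ... flow:to_server; file_data;` rule that previously failed to load may now load and silently never match on them, so either a load-time error for that case or an engine for those protocols is worth confirming. Both hunks sit inside DetectFiledataRegister, whose body extends beyond them.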
@@ -210,14 +214,6 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
 return -1;
 }
- if ((s->alproto == ALPROTO_HTTP1 || s->alproto == ALPROTO_HTTP) &&
- (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) && (s->flags & SIG_FLAG_TOSERVER) &&
- !(s->flags & SIG_FLAG_TOCLIENT)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
- "flow:to_server or flow:from_client with http.");
- return -1;
- }
-
 if (s->alproto == ALPROTO_SMTP && (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) && !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
diff --git a/src/tests/detect-file-data.c b/src/tests/detect-file-data.c
index 444a1f026d..e96b3418a3 100644
--- a/src/tests/detect-file-data.c
+++ b/src/tests/detect-file-data.c
@@ -106,22 +106,6 @@ static int DetectFiledataParseTest04(void)
 PASS;
 }
-/**
- * \test Test the file_data fails with flow:to_server.
- */
-static int DetectFiledataParseTest05(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
- de_ctx->flags |= DE_QUIET;
- Signature *s = DetectEngineAppendSig(de_ctx,
- "alert http any any -> any any "
- "(msg:\"test\"; flow:to_server,established; file_data; content:\"abc\"; sid:1;)");
- FAIL_IF_NOT_NULL(s);
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
 static int DetectFiledataIsdataatParseTest1(void)
 {
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
@@ -184,7 +168,6 @@ void DetectFiledataRegisterTests(void)
 UtRegisterTest("DetectFiledataParseTest02", DetectFiledataParseTest02);
 UtRegisterTest("DetectFiledataParseTest03", DetectFiledataParseTest03);
 UtRegisterTest("DetectFiledataParseTest04", DetectFiledataParseTest04);
- UtRegisterTest("DetectFiledataParseTest05", DetectFiledataParseTest05);
 UtRegisterTest("DetectFiledataIsdataatParseTest1", DetectFiledataIsdataatParseTest1);