From: Philippe Antoine Date: Wed, 17 Apr 2024 11:39:39 +0000 (+0200) Subject: detect/http-server-body: avoid FP on toserver direction X-Git-Tag: suricata-8.0.0-beta1~1450 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6895b835a76a96a18c5e9c33f46c89687eceab9;p=thirdparty%2Fsuricata.git detect/http-server-body: avoid FP on toserver direction Ticket: 6948 http.response_body keyword did not enforce a direction, and thus could match on files sent with POST requests
---
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 98f0ec581e..28833a8a75 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
 return -1;
 if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
 return -1;
+ // file data is on both directions, but we only take the one to client here
+ s->flags |= SIG_FLAG_TOCLIENT;
+ s->flags &= ~SIG_FLAG_TOSERVER;
 return 0;
 }
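Review bot: The two added flag assignments overwrite the signature's direction unconditionally, so a rule that had already been restricted to the to-server side before `http.response_body` is parsed would be silently turned into a to-client rule instead of being rejected at load time. If nothing outside this hunk catches that conflict, a guard ahead of the assignments such as `if ((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) return -1;` (with an error log) would make the contradiction visible to the rule writer. The reverse order, a direction keyword parsed after this one, could set `SIG_FLAG_TOSERVER` again; that may be handled elsewhere but is not visible here. The commit also carries no test, and a regression case in which a POST upload body must not match `http.response_body` would pin the fix for Ticket 6948. The function's opening lines lie outside the hunk.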