From e6895b835a76a96a18c5e9c33f46c89687eceab9 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 17 Apr 2024 13:39:39 +0200
Subject: [PATCH] detect/http-server-body: avoid FP on toserver direction

Ticket: 6948

http.response_body keyword did not enforce a direction, and thus could match on files sent with POST requests
---
 src/detect-http-server-body.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 98f0ec581e..28833a8a75 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
 return -1;
 if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
 return -1;
+ // file data is on both directions, but we only take the one to client here
+ s->flags |= SIG_FLAG_TOCLIENT;
+ s->flags &= ~SIG_FLAG_TOSERVER;
 return 0;
 }
--
2.47.2
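Review bot: The two added assignments in DetectHttpServerBodySetupSticky overwrite the signature's direction unconditionally, so a rule that an earlier keyword had already narrowed to toserver-only would be silently flipped to toclient instead of being rejected when it is loaded. That would swap the false positive for a rule that loads cleanly but may never match what its author intended, and the outcome presumably depends on keyword order within the rule. Consider failing setup in that case, for example with `if ((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) return -1;` before the assignments, together with an error message naming the keyword. If this file also has a legacy content-modifier setup path for the same buffer, it likely needs the same direction handling. The function starts above this hunk, so none of this could be checked against the earlier code.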