From: Philippe Antoine
Date: Wed, 17 Apr 2024 11:39:39 +0000 (+0200)
Subject: detect/http-server-body: avoid FP on toserver direction
X-Git-Tag: suricata-7.0.5~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93ac371fe849eefcdc7970f0f3ccda4b66332895;p=thirdparty%2Fsuricata.git
detect/http-server-body: avoid FP on toserver direction
Ticket: 6948
http.response_body keyword did not enforce a direction, and thus could match on files sent with POST requests
(cherry picked from commit e6895b835a76a96a18c5e9c33f46c89687eceab9)
---
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 98f0ec581e..28833a8a75 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
 return -1;
 if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
 return -1;
+ // file data is on both directions, but we only take the one to client here
+ s->flags |= SIG_FLAG_TOCLIENT;
+ s->flags &= ~SIG_FLAG_TOSERVER;
 return 0;
 }
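Review bot: The two added assignments to `s->flags` overwrite the signature's direction unconditionally, so a rule that an earlier keyword had already restricted to the to-server side would be silently turned into a to-client rule instead of being rejected at load time. How `s->flags` is initialised and how the flow keyword sets it is not visible in this hunk, so this needs confirming against the parser. If such a conflict is reachable, failing the setup is easier for a rule author to notice than a rewritten rule, e.g. `if ((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) return -1;` preceded by an error log naming the keyword. The same question applies in the other order, when a direction keyword follows http.response_body in the rule. The function starts outside the hunk.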