detect/http-server-body: avoid FP on toserver direction

Ticket: 6948 http.response_body keyword did not enforce a direction, and thus could match on files sent with POST requests
victorjulien · Apr 19, 2024 · e6895b8 · e6895b8
1 parent 08841f2
commit e6895b8
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
@@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
         return -1;
     if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
         return -1;
+    // file data is on both directions, but we only take the one to client here
+    s->flags |= SIG_FLAG_TOCLIENT;
+    s->flags &= ~SIG_FLAG_TOSERVER;
     return 0;
 }