detect/http-server-body: avoid FP on toserver direction

Ticket: 6948 http.response_body keyword did not enforce a direction, and thus could match on files sent with POST requests
1 year ago · e6895b835a
parent 08841f27ff
commit e6895b835a
1 changed files with 3 additions and 0 deletions
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@ -124,6 +124,9 @@ static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s
        return -1;
    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
+    // file data is on both directions, but we only take the one to client here
+    s->flags |= SIG_FLAG_TOCLIENT;
+    s->flags &= ~SIG_FLAG_TOSERVER;
    return 0;
 }