From 255c6cab7a9e2405f5b27ea166ba672b41d3c75b Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Thu, 5 Jul 2012 10:07:16 +0530
Subject: [PATCH 1/2] Update SigValidate() to allow http keywords to be specified in the right flow direction
---
 src/detect-parse.c | 39 ++++++++++++++++++++++++++++-----------
 1 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/src/detect-parse.c b/src/detect-parse.c
index c62ec86..62eada8 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -999,17 +999,34 @@ static int SigValidate(Signature *s) {
 SCReturnInt(0);
 }
- /* check for uricontent + from_server/to_client */
- if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
- SigMatch *sm;
- for (sm = s->sm_lists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_FLOW) {
- DetectFlowData *fd = (DetectFlowData *)sm->ctx;
- if (fd == NULL)
- continue;
+ SigMatch *sm;
+ for (sm = s->sm_lists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
+ if (sm->type == DETECT_FLOW) {
+ DetectFlowData *fd = (DetectFlowData *)sm->ctx;
+ if (fd == NULL)
+ continue;
- if (fd->flags & FLOW_PKT_TOCLIENT) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent / http_uri with flow:to_client or flow:from_server");
+ if (fd->flags & FLOW_PKT_TOCLIENT) {
+ /* check for uricontent + from_server/to_client */
+ if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
+ "/http_uri , raw_uri, http_client_body, "
+ "http_method, http_user_agent keywords "
+ "with flow:to_client or flow:from_server");
+ SCReturnInt(0);
+ }
+ } else if (fd->flags & FLOW_PKT_TOSERVER) {
+ /* check for uricontent + from_server/to_client */
+ if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use http_"
+ "server_body, http_stat_msg, http_stat_code "
+ "with flow:to_server or flow:from_client");
 SCReturnInt(0);
 }
 }
--
1.7.1
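Review bot: The comment inside the new `FLOW_PKT_TOSERVER` branch is a copy of the one in the branch above (`/* check for uricontent + from_server/to_client */`) and describes the opposite case; it should read something like `/* response-side http keywords can't be combined with flow:to_server / from_client */`, and the first comment could name all five request-side lists that branch now tests. The first error string also lists `raw_uri` where every other entry is a full keyword name (presumably `http_raw_uri`) and has stray spacing in `"/http_uri , raw_uri, ..."`; this message is all a rule author sees when the signature is rejected and dropped from the ruleset, so the names should be exact. Both checks run only when a `DETECT_FLOW` match with a non-NULL context is present, and the `else if` skips the response-side test whenever `FLOW_PKT_TOCLIENT` is set, so a signature without a flow keyword that combines request-side and response-side lists is not examined here. Whether such a rule can ever match is not visible in this hunk, and it is worth confirming so that it cannot load as a rule that never fires. The loop and `SigValidate()` both continue outside the hunk.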