From 9c90d0171759a810bba4d634de1da2f46ef36ecf Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 5 Aug 2023 11:46:20 +0200
Subject: [PATCH] detect/file: correct registration for HTTP
Register file.name and file.magic at correct progress values.
In HTTP1, the files are (part of) the body, so make sure the file detection logic only runs when the parser has started processing the body.
---
 src/detect-filemagic.c | 17 +++++++++++++----
 src/detect-filename.c | 15 ++++++++++++---
 2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
index 2af09b48ef4b..607f650cd803 100644
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@@ -112,10 +112,19 @@ void DetectFilemagicRegister(void)
 sigmatch_table[DETECT_FILE_MAGIC].Setup = DetectFilemagicSetupSticky;
 sigmatch_table[DETECT_FILE_MAGIC].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- AppProto protos_ts[] = {
- ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
- AppProto protos_tc[] = {
- ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+ AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
+ 0 };
+ AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+
+ DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+ HTP_REQUEST_BODY, DetectEngineInspectFilemagic, NULL);
+ DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilemagicRegister,
+ NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+ DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectFilemagic, NULL);
+ DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilemagicRegister,
+ NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 for (int i = 0; protos_ts[i] != 0; i++) {
 DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
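Review bot: The reason ALPROTO_HTTP is now registered by hand at HTP_REQUEST_BODY / HTP_RESPONSE_BODY instead of through the protos_ts/protos_tc loops lives only in the commit message; the new block in DetectFilemagicRegister should state it in the code, e.g. `/* HTTP1: files are (part of) the body, so only inspect file.magic once the parser has reached the body state */` above the first DetectAppLayerInspectEngineRegister2 call, so the next person does not fold ALPROTO_HTTP back into the arrays. The same comment is missing from the identical block in src/detect-filename.c. The four calls differ only in direction flag and progress value, and the block is copied verbatim between the two files; if more file buffers follow this pattern, a small static helper taking the buffer name, direction and progress would keep the registrations from drifting apart. DetectFilemagicRegister starts before the hunk and continues past it, so the progress values the remaining loop passes for the other protocols are not visible here.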
diff --git a/src/detect-filename.c b/src/detect-filename.c
index 6cd111ceffbd..4848d22ed9d2 100644
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
@@ -142,10 +142,19 @@ void DetectFilenameRegister(void)
 g_file_match_list_id = DetectBufferTypeGetByName("files");
- AppProto protos_ts[] = { ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
- ALPROTO_NFS, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
+ AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
 0 };
+ AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS, 0 };
+
+ DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+ HTP_REQUEST_BODY, DetectEngineInspectFilename, NULL);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
+ NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+ DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectFilename, NULL);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+ NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 for (int i = 0; protos_ts[i] != 0; i++) {
 DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],