If possible could you post the full rule contents that you are using? It makes it easier to determine if there are any unintentional errors in syntax and such. Thanks!
drop tcp any any -> any any ( msg:"Block Content"; flow:to_client,established; content:"Content-Type: application/"; http_header; classtype: policy-violation; sid:1200006; rev:1;metadata: signature_severity Minor;)
drop tcp any any -> any any ( msg:"Blocked File Upload"; flow:to_server,established; content:"POST"; http_method; classtype: policy-violation; sid:1200004; rev:1;metadata: signature_severity Minor;)
drop tcp any any -> any any ( msg:"Blocked File Upload 2"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition:"; http_header; classtype: policy-violation; sid:1200005; rev:1;metadata: signature_severity Minor;)
Thanks for the full signatures, they look good! I would offer some quick notes and updates around the signatures. I would suggest the following updates to use the full features Suricata has to offer from an application layer perspective (HTTP in this case) and keyword functionality.
drop http any any -> any any (msg:"Block Content"; flow:established,to_client; http.content_type; content:"application/"; startswith; fast_pattern; classtype:policy-violation; sid:1200006; rev:1; metadata:signature_severity Minor;)
drop http any any -> any any (msg:"Blocked File Upload"; flow:established,to_server; http.method; content:"POST"; classtype:policy-violation; sid:1200004; rev:1; metadata:signature_severity Minor;)
drop http any any -> any any (msg:"Blocked File Upload 2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Content-Disposition|0d 0a|"; classtype:policy-violation; sid:1200005; rev:1; metadata:signature_severity Minor;)
Ideally, instead of any, try to use $HOME_NET, $EXTERNAL_NET, or any custom network variables to ensure these fire as expected.
Also, you have a bit of overlap with signatures 1200004 and 1200005. With signature 1200004 there is only one content to be matched, the http method POST. This signature will fire before 1200005.
With regard to the question of why uploading may still be allowed, there is an order to signature actions, meaning some signature actions (e.g. alert, drop, pass) are processed before other actions.
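The review points from the reply above (HTTP protocol with sticky buffers, network variables, the 1200004/1200005 overlap) can be checked mechanically. The following Python linter is an added example, not part of the original thread or of Suricata; `parse`, `lint` and the simplified option parser are assumptions that cover only the syntax seen in these rules.

```python
import re

# Legacy content modifiers and the sticky buffers with the same meaning.
LEGACY = {"http_method": "http.method", "http_header": "http.header"}
HEAD = re.compile(r'^\s*\w+\s+(\w+)\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+\s*\((.*)\)\s*$')
OPT = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse(rule):
    """Simplified parser: header fields plus (buffer, pattern) content pairs."""
    m = HEAD.match(rule)
    if not m:
        raise ValueError("not a rule: " + rule[:40])
    proto, src, dst, body = m.groups()
    opts = [(k, v.strip().strip('"')) for k, v in OPT.findall(body)]
    matches, sticky = [], None
    for key, val in opts:
        if key.startswith("http."):
            sticky = key                      # sticky buffer: applies to later contents
        elif key == "content":
            matches.append([sticky, val])
        elif key in LEGACY and matches:
            matches[-1][0] = LEGACY[key]      # modifier: applies to the previous content
    d = dict(opts)
    return {"sid": int(d["sid"]), "proto": proto, "nets": (src, dst),
            "flow": frozenset(d.get("flow", "").split(",")),
            "legacy": [k for k, _ in opts if k in LEGACY],
            "matches": {tuple(x) for x in matches}}

def lint(rules):
    """Return (sid, finding) tuples for the points raised in the reply."""
    parsed, out = [parse(r) for r in rules], []
    for p in parsed:
        if p["legacy"] and p["proto"] != "http":
            out.append((p["sid"], f"http keywords on proto '{p['proto']}': use 'http'"))
        for k in sorted(set(p["legacy"])):
            out.append((p["sid"], f"legacy modifier {k}: use a sticky buffer such as {LEGACY[k]}"))
        if p["nets"] == ("any", "any"):
            out.append((p["sid"], "any -> any: scope with $HOME_NET / $EXTERNAL_NET"))
        for q in parsed:   # p's contents are a strict subset of q's: p matches whatever q matches
            if q is not p and p["flow"] == q["flow"] and p["matches"] < q["matches"]:
                out.append((p["sid"], f"matches everything sid {q['sid']} matches"))
    return out

RULES = [  # the three rules as first posted in the thread
    'drop tcp any any -> any any ( msg:"Block Content"; flow:to_client,established; content:"Content-Type: application/"; http_header; classtype: policy-violation; sid:1200006; rev:1;metadata: signature_severity Minor;)',
    'drop tcp any any -> any any ( msg:"Blocked File Upload"; flow:to_server,established; content:"POST"; http_method; classtype: policy-violation; sid:1200004; rev:1;metadata: signature_severity Minor;)',
    'drop tcp any any -> any any ( msg:"Blocked File Upload 2"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition:"; http_header; classtype: policy-violation; sid:1200005; rev:1;metadata: signature_severity Minor;)',
]
if __name__ == "__main__":
    print(*lint(RULES), sep="\n")
```

Run against the updated rules from the reply, only the `any -> any` and overlap findings remain.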