I recently noticed that the packet provided in the EVE log doesn't match the signature that was triggered. I assumed it had to do with the stream assembly somehow, so I set the signature to flow:no_stream,established,to_server. That corrected the issue and the packet matches what I was looking for. But I'm not sure why. I understand why no_stream works, since it's based on a per-packet basis and not the entire stream, but I don't know why flow:established,to_server; doesn't work.

Tested on versions 5.0.8 and 6.0.4.
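One way to check the symptom described above across a whole EVE log is to base64-decode the alert's packet field and test whether the rule's content bytes are actually present in it. This is an added example, not code from the original post or from Suricata; the EVE record, the sid and the content string are constructed for illustration.

```python
import base64
import json

# Constructed EVE alert line (not a real capture). Suricata logs the frame
# associated with an alert as base64 in the "packet" field.
CONSTRUCTED_PAYLOAD = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
CONSTRUCTED_EVE_LINE = json.dumps({
    "event_type": "alert",
    "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED test rule"},
    "packet": base64.b64encode(CONSTRUCTED_PAYLOAD).decode("ascii"),
})

# Constructed mapping: which content bytes each sid is expected to match.
EXPECTED_CONTENT = {1000001: b"/admin"}


def packet_contains(eve_line: str, content: bytes) -> bool:
    """True if the alert's logged packet carries the given content bytes."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert" or "packet" not in event:
        return False
    raw = base64.b64decode(event["packet"])
    return content in raw


def find_mismatches(eve_lines, expected=EXPECTED_CONTENT):
    """Return sids whose logged packet does not contain the expected content.

    Alerts for sids not in `expected` are skipped; the result lists one
    entry per mismatching alert so repeated alerts are visible.
    """
    mismatches = []
    for line in eve_lines:
        event = json.loads(line)
        sid = event.get("alert", {}).get("signature_id")
        if sid not in expected:
            continue
        if not packet_contains(line, expected[sid]):
            mismatches.append(sid)
    return mismatches


if __name__ == "__main__":
    print(find_mismatches([CONSTRUCTED_EVE_LINE]))  # [] for the constructed line
```

Running it over a real eve.json (one JSON object per line) lists the sids whose alert packet lacks the bytes the rule matched on, which is the quickest way to see whether the flow:no_stream change fixes all affected rules or only some.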