Thank you @jmtaylor90 and @jufajardini ,
Is there anyway or any rules to prevent such behavior, someone fuzzing the network may get 200 OK and it may be because of pass action we defined.
Any rules you recommend to stop threat going through same TCP session?
I tried making use of flowbits but still working on it to understand how I can implement this.
Also @jmtaylor90 do you think the docs should be updated to something like this
If a signature matches and contains pass, Suricata stops scanning the packet(s) and skips to the end of all rules (Any further packets will not be evaluated for the flow).
Many Thanks