After a fair bit more investigating with wireshark it seems at least some of these alerts may be somewhat legitimate – there appears to be some kind of OS/client that feels the need to send a RST immediately after or in the middle of the 4-way FIN/ACK shutdown. These two representative examples show what appears to be a RST arriving at the exact same time as a FIN,ACK from the client.
I’m not sure what triggers this behaviour but it seems to happen consistently on a significant percentage of our web traffic that its probably not “anomalous” I’m guessing there isn’t actually much I can do about this other than disable the rules.