HTTP host matching not working across TCP packet boundaries?

Suricata checks whether the header is terminated with CRLF CRLF (0d0a0d0a) before checking the HTTP header values. If the packet becomes longer because of a cookie or other value, the CRLF CRLF is only identified after the first packet. Suricata checks that the HTTP header is terminated, then compares the loaded rule with the stream and alerts if it matches.

With the drop http ~ and pass http ~ rules mentioned above, we expected example.com to pass and the rest of the requests to be blocked. However, once the method and a space are identified, such as GET + space (0x20), the traffic is considered HTTP. For an HTTP request split across two or more packets, the header termination is checked after the first packet. As a result, all HTTP requests are blocked, because the method and space are already checked before the rule that uses http.host is checked.

You can consider using a rule like this instead:

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Excluding example.com"; http.host; content:!"example.com"; )
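The following is an added toy simulation, not Suricata code and not part of the post above, that reproduces the timing described in it: a stream counts as HTTP as soon as a method plus space is seen, while an http.host match is only possible once the header block is terminated by CRLF CRLF. The `Rule` model, the method list, the pass-before-drop ordering (modelled on Suricata's default action order) and the sample request with a long cookie are all assumptions made for the example. It shows why a pass http.host rule paired with a catch-all drop http rule drops a split request on its first segment, and why the single negated http.host rule does not.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

HEADER_END = b"\r\n\r\n"          # 0d0a0d0a: end of the header block
# Assumed method list; in the model, "method + space" is what makes a stream HTTP.
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Rule:
    """Minimal hypothetical stand-in for a Suricata rule (not Suricata's own model)."""
    action: str                      # "pass" or "drop"
    msg: str
    host: Optional[bytes] = None     # http.host; content:"<host>" when set
    negate: bool = False             # content:!"<host>"


def parse_host(buf: bytes) -> Optional[bytes]:
    """Return the Host header value once the header block is terminated.
    None while CRLF CRLF has not been seen yet; b"" if headers are complete
    but carry no Host header."""
    end = buf.find(HEADER_END)
    if end < 0:
        return None
    for line in buf[:end].split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip()
    return b""


def rule_matches(rule: Rule, buf: bytes) -> bool:
    if not buf.startswith(METHODS):
        return False                  # method + space not seen: not HTTP yet
    if rule.host is None:
        return True                   # plain "drop http": matches right away
    host = parse_host(buf)
    if host is None:
        return False                  # http.host buffer not available yet
    return (rule.host in host) != rule.negate


def evaluate(rules: List[Rule], segments: List[bytes]) -> Tuple[str, Optional[str], int]:
    """Feed TCP segments in order and return (verdict, rule msg, segment index)
    for the first rule that fires. Pass rules are tried before drop rules,
    modelled on Suricata's default action order (pass, drop, reject, alert).
    "allow" means no rule fired in this toy model."""
    ordered = [r for r in rules if r.action == "pass"] + \
              [r for r in rules if r.action == "drop"]
    buf = b""
    for i, seg in enumerate(segments):
        buf += seg
        for rule in ordered:
            if rule_matches(rule, buf):
                return rule.action, rule.msg, i
    return "allow", None, len(segments) - 1


def build_request(host: bytes, cut: Optional[int] = None) -> List[bytes]:
    """Constructed sample request. With cut set, the long cookie pushes
    CRLF CRLF into the second segment, as in the split case discussed."""
    req = (b"GET / HTTP/1.1\r\nHost: " + host +
           b"\r\nCookie: session=" + b"x" * 60 + b"\r\n\r\n")
    return [req] if cut is None else [req[:cut], req[cut:]]


# pass http.host + catch-all drop http (the combination that fails when split)
TWO_RULES = [
    Rule("pass", "Allow example.com", host=b"example.com"),
    Rule("drop", "Drop everything else"),
]
# the single negated http.host rule suggested in the post
SINGLE_RULE = [
    Rule("drop", "Excluding example.com", host=b"example.com", negate=True),
]


def demo() -> dict:
    out = {}
    for name, rules in (("two_rules", TWO_RULES), ("single_rule", SINGLE_RULE)):
        for host in (b"example.com", b"other.test"):
            out[(name, host.decode())] = evaluate(rules, build_request(host, cut=50))
    return out


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
    print("two_rules, unsplit:", evaluate(TWO_RULES, build_request(b"example.com")))
```

With the split request, the two-rule set drops both hosts on segment 0 because the catch-all drop matches before the Host header exists, whereas the single negated rule waits for the header block and then only drops the non-example.com request on segment 1. Unsplit, the two-rule set passes example.com on the first segment, which is why the problem only shows up across TCP packet boundaries. One caveat this model makes visible: the negated http.host rule can only fire once CRLF CRLF arrives, so a request whose header block never completes is not dropped by it.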