Incorrect identification of source IP and destination IP

The last session has not ended, and a new session comes in, causing the source IP and destination IP to be reversed. (Suricata gets the flow from the switch in mirror mode.)
Can the residual message not be read in the configuration file?

Is this being observed in the eve log? If so, what event type within the eve log is the “reversed” src/dst ips appearing in? Are you able to provide a screenshot, or the output demonstrating the issue?


I don’t think the output is wrong; you match on the fileinfo that is sent from the HTTP server ( to the requesting client.