Issues getting alerting from TOS 34 & 46

I am having trouble getting ip tos to fire an alert. In the pcap below, I have AF41 (34) and EF (46) DSCP tagged traffic.

I can filter this traffic in Wireshark:
ip.dsfield.dscp == 34 or ip.dsfield.dscp == 46

I have tried several rule permutations (see below) to try and get an alert to fire. Can anyone point me in the right direction?

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:to_server; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:established; classtype:not-suspicious; sid:202004; rev:1;)

I can reproduce the issue. Can you file a bug report in our Redmine issue tracker?

Thanks for looking at this. Issue created: https://redmine.openinfosecfoundation.org/issues/3638

Hi Brian,

Can you try different values? For 34 use 136; for 46 use 184.

These values are derived from the values you’re using right-shifted by 2 bits.

We will be improving our documentation for the tos keyword; for now, try these values and let us know how it works.

Thanks

Hi Jeff,

Thanks for looking into this; using the right-shifted values works for me. Thanks!

Brian
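An added example, not part of the original thread and not Suricata project code: it parses the DS field from a constructed IPv4 header to show where the 136 and 184 in the reply above come from. DSCP occupies the upper six bits of the old TOS byte, so the whole-byte value is the DSCP shifted left by two (34 gives 136, 46 gives 184), with the low two bits carrying ECN. The addresses, the helper names and sid 202005 are assumptions made for the example.

```python
import socket
import struct

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}  # RFC 3168 codepoints

def build_ipv4_header(tos, src="192.0.2.1", dst="192.0.2.2"):
    """Constructed 20-byte IPv4 header for the demo (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ds_field(header):
    """Return (tos_byte, dscp, ecn) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]                      # second byte: DSCP (6 bits) + ECN (2 bits)
    return tos, tos >> 2, tos & 0x03

def tos_values_for_dscp(dscp):
    """All whole-byte values that carry this DSCP, one per ECN codepoint."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    return [(dscp << 2) | ecn for ecn in range(4)]

def tos_rule(dscp, name, sid):
    """Rule text using the whole-byte value with ECN bits zero, as in the reply."""
    return ('alert ip any any -> any any '
            f'(msg:"Differentiated Services Codepoint: {name}"; '
            f'tos:{dscp << 2}; classtype:not-suspicious; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    # 202004 is the sid from the thread; 202005 is a constructed placeholder.
    for dscp, name, sid in [(34, "AF41", 202004), (46, "EF", 202005)]:
        print(tos_rule(dscp, name, sid))
        for value in tos_values_for_dscp(dscp):
            tos, parsed_dscp, ecn = parse_ds_field(build_ipv4_header(value))
            print(f"  byte={tos:3d} (0x{tos:02x})  dscp={parsed_dscp}  "
                  f"ecn={ECN_NAMES[ecn]}")
```

Wireshark's `ip.dsfield.dscp` displays the six-bit value, which is why the filter with 34 and 46 matched the capture while the rules written with `tos:34` did not.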