The usual difference comes from the fact that Suricata by default acts on “acked data”.
So if you have a signature like alert http any any -> any any (http.uri; content: "toto";)
and have a pcap with
- p1 from client: GET /toto HTTP/1.1
- p2 from server: ack p1
- p3 from client: new request
you will get an alert on p3:
- on p1 Suricata does not process the data because it has not been acked, so no alert
- on p2 Suricata does the processing, but there is no match as p2 is from server to client and the http.uri keyword will only match on client to server
- on p3 Suricata has processed the data, and the direction is right, so there is a match
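The three-packet sequence above can be walked through with a small simulation. The code below is an added example, a simplified model written for this page and not Suricata's own stream engine or detection code: each side's bytes are buffered until the peer's ACK covers them, the toy HTTP parser then turns the request into a transaction, and the signature (toserver direction, content "toto" in the URI) is only evaluated against a transaction when the current packet travels in the signature's direction. The packet numbers, sequence numbers and payloads are constructed to match the pcap described in the post. An `inspect_unacked` switch is included, beyond what the post shows, to contrast with a mode that inspects data as soon as it arrives, in which case the alert lands on p1 instead of p3.

```python
"""Constructed model of 'inspect on ACK' behaviour (added example, not Suricata's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

TOSERVER = "toserver"   # client -> server
TOCLIENT = "toclient"   # server -> client


@dataclass
class Packet:
    num: int
    direction: str
    seq: int            # first TCP sequence number carried by this packet
    ack: int            # next sequence number this side expects from its peer
    payload: bytes = b""


@dataclass
class Segment:
    seq: int
    data: bytes
    parsed: bool = False


@dataclass
class Transaction:
    uri: str
    inspected: bool = False   # has the signature already been evaluated on it?


@dataclass
class Signature:
    direction: str      # direction in which the keyword (http.uri) can match
    content: bytes      # content: "..." pattern


def parse_request_uri(data: bytes) -> Optional[str]:
    """Toy HTTP parser: extract the URI from a request line, or None if malformed."""
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode()


class Flow:
    """Tracks one TCP flow: per-direction segments, parsed transactions, alerts."""

    def __init__(self, sig: Signature, inspect_unacked: bool = False):
        self.sig = sig
        self.inspect_unacked = inspect_unacked   # True models inspect-on-arrival
        self.segments: Dict[str, List[Segment]] = {TOSERVER: [], TOCLIENT: []}
        self.txs: List[Transaction] = []
        self.alerts: List[int] = []              # packet numbers that alerted

    def _parse(self, direction: str, seg: Segment) -> None:
        seg.parsed = True
        if direction == TOSERVER:
            uri = parse_request_uri(seg.data)
            if uri is not None:
                self.txs.append(Transaction(uri))

    def handle(self, pkt: Packet) -> None:
        if pkt.payload:
            self.segments[pkt.direction].append(Segment(pkt.seq, pkt.payload))
        # This packet's ACK number acknowledges the peer's data: only data whose
        # end lies at or below the ACK is handed to the app-layer parser.
        peer = TOCLIENT if pkt.direction == TOSERVER else TOSERVER
        for seg in self.segments[peer]:
            if not seg.parsed and seg.seq + len(seg.data) <= pkt.ack:
                self._parse(peer, seg)
        if self.inspect_unacked:   # contrast mode: parse own data immediately
            for seg in self.segments[pkt.direction]:
                if not seg.parsed:
                    self._parse(pkt.direction, seg)
        # Detection runs in the context of the current packet, so a toserver
        # keyword is only evaluated while a toserver packet is being processed.
        if pkt.direction == self.sig.direction:
            for tx in self.txs:
                if not tx.inspected:
                    tx.inspected = True
                    if self.sig.content in tx.uri.encode():
                        self.alerts.append(pkt.num)


def run_scenario(inspect_unacked: bool = False) -> List[int]:
    """Replay the three constructed packets from the post; return alerting packets."""
    req1 = b"GET /toto HTTP/1.1\r\n\r\n"      # constructed, 22 bytes
    req2 = b"GET /index HTTP/1.1\r\n\r\n"     # constructed 'new request'
    packets = [
        Packet(1, TOSERVER, seq=1, ack=1, payload=req1),
        Packet(2, TOCLIENT, seq=1, ack=1 + len(req1)),          # pure ack of p1
        Packet(3, TOSERVER, seq=1 + len(req1), ack=1, payload=req2),
    ]
    flow = Flow(Signature(TOSERVER, b"toto"), inspect_unacked)
    for pkt in packets:
        flow.handle(pkt)
    return flow.alerts


if __name__ == "__main__":
    print("acked-data mode alerts on packets:", run_scenario())            # [3]
    print("inspect-on-arrival alerts on packets:", run_scenario(True))    # [1]
```

In the default mode the request in p1 is parsed only when p2's ACK covers it, but p2 is a toclient packet, so the toserver keyword is not evaluated there, and the first toserver packet after that, p3, is the one that carries the alert. With `inspect_unacked=True` the request is parsed and inspected while p1 itself is processed, which is why the alert's packet number moves.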