Some match bypass?

Hi,

I tried looking at some of the HTTP streams and I cannot see the SYN packets for most of them. Looks like the pcap has HTTP coming over long-running, reused TCP sessions.
I would assume that midstream: yes would pick it up, but it seems like that is not the case.

Are you testing on live traffic or a packet capture?
Is the traffic sent from some other TLS inspection box, for instance, that might mangle it a bit?

There are some streams with SYN packets (for instance tcp.stream eq 74 in Wireshark), but the first packets in the stream do not look like HTTP at all.

You might also need to change the HTTP port variables since non-standard ones are in use in the pcap.
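
One way to check both observations in a capture (flows with no initial SYN, and the ports they use), as an added example that is not part of the original post. It is a stdlib-only reader for classic pcap files with Ethernet/IPv4/TCP; the sample capture, its addresses and ports 8080/8888 are constructed, and treating the lower port as the server port is a heuristic assumption.

```python
import struct

def flows_missing_syn(pcap: bytes) -> dict:
    """Map each IPv4/TCP flow with no bare SYN in the capture to its lower port."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    flows, off = {}, 24          # flow key -> [saw_syn, lower_port]
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue             # skip anything that is not IPv4 + TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))
        state = flows.setdefault(key, [False, min(sport, dport)])
        if tcp[13] & 0x12 == 0x02:   # SYN set, ACK clear: start of a handshake
            state[0] = True
    return {k: v[1] for k, v in flows.items() if not v[0]}

def _pkt(src, dst, sport, dport, flags, payload=b""):
    """Build one constructed pcap record (Ethernet/IPv4/TCP, checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: one flow with a full handshake, one seen only mid-session.
A, B, C = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3)
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _pkt(A, B, 40000, 8080, 0x02),                          # SYN
    _pkt(B, A, 8080, 40000, 0x12),                          # SYN-ACK
    _pkt(A, B, 40000, 8080, 0x10),                          # ACK
    _pkt(C, B, 41000, 8888, 0x18, b"GET / HTTP/1.1\r\n"),   # PSH-ACK, no SYN
])

if __name__ == "__main__":
    for flow, port in flows_missing_syn(SAMPLE).items():
        print("no SYN seen, likely server port", port)
```

Flows it reports depend on midstream pickup to be inspected at all, and the ports it lists are the candidates to compare against the configured HTTP port variables.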