Suricata

A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.

A rule like:

 alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)

is alerting for all connections. Even if they are done on a certificate
with matching subject.