Bug #155
closed
Anchored pcre doesn't appear to work with /U modifier.
Description
sid 2010504 should fire here. Simply removing the '$' anchor from the pcre will cause the sig to match, the flowbit will be set and thus the second sig will fire. The anchored pcre is valid for this pcap; this should fire in Suricata but doesn't. These rules fire fine in Snort. I should also note that I tested anchors with normal pcre and it appears to work fine.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potential Palevo executable download, executable purporting to be different file"; flowbits:isset,ET.hidden.exe; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; content:"This program"; within:120; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa; sid:2010504; rev:2;)
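As an added illustration (not Suricata, Snort or Emerging Threats code), the following Python emulates what the two rules above check and shows which buffer the anchored `/\.txt$/Ui` is evaluated against: with the U modifier the `$` anchors to the end of the request URI, whereas against the raw request line it never matches because " HTTP/1.1" follows the path. The HTTP request and response are constructed samples, not the reporter's pcap.

```python
import re

# Constructed sample flow (not the pcap from the bug report).
REQUEST = (b"GET /update/readme.txt HTTP/1.1\r\n"
           b"Host: example.invalid\r\n"
           b"User-Agent: Mozilla/4.0\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/plain\r\n\r\n"
            b"MZ\x90\x00" + b"\x00" * 60 +
            b"This program cannot be run in DOS mode.\r\n")

def normalized_uri(request: bytes) -> bytes:
    """The request URI: the buffer a 'U'-modified pcre/uricontent is applied to."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def anchored_on_request_line(request: bytes) -> bool:
    """Same regex without 'U', i.e. against the whole request line (never matches)."""
    request_line = request.split(b"\r\n", 1)[0]
    return re.search(rb"\.txt$", request_line, re.IGNORECASE) is not None

def rule_2010500(request: bytes) -> bool:
    """Emulates sid 2010500; True means flowbit ET.hidden.exe would be set."""
    if request[:4].lower() != b"get ":           # content:"GET "; nocase; depth:4
        return False
    if b"\r\nreferer: " in request.lower():      # content:!"|0d 0a|Referer\: "; nocase
        return False
    uri = normalized_uri(request)
    if b".txt" not in uri.lower():               # uricontent:".txt"; nocase
        return False
    # pcre:"/\.txt$/Ui" -- '$' anchors to the end of the URI buffer only
    return re.search(rb"\.txt$", uri, re.IGNORECASE) is not None

def rule_2010504(response: bytes, flowbit_set: bool) -> bool:
    """Emulates sid 2010504; alerts only when the flowbit from 2010500 is set."""
    if not flowbit_set:                          # flowbits:isset,ET.hidden.exe
        return False
    idx = response.find(b"\r\n\r\nMZ")           # content:"|0d 0a 0d 0a|MZ"
    if idx < 0:
        return False
    end_of_first = idx + len(b"\r\n\r\nMZ")
    # within:120 -- second content must end within 120 bytes of the first match
    window = response[end_of_first:end_of_first + 120]
    return b"This program" in window

def evaluate_flow(request: bytes, response: bytes) -> bool:
    """Runs the two-rule chain the way the flowbit ties them together."""
    return rule_2010504(response, rule_2010500(request))
```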