Suricata

The version of Suricata is 3.1.1 RELEASE

I can not reproduce your issue with the pcap provided.

I have tried 3.1.1 and latest git master. With the following test rule -

alert http any any -> any any (msg:"http header test";  content:"POST"; http_method; content:"SELECT"; sid:1;)

When I run -

suricata  -S test.rule -r tcp.dump -l log/

I get the following alert -

{"timestamp":"2016-09-14T17:19:03.751812+0200","flow_id":1852470959,"pcap_cnt":7,"event_type":"alert","src_ip":"10.1.1.1","src_port":53455,"dest_ip":"10.1.1.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"http header test","category":"","severity":3},"http":{"hostname":"test.test","url":"\/site\/index.php\/admin\/pages\/update\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko\/20100101 Firefox\/43.0","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/test.test\/site\/index.php\/admin\/pages\/view-tree\/\/","length":2535},"payload":"UE9TVCAvc2l0ZS9pbmRleC5waHAvYWRtaW4vcGFnZXMvdXBkYXRlLyBIVFRQLzEuMQ0KSG9zdDogdGVzdC50ZXN0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFdPVzY0OyBydjo0My4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzQzLjANCkFjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44DQpBY2NlcHQtTGFuZ3VhZ2U6IHJ1LVJVLHJ1O3E9MC44LGVuLVVTO3E9MC41LGVuO3E9MC4zDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkNvb2tpZTogYmlndHJlZV9hZG1pbltlbWFpbF09dGVzdCU0MHRlc3Q7IGJpZ3RyZWVfYWRtaW5bbG9naW5dPSU1QiUyMnNlc3Npb24tNTdkOTUyYzU5NWEyMzQuMTE3OTA4ODIlMjIlMkMlMjJjaGFpbi01N2Q5MjIyNzdhMmFiOS4zNzQwMDI0NSUyMiU1RDsgUEhQU0VTU0lEPXA2MWMyZXR0azFndWo5Y3NzNGJuMXZ2cm4zOyBoaWRlX2JpZ3RyZWVfYmFyPTsgYmlndHJlZV9hZG1pbiU1QnBhZ2VfcHJvcGVydGllc19vcGVuJTVEPW9uDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGE7IGJvdW5kYXJ5PWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LUxlbmd0aDogMjE2MA0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ik1BWF9GSUxFX1NJWkUiDQoNCjIwOTcxNTINCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iX2JpZ3RyZWVfcG9zdF9jaGVjayINCg0Kc3VjY2Vzcw0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJwYWdlIg0KDQotMScgT1IgKFNFTEVDVCBDT1VOVCgqKSBGUk9NIChTRUxFQ1QgMSBVTklPTiBTRUxFQ1QgMiBVTklPTiBTRUxFQ1QgMyl4IEdST1VQIEJZIENPTkNBVCh1c2VyKCksJ3wnLHZlcnNpb24oKSwnfCcsZGFUYWJhc2UoKSwnfCcsIEZMT09SKFJBTkQoMCkqMikpKSAtLSAgDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Im5hdl90aXRsZSINCg0KVGhlIFRyZWVzDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InRpdGxlIg0KDQpUaGUgVHJlZXMNCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0icHVibGlzaF9hdCINCg0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImV4cGlyZV9hdCINCg0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImluX25hdiINCg0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InJlZGlyZWN0X2xvd2VyIg0KDQoNCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idHJ1bmsiDQoNCg0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJleHRlcm5hbCINCg0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Im5ld193aW5kb3ciDQoNClllcw0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJyZXNvdXJjZXNbcGFnZV9oZWFkZXJdIg0KDQpUaGUgVHJlZXMNCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idGFnX2VudHJ5Ig0KDQoNCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0icm91dGUiDQoNCnRyZWVzDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InNlb19pbnZpc2libGUiDQoNCg0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJwdHlwZSINCg0KU2F2ZQ0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJtYXhfYWdlIg0KDQozDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InRlbXBsYXRlIg0KDQoNCi0tYjc4OGIwNDdiOGUzNDViNzkyY2RjMWY4MWZlZjIxMDYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ibWV0YV9rZXl3b3JkcyINCg0KDQotLWI3ODhiMDQ3YjhlMzQ1Yjc5MmNkYzFmODFmZWYyMTA2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Im1ldGFfZGVzY3JpcHRpb24iDQoNCg0KLS1iNzg4YjA0N2I4ZTM0NWI3OTJjZGMxZjgxZmVmMjEwNi0tDQoNCg0KDQo=","payload_printable":"POST \/site\/index.php\/admin\/pages\/update\/ HTTP\/1.1\r\nHost: test.test\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko\/20100101 Firefox\/43.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=p61c2ettk1guj9css4bn1vvrn3; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on\r\nContent-Type: multipart\/form-data; boundary=b788b047b8e345b792cdc1f81fef2106\r\nContent-Length: 2160\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"_bigtree_post_check\"\r\n\r\nsuccess\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"page\"\r\n\r\n-1' OR (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3)x GROUP BY CONCAT(user(),'|',version(),'|',daTabase(),'|', FLOOR(RAND(0)*2))) --  \r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"nav_title\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"publish_at\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"expire_at\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"in_nav\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"redirect_lower\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"trunk\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"external\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"new_window\"\r\n\r\nYes\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"resources[page_header]\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"tag_entry\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"route\"\r\n\r\ntrees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"seo_invisible\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"ptype\"\r\n\r\nSave\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"max_age\"\r\n\r\n3\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"template\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"meta_keywords\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"meta_description\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106--\r\n\r\n\r\n\r\n","stream":1,"packet":"CAAn+lcqCgAnAAAZCABFAAAoPHtAAIAGqFAKAQEBCgEBAtDPAFA0uVwItBARO1AQAQBxowAAAAAAAAAA"}

Missed to update as well - it also works with the provided test rule in your case (both pcaps) -

alert tcp any any -> $HOME_NET any (msg:"TCP test333"; content:"POST"; sid:10000004; rev:001;)

cmd line:

/opt/suricataqa/suri311/bin/suricata -c /etc/suricata/suricata.yaml  -S test.rule -r provided-from-user/ok.pcapng -l log/  -k none

{"timestamp":"2016-09-19T15:21:01.519338+0200","flow_id":45595232,"pcap_cnt":8,"event_type":"alert","src_ip":"10.1.1.1","src_port":59565,"dest_ip":"10.1.1.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":10000004,"rev":1,"signature":"TCP test333","category":"","severity":3},"http":{"hostname":"test.test","url":"\/site\/index.php\/admin\/pages\/update\/","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":306},"payload":"UE9TVCAvc2l0ZS9pbmRleC5waHAvYWRtaW4vcGFnZXMvdXBkYXRlLyBIVFRQLzEuMQ0KSG9zdDogdGVzdC50ZXN0DQpDb250ZW50LUxlbmd0aDogMTM3NA0KDQoxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExDQoxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExDQoNCg0KDQo=","payload_printable":"POST \/site\/index.php\/admin\/pages\/update\/ HTTP\/1.1\r\nHost: test.test\r\nContent-Length: 1374\r\n\r\n1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n","stream":1,"packet":"CAAn+lcqCgAnAAAMCABFAAAoQABAAIAGpMsKAQEBCgEBAuitAFBnr+l4IQsLqlARAP4x9gAAAAAAAAAA"}

Andreas Herz wrote:

Could you describe your system in more detail as well as your configuration?

The system is Ubuntu 1404 wich was installed on VirtualBox 5.1.6.

I resolved my problem by configurating the conf-file. Sorry for you time!