Bug #2121 (closed)
Packets stop passing for specific file
Description
I run suricata 3.2.1 using netmap on FreeBSD. I’ve come across an odd issue where a particular file from an http server always stops downloading at 792MB (the file is over 900MB). I’ve narrowed it down to the emerging-current_events ruleset (i.e. disabling that ruleset lets the file download), but:
- There is nothing in drop.log, fast.log or alert-debug.log
- Downloading other large files from the server works fine
- Downloading the identical file from other servers works fine (which is really odd!)
Suricata is running on the internal interface. The pcaps show that when the download hangs, incoming packets from the web server come in the external interface, but never exit the internal interface.
I've attached my suricata.yaml, pcaps of the last few seconds of transfer from ext_if (ag) and int_if (ac), and the specific ruleset that triggers this bug.
The file in question is:
http://cdn2-downloads.ableton.com/channels/9.7.2/ableton_live_lite_9.7.2_64.zip
Is there any more I can do to help diagnose what’s going on, or is that enough info? It's a production router so debug is off, but I could recompile if you really need it.
Many thanks!
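The diagnostic the reporter describes, comparing the capture on the external interface with the capture on the internal interface to find the server packets that arrived but were never forwarded, can be automated. The script below is an added example, not code from the reporter or from the Suricata project. It assumes classic little-endian pcap files with an Ethernet link type, IPv4/TCP traffic, and that the router may NAT the destination address and port, so packets are matched on (server IP, server port, IP ID, TCP sequence, payload length) only. The two captures it runs on are constructed inline so the example executes offline; with real files, pass the bytes of ext_if and int_if captures and the web server's address.

```python
import socket
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Match key: (src ip, src port, ip id, tcp seq, payload length).
# Destination fields are deliberately left out because NAT on the router
# rewrites them between ext_if and int_if (assumption for this example).
Key = Tuple[str, int, int, int, int]


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for every record in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def packet_key(frame: bytes) -> Optional[Key]:
    """Extract the match key from an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:  # protocol 6 = TCP
        return None
    total_len, ip_id = struct.unpack_from("!HH", ip, 2)
    src = socket.inet_ntoa(ip[12:16])
    tcp = ip[ihl:]
    sport, _dport, seq = struct.unpack_from("!HHI", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return (src, sport, ip_id, seq, total_len - ihl - doff)


def missing_on_internal(ext_pcap: bytes, int_pcap: bytes, server_ip: str) -> List[Tuple[float, Key]]:
    """Server packets present in the ext_if capture but absent from the int_if capture."""
    seen_internal = {packet_key(f) for _, f in read_pcap(int_pcap)}
    missing = []
    for ts, frame in read_pcap(ext_pcap):
        key = packet_key(frame)
        if key is not None and key[0] == server_ip and key not in seen_internal:
            missing.append((ts, key))
    return missing


# --- constructed test data (not real traffic from the report) -----------------

def build_frame(src: str, dst: str, ip_id: int, seq: int, payload_len: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums, for test data only."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 80, 51234, seq, 0, 0x50, 0x10, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a classic pcap file structure, for test data only."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


SERVER = "203.0.113.10"        # placeholder for the web server address
# Four 1460-byte segments seen on ext_if (dst = router's public address, pre-NAT) ...
EXT_CAPTURE = build_pcap([build_frame(SERVER, "198.51.100.1", i, 1000 + (i - 1) * 1460, 1460)
                          for i in range(1, 5)])
# ... but only the first two ever appear on int_if (dst = client's private address, post-NAT).
INT_CAPTURE = build_pcap([build_frame(SERVER, "192.168.1.20", i, 1000 + (i - 1) * 1460, 1460)
                          for i in range(1, 3)])

if __name__ == "__main__":
    for ts, (src, sport, ip_id, seq, plen) in missing_on_internal(EXT_CAPTURE, INT_CAPTURE, SERVER):
        print(f"{ts:.6f} {src}:{sport} id={ip_id} seq={seq} len={plen} arrived on ext_if, never left int_if")
```

The first entry in the result is the point at which forwarding stopped; its sequence number and IP ID are what to look for in the engine's stats or flow records, and the absence of a matching drop entry is exactly the symptom the report describes.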