Negated http_* match returns false if buffer not populated
If a rule has a negated content match for 'http_user_agent' buffer but the http_user_agent buffer isn't populated (i.e. the HTTP traffic doesn't have a "User-Agent" header), the negated content match will return false when it should be true. Example:
GET /nouser-agent.html HTTP/1.1 Accept: */*
alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_user_agent; priority:2; sid:8675309;)
The above traffic does not have a User-Agent buffer so any negated content match in the http_user_agent buffer should return true. However, the above rule does not alert (unless the http_user_agent content match is removed).
Tested on Suricata 4.0.0, 3.2.3, 2.9.0, etc. This behavior applies to other http_* buffers too. e.g. http_host:
alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_host; priority:2; sid:8675308;)
Maybe this behavior is "as designed" ... if so, can this bug report be turned in to a feature request?