Suricata

I'm running into an issue with one sided traffic and the stream.async-oneside and midstream options.

suricata.yaml and build info is attached. It's the suricata 4.0.4 build from the OISF PPA on Ubuntu 16.04 on AWS EC2.

Also attached is "async-oneside-test.rules", two simple rules designed to trigger on a single packet contained in the two sample PCAPs.

CASE 1:
Testing these rules against the onesided.pcap file, we get a hit on one rule, but not the other:

$ sudo rm /var/log/suricata/fast.log; sudo suricata -c /etc/suricata/suricata.yaml -r simple_http_download.onesided.pcap -S async-oneside-test.rules --set "stream.async-oneside=true" --set "stream.midstream=true" && sudo cat /var/log/suricata/fast.log
17/4/2018 -- 12:00:24 - <Notice> - This is Suricata version 4.0.4 RELEASE
17/4/2018 -- 12:00:24 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
17/4/2018 -- 12:00:24 - <Notice> - Signal Received.  Stopping engine.
17/4/2018 -- 12:00:24 - <Notice> - Pcap-file module read 12 packets, 1853 bytes
01/25/2011-18:52:33.268459  [**] [1:1:1] ALERT http to_server [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.3.131:55963 -> 65.54.95.140:80

CASE 2:
If we remove the syn packet (onesided.nosyn.pcap), we get the same output:

$ sudo rm /var/log/suricata/fast.log; sudo suricata -c /etc/suricata/suricata.yaml -r simple_http_download.onesided.nosyn.pcap -S async-oneside-test.rules --set "stream.async-oneside=true" --set "stream.midstream=true" && sudo cat /var/log/suricata/fast.log
17/4/2018 -- 12:03:47 - <Notice> - This is Suricata version 4.0.4 RELEASE
17/4/2018 -- 12:03:47 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
17/4/2018 -- 12:03:47 - <Notice> - Signal Received.  Stopping engine.
17/4/2018 -- 12:03:47 - <Notice> - Pcap-file module read 11 packets, 1787 bytes
01/25/2011-18:52:33.268459  [**] [1:1:1] ALERT http to_server [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.3.131:55963 -> 65.54.95.140:80

CASE 3:

However, now using the onesided.nosyn.pcap AND turn off async-oneside, we get hits on both signatures

$ sudo rm /var/log/suricata/fast.log; sudo suricata -c /etc/suricata/suricata.yaml -r simple_http_download.onesided.nosyn.pcap -S async-oneside-test.rules --set "stream.async-oneside=false" --set "stream.midstream=true" && sudo cat /var/log/suricata/fast.log
17/4/2018 -- 12:01:49 - <Notice> - This is Suricata version 4.0.4 RELEASE
17/4/2018 -- 12:01:50 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
17/4/2018 -- 12:01:50 - <Notice> - Signal Received.  Stopping engine.
17/4/2018 -- 12:01:50 - <Notice> - Pcap-file module read 11 packets, 1787 bytes
01/25/2011-18:52:33.268459  [**] [1:1:1] ALERT http to_server [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.3.131:55963 -> 65.54.95.140:80
01/25/2011-18:52:33.268459  [**] [1:2:1] ALERT http established and to_server [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.3.131:55963 -> 65.54.95.140:80

CASE 4:

If we leave async-oneside turned off and go back to the original onesided.pcap that includes the syn packet, we get NO output:

$ sudo rm /var/log/suricata/fast.log; sudo suricata -c /etc/suricata/suricata.yaml -r simple_http_download.onesided.pcap -S async-oneside-test.rules --set "stream.async-oneside=false" --set "stream.midstream=true" && sudo cat /var/log/suricata/fast.log
17/4/2018 -- 12:10:36 - <Notice> - This is Suricata version 4.0.4 RELEASE
17/4/2018 -- 12:10:36 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
17/4/2018 -- 12:10:36 - <Notice> - Signal Received.  Stopping engine.
17/4/2018 -- 12:10:36 - <Notice> - Pcap-file module read 12 packets, 1853 bytes

EXPECTED BEHAVIOUR:
Based on my understanding of the manual and these options, I expect to get hits on both example signatures with async-oneside=true and midstream=true (case 1 & 2). I don't expect any hits in case 3, but I get both hits. But given the hits in case 3, I would expect to get the same hits in case 4, but get no hits.