Hello. We use the IDS 4.1 suricata to test the rules and are faced with a problem where suricata does not detect a simple web-attack. The problem only appears when the rule is loaded as part of a set (test.rules). If you only load one test rule (_test.rules), then suricata detects a Web-attack. The problem was reproduced on the versions 4.1.0-beta1 RELEASE and 4.0.5 RELEASE. The problem is not reproduced on version 3.1 of RELEASE, that is, suricata detects an attack under any conditions. Used OS Ubuntu 18.04 LTS. Installing suricata: ./configure --prefix = / usr / --sysconfdir = / etc --disable-gccmarch-native -disable-coccinelle -enable-af-packet -enable-gccprotect -enable-jansson - enable-geoip --enable-luajit --enable-profiling The configuration file was used the same for different versions of suricata. If the test rule changes the protocol to tcp and removes http_uri, then the attack is detected under any conditions and on all versions. Pcap with the attack was recorded using Breakigpoint. Initially, the tests were conducted using this tool. Suricata was started with the option -af-packet. Further tests were continued by playing pcap with the -r option. Test rule sid: 4000334