Bug #2570

closed

Signature affecting another's ability to detect and alert

Added by Bryant Smith over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

While creating some signatures I stumbled across an odd issue where the first signature below doesn't allow the second one to detect the traffic in a pcap. The second signature alone can detect and generate an alert as long as the first one is commented out.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affects the second one!"; flow:established,to_server; content:"/something/else/"; sid:1111111; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affected by the 1st one!"; flow:established,to_server; content:"/goform/activate"; http_uri; pcre:"/(?:actserver|akey)=[^&]{500}/"; sid:2222222; rev:1;)

I tried narrowing it down to try and figure out what's going on. These were tested on both Ubuntu 16.04 running 4.0.5 and Ubuntu 18.04 running 4.1rc1.

Changes to sid:1111111:
  1. Changed the content matches to something completely different - no effect
  2. Changed it from tcp to http - no effect
  3. Changed the port - allows the second one to alert
  4. Add http_uri; - allows the second one to alert
Changes to sid:2222222:
  1. Added U to the pcre modifier - allows the second one to alert
  2. Remove http_uri; from signature - allows the second one to alert
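The reporter's experiments all change which buffer a keyword inspects: the `U` flag moves the pcre from the raw payload to the normalized URI buffer that `http_uri` content already uses, and adding `http_uri` (or moving the port) changes what the first rule inspects on the same port. The following lint, an added example that is neither Suricata's code nor the reporter's, parses Suricata 4.x rule syntax and flags exactly those two mixed-buffer patterns: a pcre with no buffer flag beside `http_*` content modifiers, and a plain payload rule sharing a tcp port with an HTTP-buffer rule. It does not diagnose the engine behaviour reported here; it only makes the pattern visible before rules are deployed. The modifier and flag lists are the Suricata 4.x names; the sample rules are the two from the description.

```python
"""Consistency lint for Suricata 4.x rules (added example, not Suricata's own code).

Flags the two mixed-buffer patterns the reporter varied: a pcre with no buffer flag
(matched against the raw payload) beside content keywords that use an HTTP buffer,
and a plain payload rule sharing a tcp port with an HTTP-buffer rule.
"""
import json
import re
from collections import defaultdict

# Content modifiers that move a content match into an HTTP buffer (Suricata 4.x names).
HTTP_CONTENT_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_method", "http_client_body", "http_server_body", "http_host",
    "http_raw_host", "http_stat_code", "http_stat_msg", "http_user_agent",
}
# pcre flag letters that select an HTTP buffer; without one, pcre inspects the payload.
PCRE_BUFFER_FLAGS = set("UIPQHDMCSYWZV")

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# The reporter's two rules, copied from the description above.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affects the second one!"; flow:established,to_server; content:"/something/else/"; sid:1111111; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affected by the 1st one!"; flow:established,to_server; content:"/goform/activate"; http_uri; pcre:"/(?:actserver|akey)=[^&]{500}/"; sid:2222222; rev:1;)
"""


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    items.append("".join(cur).strip())
    return [item for item in items if item]


def parse_rule(line):
    """Extract what the lint needs from one rule; None for blank, comment or unparseable lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"proto": m.group("proto"), "dport": m.group("dport"), "sid": "?",
            "http_buffers": set(), "raw_pcre": 0, "buffered_pcre": 0}
    for item in split_options(m.group("opts")):
        kw, _, val = item.partition(":")
        kw, val = kw.strip(), val.strip()
        if kw == "sid":
            rule["sid"] = val
        elif kw in HTTP_CONTENT_MODIFIERS:
            rule["http_buffers"].add(kw)
        elif kw == "pcre":
            flags = val.strip('"')
            flags = flags[flags.rfind("/") + 1:]  # pcre:"/regex/flags"
            rule["buffered_pcre" if PCRE_BUFFER_FLAGS & set(flags) else "raw_pcre"] += 1
    return rule


def lint_ruleset(text):
    """Return {sid: [findings]} for every rule in text, plus a 'ruleset' list of cross-rule findings."""
    findings = {"ruleset": []}
    by_port = defaultdict(list)
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        per_rule = findings.setdefault(rule["sid"], [])
        if rule["http_buffers"] and rule["raw_pcre"]:
            per_rule.append("pcre without a buffer flag inspects the raw payload while content uses "
                            + ", ".join(sorted(rule["http_buffers"])))
        by_port[(rule["proto"], rule["dport"])].append(rule)
    for (proto, port), rules in by_port.items():
        uses_http = lambda r: bool(r["http_buffers"] or r["buffered_pcre"])
        http_sids = [r["sid"] for r in rules if uses_http(r)]
        raw_sids = [r["sid"] for r in rules if not uses_http(r)]
        if proto == "tcp" and http_sids and raw_sids:
            findings["ruleset"].append(f"{proto}/{port}: raw-payload rules {raw_sids} share the port "
                                       f"with HTTP-buffer rules {http_sids}")
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_ruleset(SAMPLE_RULES), indent=2))
```

Run as-is it reports sid:2222222 for the flag-less pcre and tcp/5054 for the shared port; rewriting the pcre as `/.../U` clears the first finding and adding `http_uri;` to sid:1111111 clears the second, matching the reporter's observations. To lint a real file, pass its contents to `lint_ruleset()`.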

Files

Signature_Error.pcap (2.21 KB), Bryant Smith, 08/07/2018 06:45 PM

Related issues (1 closed)

Related to Suricata - Bug #2554: suricata does not detect a web-attack (Closed, Victor Julien)
