Suricata

another example:

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; content:!"onedriveclubproddm20007.blob.core.windows.net"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2018_10_16;)
    App layer protocol is dns.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern ".core.windows.net" on "dns request query (dns_query)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

another example on sid 2834428 using 4.1.0-dev (rev b51e4a3):

    App layer protocol is tls.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "blablablalalal" on "TLS Server Name Indication (SNI) extension (tls_sni)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.

But tls_sni is sticky buffer - https://suricata.readthedocs.io/en/latest/rules/tls-keywords.html#tls-sni

https://github.com/OISF/suricata/pull/3618

Another example with 5.0.0-dev (rev e710b06) , sig 2834668