Bug #2619: Malformed HTTP causes FN using http_header_names;
Status: closed
Description
In Suricata 4.x, a malformed HTTP request/response can cause a FN when using http_header_names;
I have included two pcaps: one in which the FN is observed, and another in which I generate traffic intended to reproduce the issue, but was unable to. I include the second pcap in the hopes that it will aid in understanding what is causing this issue.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 1"; flow:established,to_server; content:"GET"; http_method; http_header_names; classtype:trojan-activity; sid:10003657; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 3"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:!"some_such_BS"; classtype:trojan-activity; sid:10003659; rev:2;)
=-= fast.log:
07/18/2018-17:55:53.002762 [**] [1:10003657:2] http_header_names testcase 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.140.10:49160 -> 5.8.88.25:80
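To make the expected behaviour of the three test rules concrete, here is an added Python model of the http_header_names buffer and of how each rule evaluates against it. This is not Suricata or libhtp code and it is not the reporter's pcap traffic: the two requests are constructed inline, the buffer framing (a leading CRLF, each header name followed by CRLF, then a closing CRLF) is how I recall the documented layout and should be treated as an assumption, and the "strict" parser is a hypothetical that truncates the header list at the first line it cannot parse, purely to show how a shortened buffer turns testcase 2 into a FN while testcases 1 and 3 keep firing.

```python
import re

# Constructed sample requests (not taken from the reporter's pcaps).
GOOD_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 5.8.88.25\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
MALFORMED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 5.8.88.25\n"             # bare LF instead of CRLF
    b"User-Agent: Mozilla/5.0\r\n"
    b"NoColonHere\r\n"               # header line without a colon
    b"\r\n"
)

# The three rules from the report, reduced to what they test:
# (sid, http_method content, http_header_names content, negated?)
RULES = [
    (10003657, b"GET", None, False),            # testcase 1: buffer, no content
    (10003658, b"GET", b"User-Agent", False),   # testcase 2: name must be present
    (10003659, b"GET", b"some_such_BS", True),  # testcase 3: negated content
]


def parse_request(raw, strict=False):
    """Return (method, [header names]) for a raw HTTP request.

    Lenient mode accepts bare-LF line endings and treats a line with no colon
    as a header whose name is the whole line.  Strict mode is a HYPOTHETICAL
    parser (an assumption, not libhtp's behaviour): it splits on CRLF only and
    stops collecting names at the first line without a colon, which is one
    way a malformed request could yield a shorter header-names buffer.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n") if strict else re.split(rb"\r?\n", head)
    method = lines[0].split(b" ", 1)[0]
    names = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, _value = line.partition(b":")
        if strict and not sep:
            break  # hypothetical: give up on the rest of the headers
        names.append(name.strip())
    return method, names


def header_names_buffer(names):
    """Model of the http_header_names buffer (framing is an assumption):
    leading CRLF, each name followed by CRLF, closing CRLF."""
    return b"\r\n" + b"".join(n + b"\r\n" for n in names) + b"\r\n"


def evaluate(raw, strict=False):
    """Return the sids that would fire for this request under the model."""
    method, names = parse_request(raw, strict=strict)
    buf = header_names_buffer(names)
    hits = []
    for sid, want_method, pattern, negated in RULES:
        if method != want_method:
            continue
        if pattern is None:
            matched = True  # testcase 1 only needs the method to match
        else:
            found = pattern in buf
            matched = (not found) if negated else found
        if matched:
            hits.append(sid)
    return hits


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("malformed", MALFORMED_REQUEST)):
        for strict in (False, True):
            print(label, "strict" if strict else "lenient", evaluate(req, strict))
```

Under the lenient parser all three sids fire for both requests; under the hypothetical strict parser the malformed request loses testcase 2 (10003658) because "User-Agent" never reaches the buffer, while testcase 1 and the negated testcase 3 still fire, which is the general shape of a FN on a positive http_header_names content. Whether libhtp actually truncates, merges or drops headers on the reporter's traffic is exactly what the attached pcaps would have to show.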