FN occurs when using negated isdataat with http_cookie keyword
Given a sample of traffic such as:
GET /somestuff HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
We would expect the following to work:
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)
However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions I tested on.
If we switch the rule to use http.cookie, the rule works as expected.