Bug #7390
openbyte_extract: issue with saved 'name' in distance keyword
Affected Versions:
Effort:
Difficulty:
Label:
Description
| No | Difference |
|---|---|
| 1 | `content:!"\|38\|"; distance:option_len; within:1;` (option_len == 7) |
| 2 | `content:!"\|38\|"; distance:7; within:1;` |

Rule 1 (sid:1, distance given by name):

```
alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
```

Rule 2 (sid:2, distance given as a number):

```
alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)
```
In theory, the two detection rules above are identical. However, during detection testing, Rule 1 does not trigger any alert, while only Rule 2 does.
Upon reviewing and analyzing the debug logs, it appears that the following code in 'detect-engine-content-inspection.c' may be the cause:
```c
// detect-engine-content-inspection.c, lines 254-256
if (cd->flags & (DETECT_CONTENT_DISTANCE_VAR|DETECT_CONTENT_OFFSET_VAR|DETECT_CONTENT_DEPTH_VAR)) {
    depth += offset;
}
```
Since the analysis was only brief, this may not be the definitive cause, so please treat it as a reference only.
If you need any further assistance, feel free to ask!
P.S. The tests were conducted on the latest version, 7.0.7, and I have also attached the PCAP file used for the detection test.
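Added example (not part of the bug report and not Suricata's own code): a small Python model of Suricata's relative content matching that evaluates both rules against constructed request bodies and shows that `distance:option_len` and `distance:7` resolve to the same search window once `byte_extract` has stored 7 in `option_len`, which is the reporter's expectation for why the two rules should behave the same. The semantics it encodes are assumptions stated in the module docstring, not a reading of `detect-engine-content-inspection.c`; the request bodies are constructed here, not taken from the attached PCAP.

```python
"""
Toy model of Suricata relative content matching (added example, not the
project's code).  Assumed semantics:
  * cursor = end of the previous positive match (Suricata's buffer_offset)
  * distance:N -> search window starts at cursor + N (clamped to 0)
  * within:N   -> the pattern must end no later than window_start + N
  * a negated content matches when the pattern is absent from its window
    and does not move the cursor
  * byte_extract N,OFF,name,string,relative reads N ASCII decimal bytes at
    cursor + OFF, stores the value under `name` and moves the cursor past them
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    distance: Union[int, str, None] = None   # literal, or name of a byte_extract variable
    within: Optional[int] = None


@dataclass
class ByteExtract:
    nbytes: int
    offset: int
    name: str


def _resolve(value: Union[int, str], variables: Dict[str, int]) -> int:
    """A distance given by name is looked up in the extracted variables."""
    return variables[value] if isinstance(value, str) else value


def run_rule(payload: bytes, steps: List[Union[Content, ByteExtract]]) -> bool:
    cursor = 0
    variables: Dict[str, int] = {}
    for step in steps:
        if isinstance(step, ByteExtract):
            start = cursor + step.offset
            raw = payload[start:start + step.nbytes]
            if len(raw) != step.nbytes or not raw.isdigit():
                return False
            variables[step.name] = int(raw)
            cursor = start + step.nbytes
            continue
        relative = step.distance is not None or step.within is not None
        start = 0
        if relative:
            start = max(0, cursor + _resolve(step.distance or 0, variables))
        end = len(payload) if step.within is None else min(len(payload), start + step.within)
        found = payload.find(step.pattern, start, end)   # match must lie fully inside [start, end)
        if step.negated:
            if found != -1:
                return False          # forbidden byte present in the window
        else:
            if found == -1:
                return False
            cursor = found + len(step.pattern)
    return True


def rule_steps(distance_for_38: Union[int, str]) -> List[Union[Content, ByteExtract]]:
    """Both rules from the report; only the distance on the negated |38| differs."""
    return [
        Content(b"Authorization:"),
        Content(b"5f71ycy", distance=0),
        ByteExtract(1, 0, "option_len"),
        Content(b"\x38", negated=True, distance=distance_for_38, within=1),
        Content(b"\x37", distance=-1, within=1),
        Content(b"\x49", distance="option_len", within=1),
    ]


RULE_SID1 = rule_steps("option_len")   # distance:option_len
RULE_SID2 = rule_steps(7)              # distance:7

# Constructed request bodies (assumptions, not the reporter's capture).
# After "5f71ycy" comes '7' (option_len), then 7 filler bytes, then the byte at distance 7.
MATCHING = b"GET / HTTP/1.1\r\nAuthorization: 5f71ycy7abcdefgI\r\n\r\n"
HAS_38_AT_DISTANCE = b"GET / HTTP/1.1\r\nAuthorization: 5f71ycy7abcdefg8\r\n\r\n"
I_ONE_BYTE_EARLY = b"GET / HTTP/1.1\r\nAuthorization: 5f71ycy7abcdefI\r\n\r\n"


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Run both rules; under the modelled semantics the two results are always equal."""
    return {"sid1": run_rule(payload, RULE_SID1), "sid2": run_rule(payload, RULE_SID2)}


if __name__ == "__main__":
    for name, body in [("matching", MATCHING), ("has_38", HAS_38_AT_DISTANCE), ("I_early", I_ONE_BYTE_EARLY)]:
        print(name, evaluate(body))
```

Under this model the two rules agree on every input, which is what "in theory identical" means here; running the same three request bodies through a real Suricata 7.0.7 with both rules loaded is the corresponding check for the actual engine, and a result where only sid:2 fires reproduces the reported behaviour.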