Bug #2050 (closed): TLS rule mixes up server and client certificates
Description
Suricata Version 3.2.1
Trying to detect our own expired certificates with a rule as follows:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"expired certificate found"; flow:established,from_server; tls_cert_expired; tls_cert_subject;content:"mydom"; sid:1;rev:1;)
The idea behind this rule was to detect server certs. Now the alert triggered on a client cert (2-way SSL), and the alert output was mixed (server/client cert data):
... "tls": { "subject": "<subject_from_SERVER_cert>", "issuerdn": "<issuer_from_SERVER_cert>", "fingerprint": "<fingerprint_from_SERVER_cert>", "version": "TLS 1.2", "notbefore": "<date_from_CLIENT_cert>", "notafter": "<date_from_CLIENT_cert>" }, ...
Given the rule (traffic direction), I would have expected the client cert not to be considered here.
The client certificate DID have a matching tls_cert_subject in this case, though. I still consider it to be a bug (detection and mixed up logging).
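The check the rule above expresses (certificate already expired when the flow was seen, subject containing "mydom") can also be run over Suricata's EVE JSON output after the fact. The following is an added example, not code from the report or from the Suricata project; the EVE lines are constructed to mirror the "tls" event shape shown in the report, and on the affected version the notbefore/notafter fields of a mutual-TLS flow may belong to the client certificate while the subject belongs to the server one, so a hit here carries the same ambiguity the reporter describes.

```python
import json
from datetime import datetime, timezone

# Constructed sample EVE lines in the shape of Suricata's "tls" event type (not from the report).
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2017-03-01T12:00:00.000000+0000","event_type":"tls","src_ip":"203.0.113.9","dest_ip":"10.0.0.5",'
    '"tls":{"subject":"CN=www.mydom.example","issuerdn":"CN=Example CA","fingerprint":"aa:bb:cc","version":"TLS 1.2",'
    '"notbefore":"2016-01-01T00:00:00","notafter":"2017-01-01T00:00:00"}}',
    '{"timestamp":"2017-03-01T12:00:01.000000+0000","event_type":"tls","src_ip":"203.0.113.9","dest_ip":"10.0.0.6",'
    '"tls":{"subject":"CN=api.mydom.example","issuerdn":"CN=Example CA","fingerprint":"dd:ee:ff","version":"TLS 1.2",'
    '"notbefore":"2016-06-01T00:00:00","notafter":"2018-06-01T00:00:00"}}',
    '{"timestamp":"2017-03-01T12:00:02.000000+0000","event_type":"tls","src_ip":"203.0.113.9","dest_ip":"10.0.0.7",'
    '"tls":{"subject":"CN=other.example","issuerdn":"CN=Example CA","fingerprint":"11:22:33","version":"TLS 1.2",'
    '"notbefore":"2015-01-01T00:00:00","notafter":"2016-01-01T00:00:00"}}',
    '{"timestamp":"2017-03-01T12:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.8"}',
])


def parse_eve_timestamp(value):
    """EVE flow timestamps carry microseconds and a numeric UTC offset, e.g. 2017-03-01T12:00:00.000000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_cert_time(value):
    """Certificate validity fields are logged without a zone; they are treated as UTC here (assumption)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expired_subjects(eve_text, needle="mydom"):
    """Return (subject, notafter) for tls records whose certificate had expired by the time the flow was
    logged and whose subject contains `needle` -- the same conditions as tls_cert_expired plus
    tls_cert_subject; content:"mydom" in the reporter's rule.  Note the caveat: a single tls record
    carries only one set of validity dates, so with 2-way TLS this cannot tell which certificate they came from."""
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        tls = rec.get("tls", {})
        subject = tls.get("subject", "")
        if needle not in subject or "notafter" not in tls:
            continue
        seen = parse_eve_timestamp(rec["timestamp"])
        if parse_cert_time(tls["notafter"]) < seen:
            hits.append((subject, tls["notafter"]))
    return hits


if __name__ == "__main__":
    for subject, not_after in expired_subjects(SAMPLE_EVE):
        print(f"expired certificate for {subject} (notafter {not_after})")
```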