Bug #239
Status: closed
Regression: this signature and pcap should generate an alert but doesn't.
Description
Processing the attached pcap and the following rule should generate an alert. However, it does not, and no HTTP requests are logged; this fails across all platforms.
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)
suricata -r /pcaps/tests/suricata200.pcap -s /testscripts/suricata200.rules -l /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/src/ -c /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/suricata.yaml
[14838] 2/11/2010 -- 11:18:54 - (stream-tcp.c:2882) <Info> (StreamTcpExitPrintStats) -- (Decode & Stream) Packets 9
[14842] 2/11/2010 -- 11:18:54 - (alert-fastlog.c:304) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[14842] 2/11/2010 -- 11:18:54 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[14842] 2/11/2010 -- 11:18:54 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
[Message: HTTP/1.1 200 OK\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Response Code: 200
Date: Mon, 21 Sep 2009 13:48:50 GMT\r\n
Server: Apache\r\n
Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\n
ETag: "9b30607-27-45ac0a3b"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 39\r\n
[Content length: 39]
Keep-Alive: timeout=2, max=200\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
Line-based text data: text/html
uid=0(root) gid=0(root) groups=0(root)\n
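To confirm that the rule's content pattern really does describe bytes present in the response above (so that the zero-alert run is a detection gap to investigate rather than a rule-syntax problem), the following added example decodes the Snort/Suricata `content:` syntax (literal text with `|hex|` segments) and searches a payload for it. This is illustrative code written for this report, not Suricata's own matcher: it handles only the bare `content:` option (no `nocase`, `depth`, `offset`, `distance` or `within` modifiers), and the HTTP response bytes are reconstructed from the Wireshark dissection shown, not copied byte-for-byte from the pcap.

```python
import re

# The rule quoted in the report.
RULE = (
    'alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; '
    'content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, '
    'policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)'
)

# HTTP response reconstructed from the dissection in the report (constructed
# sample, not the exact bytes of the attached pcap).
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 21 Sep 2009 13:48:50 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\n"
    b'ETag: "9b30607-27-45ac0a3b"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 39\r\n"
    b"Keep-Alive: timeout=2, max=200\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"uid=0(root) gid=0(root) groups=0(root)\n"
)

# Matches content:"..." and content:!"..." (negated), allowing escaped quotes inside.
CONTENT_RE = re.compile(r'content:\s*(!?)\s*"((?:[^"\\]|\\.)*)"')


def content_to_bytes(spec):
    """Convert a Snort/Suricata content string into the bytes it matches.

    Text between a pair of '|' characters is hex (spaces between bytes are
    allowed); text outside is literal, with backslash escapes for the
    characters that need them inside a rule (\\" \\; \\| \\\\).
    """
    out = bytearray()
    in_hex = False
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if ch.isspace():
                i += 1
                continue
            out.append(int(spec[i:i + 2], 16))  # two hex digits -> one byte
            i += 2
        elif ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))  # escaped literal character
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    if in_hex:
        raise ValueError("unterminated hex segment in content: %r" % spec)
    return bytes(out)


def rule_contents(rule):
    """Return [(negated, pattern_bytes), ...] for every content: option in the rule."""
    return [(neg == "!", content_to_bytes(raw)) for neg, raw in CONTENT_RE.findall(rule)]


def http_body(response):
    """Return the body of a raw HTTP response (everything after the blank line)."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def content_offsets(rule, payload):
    """Offset of the first occurrence of each content pattern in payload (-1 if absent)."""
    return [payload.find(pat) for _negated, pat in rule_contents(rule)]


def rule_matches(rule, payload):
    """True when every content: option is satisfied (present, or absent if negated).

    Simplified: ignores content modifiers such as nocase/depth/offset/within.
    """
    for negated, pat in rule_contents(rule):
        if (pat in payload) == negated:
            return False
    return True


if __name__ == "__main__":
    pattern = rule_contents(RULE)[0][1]
    print("content decodes to:", pattern)
    print("matches full response:", rule_matches(RULE, RESPONSE),
          "at offset", content_offsets(RULE, RESPONSE)[0])
    print("matches body only:", rule_matches(RULE, http_body(RESPONSE)),
          "at offset", content_offsets(RULE, http_body(RESPONSE))[0])
```

Running it shows that `uid=0|28|root|29|` decodes to `uid=0(root)`, which sits at offset 0 of the 39-byte response body, so a content match against either the raw stream or the reassembled HTTP body should fire; an engine that logs neither an alert nor the HTTP request on this pcap is not reaching the inspection stage at all.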