Suricata

The check for the "ttl" option when a range is specified is very non-intuitive.

Example:
ttl:33-64 A packet with TTL of 64 does NOT match. The check in the code (src/detect-ttl.c around line 87) is:

else if (mode == DETECT_TTL_RA && (pttl > dttl1 && pttl < dttl2))

Using ">=" and "<=", respectively -- the inclusive range -- would be much more intuitive (and compatible with snort).