Bug #6218
openxbits inconsistent behavior when running a pcap file.
Description
Hi,
I have a signature that uses the xbits keyword. Running a pcap file that should raise an alert gives inconsistent results (sometimes the alert is raised, sometimes not).
The rules are:
alert http any 80 -> any any (msg:"rule1"; flow: to_client, established; http.response_body; content:"activationToken"; xbits:set,xbits_flag,track ip_pair,expire 2; noalert; sid:1;)
alert http any any -> any 80 (msg:"rule2"; flow: to_server, established; http.uri; content:"/SAAS/API/1.0/REST/oauth2/activate"; xbits:isset,xbits_flag,track ip_pair; sid:2;)
I am attaching the pcap file. The first rule should match packet #6 and the second rule should match packet #12. The inconsistent alert is generated by the rule with sid 2.
I removed the expiry option from the xbits in the first rule and still had inconsistent results.
Thanks in advance,
Paz.
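To make the expected behaviour of the two rules concrete, here is a small model of xbits `set`/`isset` with `track ip_pair` and `expire`, written for this page as an illustration; it is not Suricata's code or the reporter's attachment. The packet tuples, timestamps, IP addresses and the names `Packet`, `XbitStore`, `ip_pair_key`, `build_sample` and `run_rules` are constructed assumptions. It shows the state the rule pair relies on: rule 1 sets a bit keyed on the unordered IP pair without alerting, rule 2 alerts only while that bit exists and (when `expire` is given) has not aged out, so the alert depends on the bit's lifetime relative to packet #12's timestamp.

```python
"""Toy model of Suricata xbits set/isset semantics with `track ip_pair`
and `expire`. Illustrative only; not Suricata's implementation."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    num: int
    src: str
    dst: str
    ts: float         # seconds since start of the (constructed) capture
    direction: str    # "to_client" or "to_server"
    body: str = ""    # stands in for http.response_body
    uri: str = ""     # stands in for http.uri


def ip_pair_key(a: str, b: str) -> tuple:
    """`track ip_pair` is direction-independent: {a, b} is a single key."""
    return tuple(sorted((a, b)))


@dataclass
class XbitStore:
    # (bit name, ip-pair key) -> expiry timestamp; None means never expires
    bits: dict = field(default_factory=dict)

    def set(self, name: str, key: tuple, now: float, expire: Optional[float]) -> None:
        self.bits[(name, key)] = None if expire is None else now + expire

    def isset(self, name: str, key: tuple, now: float) -> bool:
        if (name, key) not in self.bits:
            return False
        exp = self.bits[(name, key)]
        if exp is not None and now >= exp:
            del self.bits[(name, key)]   # bit aged out: drop it lazily
            return False
        return True


def run_rules(packets, store: XbitStore, expire: Optional[float] = 2) -> list:
    """Apply the two rules from the report in packet order.

    Returns [(packet number, sid)] for every alert raised. Rule 1 carries
    `noalert`, so it only sets the bit; rule 2 alerts when the bit is set.
    """
    alerts = []
    for p in packets:
        key = ip_pair_key(p.src, p.dst)
        # rule1: flow to_client, response body contains activationToken
        if p.direction == "to_client" and "activationToken" in p.body:
            store.set("xbits_flag", key, p.ts, expire)
        # rule2: flow to_server, URI contains the activate endpoint
        if p.direction == "to_server" and "/SAAS/API/1.0/REST/oauth2/activate" in p.uri:
            if store.isset("xbits_flag", key, p.ts):
                alerts.append((p.num, 2))
    return alerts


def build_sample(delay: float) -> list:
    """Constructed two-packet capture: #6 is the server response that sets
    the bit, #12 is the client request `delay` seconds later."""
    server, client = "192.0.2.80", "192.0.2.5"   # documentation addresses
    return [
        Packet(6, server, client, 0.5, "to_client",
               body='{"activationToken": "CONSTRUCTED"}'),
        Packet(12, client, server, 0.5 + delay, "to_server",
               uri="/SAAS/API/1.0/REST/oauth2/activate"),
    ]


if __name__ == "__main__":
    print(run_rules(build_sample(1.0), XbitStore()))               # bit still live
    print(run_rules(build_sample(3.0), XbitStore()))               # bit expired
    print(run_rules(build_sample(3.0), XbitStore(), expire=None))  # no expire option
```

Running the three scenarios shows the bit lifetime as the only variable the model allows: the alert for sid 2 fires when packet #12 arrives within the 2 second window, does not fire when it arrives after the window, and fires regardless of delay once `expire` is dropped. A real capture replayed with the same timing should therefore give the same result on every run; a result that varies between runs of the same pcap is not explained by the expiry semantics alone.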
Files