Bug #6989
tls.random buffers don't work as expected
Status: closed
Description
While updating some old tls signatures I noticed some strange behavior while using tls.random_time where it looks like the flow isn't being interpreted correctly. In the attached pcap there is a Client/Server Hello that exhibits this behavior.
The random time in the CLIENT HELLO is 54 b4 c9 7b and is observed going from 10.10.1.1 -> 200.87.8.4. The following rules match on the CLIENT HELLO data with the only difference being to_client/to_server; based on the network traffic we would expect that CLIENT HELLO DATA - to_server (sid:1) would alert; instead CLIENT HELLO DATA - to_client (sid:2) triggers.
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
Eve.json:
"event_type": "alert",
"src_ip": "200.87.8.4",
"src_port": 443,
"dest_ip": "10.10.1.1",
"dest_port": 1117,
"signature": "CLIENT HELLO DATA - to_client",
Conversely, the random time in the SERVER HELLO is 54 b8 f7 73 and traffic flows 200.87.8.4 -> 10.10.1.1. My signature SERVER HELLO DATA - to_client (sid:4) does not alert; SERVER HELLO DATA - to_server (sid:3) alerts instead.
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)
Eve.json:
"event_type": "alert",
"src_ip": "10.10.1.1",
"src_port": 1117,
"dest_ip": "200.87.8.4",
"dest_port": 443,
"signature": "SERVER HELLO DATA - to_server",
Thanks,
Isaac
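Added example, not part of the report or of Suricata: a small parser that pulls the 4-byte gmt_unix_time out of the random field of a TLS ClientHello or ServerHello record and pairs it with the flow direction that hello travels in (ClientHello is to_server, ServerHello is to_client). The handshake records are constructed inline with the report's two random_time values so it runs offline; this is the mapping the reporter expects the rules above to follow.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal TLS handshake records (not taken from the attached pcap),
# carrying the random_time values quoted in the report.
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def build_hello(msg_type: int, random_time: bytes) -> bytes:
    """Wrap a hello body in handshake and record headers (constructed sample)."""
    # version, 32-byte random (gmt_unix_time + 28 random bytes), empty session id
    body = b"\x03\x03" + random_time + b"\x00" * 28 + b"\x00"
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\x13\x01" + b"\x00"               # chosen suite, null compression
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs

def hello_random_time(record: bytes):
    """Return (msg_type, gmt_unix_time bytes) from a TLS handshake record, or None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None                                 # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None                                 # not a hello message
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None                                 # truncated random
    return hs[0], body[2:6]   # random = body[2:34]; first 4 bytes are gmt_unix_time

def expected_direction(msg_type: int) -> str:
    """Flow direction in which the hello carrying this random is seen on the wire."""
    return "to_server" if msg_type == CLIENT_HELLO else "to_client"

def classify(record: bytes):
    """Describe a hello: which side sent it, its random_time hex, and its flow direction."""
    parsed = hello_random_time(record)
    if parsed is None:
        return None
    msg_type, rt = parsed
    ts = datetime.fromtimestamp(struct.unpack("!I", rt)[0], tz=timezone.utc)
    return {"hello": "client" if msg_type == CLIENT_HELLO else "server",
            "random_time": rt.hex(" "), "flow": expected_direction(msg_type),
            "gmt_unix_time": ts.isoformat()}

SAMPLE_CLIENT = build_hello(CLIENT_HELLO, bytes.fromhex("54b4c97b"))
SAMPLE_SERVER = build_hello(SERVER_HELLO, bytes.fromhex("54b8f773"))
```

Running classify on the two samples yields the pairing the report describes (54 b4 c9 7b with to_server, 54 b8 f7 73 with to_client); a non-handshake record or a truncated hello returns None rather than a bogus random.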