Bug #7318 (closed)
flow: flow timeout pseudo packet triggers unexpected alert
Description
Given the following rules:
alert tcp any any -> $EXTERNAL_NET 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
alert tcp any any -> $EXTERNAL_NET 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
alert tcp $EXTERNAL_NET 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
alert tcp any any -> $EXTERNAL_NET 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
alert tcp $EXTERNAL_NET 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
and the attached PCAP, the last alert in the output is for SID 9901033, but with a timestamp of the first packet in the stream. This is a pseudo-packet generated for the purpose of finishing up any transactions on flow end, as it is determined the TLS transaction is not yet complete.
However, given the timestamp being reported, the alert doesn't make much sense and likely shouldn't be triggered.
An SV test to show this behavior has been created: https://github.com/OISF/suricata-verify/pull/2080
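To make the flowbits chain above concrete, here is an added Python model (not Suricata code and not part of the report) that evaluates a simplified version of the five rules over a constructed packet sequence ending in a flow-timeout pseudo packet; it assumes, as the report describes, that the pseudo packet is seen as to_server, carries no payload, and is stamped with the first packet's timestamp.

```python
from dataclasses import dataclass, field

TLS12_FATAL_ALERT = bytes.fromhex("150301000202")  # the |15 03 01 00 02 02| content match

@dataclass
class Packet:
    ts: float
    to_server: bool
    flags: str = ""        # TCP flags, e.g. "S" for SYN
    payload: bytes = b""
    pseudo: bool = False   # True for the flow-timeout pseudo packet

@dataclass
class Flow:
    bits: set = field(default_factory=set)   # flowbits persist on the flow

def match_rules(flow, pkt):
    """Return the sids that alert on pkt, updating flowbits as the rules do.
    Rules are checked in the order listed in the report (set before isset)."""
    alerts = []
    alert_payload = pkt.payload.startswith(TLS12_FATAL_ALERT)
    if pkt.to_server and pkt.flags == "S":     # sid 9901001: flowbits:noalert
        flow.bits.add("tls_tracker")
    for to_server, sid in ((True, 9901031), (False, 9901032)):
        if pkt.to_server == to_server and "tls_tracker" in flow.bits and alert_payload:
            flow.bits.add("tls_error")
            alerts.append(sid)
    # 9901033/9901034 have no content match: an empty pseudo packet satisfies them
    for to_server, sid in ((True, 9901033), (False, 9901034)):
        if pkt.to_server == to_server and "tls_error" in flow.bits:
            alerts.append(sid)
    return alerts

def run_flow(packets):
    """Evaluate every packet in order; return one (sid, ts, pseudo) per alert."""
    flow, out = Flow(), []
    for pkt in packets:
        out.extend((sid, pkt.ts, pkt.pseudo) for sid in match_rules(flow, pkt))
    return out

# Constructed flow: SYN, SYN/ACK, client TLS fatal alert, then the flow-timeout
# pseudo packet (to_server, no payload, timestamp of the first packet as reported).
CONSTRUCTED_FLOW = [
    Packet(100.0, True, "S"),
    Packet(100.1, False, "SA"),
    Packet(100.2, True, "PA", TLS12_FATAL_ALERT),
    Packet(100.0, True, pseudo=True),
]
```

Running `run_flow(CONSTRUCTED_FLOW)` ends with a 9901033 alert whose timestamp is that of the first packet, because tls_error is already set on the flow and the rule has no payload requirement that the empty pseudo packet could fail.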