Suricata

Given a rule like:

alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)

Test what is the behavior for when there's a protocol updagrade (for https or tls, for instance).

Ideally, the rule should still match, as with what happens for a rule like:

alert http any any -> any any (msg:"tcp, pd in the protocol field"; sid:403;)