<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">Hi,<br><pre>Someone check this on snort v2.9.3(.0) please?<br><br>ok first test, snort not fire = FN
 alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; rev:1;)
-> but why ?

ok second test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

ok third test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

test with simple wget command:
 wget http://www.kernel.org/abc.html
http request:
 GET /abc.html HTTP/1.0
 User-Agent: Wget/1.12 (linux-gnu)
 ...

Joigned wget example pcap file.

Please Credits to rmkml.
Suricata engine [OISF] fire every times, thx you.
Regards
Rmkml
<br></pre></div></body></html>