diff --git a/tests/detect-negated-content-absent-buffer/README.md b/tests/detect-negated-content-absent-buffer/README.md
new file mode 100644
index 000000000..a5b9b8e39
--- /dev/null
+++ b/tests/detect-negated-content-absent-buffer/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-negated-content-absent-buffer/no_referer.pcap b/tests/detect-negated-content-absent-buffer/no_referer.pcap
new file mode 100644
index 000000000..0ef6c2e98
Binary files /dev/null and b/tests/detect-negated-content-absent-buffer/no_referer.pcap differ
diff --git a/tests/detect-negated-content-absent-buffer/test.rules b/tests/detect-negated-content-absent-buffer/test.rules
new file mode 100644
index 000000000..e4e8a29d7
--- /dev/null
+++ b/tests/detect-negated-content-absent-buffer/test.rules
@@ -0,0 +1,6 @@
+# Test to ensure it works without a negated content
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+
+# Test to prove FN when Referer is not included
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FN test for Referer"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:6;)
diff --git a/tests/detect-negated-content-absent-buffer/test.yaml b/tests/detect-negated-content-absent-buffer/test.yaml
new file mode 100644
index 000000000..a5dbf4fae
--- /dev/null
+++ b/tests/detect-negated-content-absent-buffer/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
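Review bot: The comment above sid 6 in test.rules, `# Test to prove FN when Referer is not included`, contradicts test.yaml in the same commit, which asserts that sid 6 produces exactly one alert; as written it reads as if a false negative is the expected outcome rather than the regression being guarded against. If the intent is that a negated `content:!"example"` on an absent http.referer buffer must match (which the linked issue presumably describes), the comment should state that, e.g. `# Negated content on an absent Referer buffer must still match (previously a FN, see issue 2224)`. The `msg:"FN test for Referer"` text carries the same confusion into the alert output, though renaming it is optional. The `should alert with _any_ pcap` remark on sid 1 is also overstated: `bsize:1; content:"/"` only fires for a one-byte URI of "/", so the expectation is tied to this pcap's request, not any pcap.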