diff --git a/src/decode-events.h b/src/decode-events.h
index 96810e3241..69ea27d7d2 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -171,6 +171,7 @@ enum {
 STREAM_TIMEWAIT_INVALID_ACK,
 STREAM_PKT_INVALID_TIMESTAMP,
 STREAM_PKT_INVALID_ACK,
+ STREAM_RST_INVALID_ACK,
 /* should always be last! */
 DECODE_EVENT_MAX,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 540746ad5a..1cd9e6aa48 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -3399,11 +3399,24 @@ static int ValidReset(TcpSession *ssn, Packet *p)
 StreamTcpSetOSPolicy(&ssn->server, p);
 os_policy = ssn->server.os_policy;
+
+ if (StreamTcpValidateAck(&ssn->server, p) == -1) {
+ SCLogDebug("ssn %p: rejecting because of invalid ack value", ssn);
+ StreamTcpSetEvent(p, STREAM_RST_INVALID_ACK);
+ SCReturnInt(-1);
+ }
+
 } else {
 if (ssn->client.os_policy == 0)
 StreamTcpSetOSPolicy(&ssn->client, p);
 os_policy = ssn->client.os_policy;
+
+ if (StreamTcpValidateAck(&ssn->client, p) == -1) {
+ SCLogDebug("ssn %p: rejecting because of invalid ack value", ssn);
+ StreamTcpSetEvent(p, STREAM_RST_INVALID_ACK);
+ SCReturnInt(-1);
+ }
 }
 switch (os_policy) {
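Review bot: Both new `StreamTcpValidateAck()` calls in ValidReset run on every RST, and nothing in the hunk checks that the packet actually carries the ACK flag. A RST sent without ACK has an ack field with no meaning, so unless StreamTcpValidateAck() already returns 0 for such packets (its body is not visible here), a reset the endpoint accepts could be rejected with STREAM_RST_INVALID_ACK and the tracked session would outlive the real one. If the helper does not handle this, guard each call with something like `if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(&ssn->server, p) == -1) {`, and the same for `&ssn->client`. The two added blocks are otherwise identical, so a single check after the if/else on a `TcpStream *` chosen in each branch would avoid the duplication. ValidReset starts and ends outside the hunk, so the direction test that selects the branch is not visible.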