From f65bf4c7eac75992151b0983ec9a36c7512cb96d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 25 Mar 2020 15:07:39 +0100
Subject: [PATCH] flow/tcp: consider pkts established based on 3whs

---
 src/flow.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/flow.c b/src/flow.c
index ad0001441e..ca42f73be0 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -475,14 +475,17 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
 SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
 p->flowflags |= FLOW_PKT_ESTABLISHED;
+ } else if (f->proto == IPPROTO_TCP) {
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ if (ssn != NULL && ssn->state >= TCP_ESTABLISHED) {
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ }
 } else if ((f->flags & (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) == (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) {
 SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
 p->flowflags |= FLOW_PKT_ESTABLISHED;
- if (f->proto != IPPROTO_TCP) {
- FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
- }
+ FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
 }
 /*set the detection bypass flags*/
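Review bot: The new TCP branch tests `ssn->state >= TCP_ESTABLISHED`, an ordinal comparison that treats every state sorting after established as established too; the state enum is not visible here, but if the closed state sorts last, a session torn down by a RST before the handshake completed would still get `FLOW_PKT_ESTABLISHED`, which is presumably what established-only rules key on. Either compare against the states that are meant to count, or document the reliance on enum order with something like `/* relies on TCP state ordering: every state >= TCP_ESTABLISHED follows a completed 3whs */`. When `f->protoctx` is NULL the branch sets nothing and no longer falls through to the both-directions test, so a TCP flow without a stream session never gets the flag; a one-line comment stating that this is intended would help the next reader. The branch also lacks the `SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);` line that both neighbouring branches have. FlowHandlePacketUpdate starts and ends outside the hunk.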