flow/tcp: consider pkts established based on 3whs

diff --git a/src/flow.c b/src/flow.c
index ad0001441ec681abc7d64d35dd404613bf39c847..ca42f73be066c3ac8979915c47a39c2e5779b343 100644 (file)
--- a/src/flow.c
+++ b/src/flow.c
@@ -475,14 +475,17 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
         SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
         p->flowflags |= FLOW_PKT_ESTABLISHED;
 
+    } else if (f->proto == IPPROTO_TCP) {
+        TcpSession *ssn = (TcpSession *)f->protoctx;
+        if (ssn != NULL && ssn->state >= TCP_ESTABLISHED) {
+            p->flowflags |= FLOW_PKT_ESTABLISHED;
+        }
     } else if ((f->flags & (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) ==
             (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) {
         SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
         p->flowflags |= FLOW_PKT_ESTABLISHED;
 
-        if (f->proto != IPPROTO_TCP) {
-            FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
-        }
+        FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
     }
 
     /*set the detection bypass flags*/