--- /dev/null
+# Description
+
+Created when a bug was found - pseudopackets were assigned with ACK flag
+and that falsely turned SYN flows to SYN/ACK flows.
+This only happened when content-matching rules were in the ruleset.
+
+https://redmine.openinfosecfoundation.org/issues/6733
+
+# PCAP
+
+The PCAP files comes from a private capture, free to share.
--- /dev/null
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: "155.166.235.43"
+ dest_port: 25
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 66
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: TCP
+ src_ip: "147.183.77.73"
+ src_port: 38212
+ tcp.state: syn_sent
+ tcp.syn: true
+ tcp.tcp_flags: "02"
+ tcp.tcp_flags_tc: '00'
+ tcp.tcp_flags_ts: '02'