From 7876dcaaf6fb5c67bbd274150301efee43328777 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 28 Feb 2023 12:00:31 +0100 Subject: [PATCH] tests: add test for bug 5881 stream overlap issue --- tests/bug-5881-01/input.pcap | Bin 0 -> 15946 bytes tests/bug-5881-01/stream-events.rules | 109 ++++++++++++++++++++++++++ tests/bug-5881-01/test.yaml | 9 +++ 3 files changed, 118 insertions(+) create mode 100644 tests/bug-5881-01/input.pcap create mode 100644 tests/bug-5881-01/stream-events.rules create mode 100644 tests/bug-5881-01/test.yaml 
diff --git a/tests/bug-5881-01/input.pcap b/tests/bug-5881-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a058179dad9d6a51cff4cb22924bf97a3120e1f3 GIT binary patch literal 15946 zc-rlo1yEeu`sKT6+}+*Xg9H!m?gR)L+$97EE&+lCm*7tDpuvJW0fIx&pg{u!o$ll& z?8+31j zz7e6m^ESW00|dc83x4MbLU`P;CRGp?gb8fEo}c6omjN@SvoP=OlvBU)%Ald(5yvmt z-5@+L8-W|lGM4@Cw58SkrcDoM`a>IpN4NFgX=AU2@W{)*Yvb1YcWn~a@BnTwhxO^JM+d(Qz#G0f0X=MMGE+h6k9z57q`bBmq$T-x->419xws!b-OaLNy$ng93zbzyR02u&4Z0F`;W$NPk$kok-)ymb)-rR-tk)xxn zIjgCI9RLpixC5U703ZU80f>5f021)8@Bst>Bmflnx99*=05a5LPWZ>Ju8wRRtQ-Is z01WUO90mL`TxbwHG&B$f1O!RKK@)-QkwzyJn+|FE0oL z2T%?8f9?TUNRLVpep!s5ZpgwmJpFB9%Z_KWDfpoS0$m%wFC_3H3WF>r2%`kdn1lg* zJ0t-xlb{|5Ls$JjG4SwzW#EE9059-Db_an(_h@&CRvMw@q!f#cgx^P;N~j?(;1T-! zlnAF4!PVLSkBbot%wYx36ch*=Jjv9M*{w*DI_t?V*PzMNv-50s)Vzq!cUAk;+v)$2 zMY?cM9U2=vJP?Qnex}wmT-&K;xb%q87e#J?#cR>FX5Zv-G_aw4)x)p2L$%W#M#u_& zAts9u0cni!VmzBXcfXU%_#w+(e7yl&L`nBE^c!e$2~DBf*_zsdM8t5pzPY6NM%h`I zYTxal>afTIKS>Tjg$-ZL*RkGx#!-S216qT^8b;WlImy>Zio49kpd^lvYz|u zv*^bBXOUn*+(ml_~G| zvrx@g;WZBCA0)zxoA7*?(5dJm)(%AF&{aY{9pg4lsOUsr{DedeI}(yg?%_1PAxuHH z>k!rRp5aZ|hy9WMW*eh2`SAU8(l(hexOALPZ0+n}T;&7BE;N3r%c%30z%MC=adIvR zwY;AbX0{R4Vgw6IYO(c1(v)CrX!+%mm|k7=Jh4^@H<>Vdlz~W(CkZ3lT(5%i)E2cs zo3Zo3Yj>USv%Y%^!h$t!PBA&xp6l{w4J3O8SlNb6ND(9DM}1r&R70taI(hfFJus1S$0=b#E!f) z8OVK;dUy$&6z|y~bkR^?S3A!@g%VEFH+x^}i*lhl1Y4CFdB8Y&W-mSOU%G%EzmVu6`Z_r+yAf&% zGcpDxb{!(9;Uphyl+|uzoTA+sjo_DI_b&W_l-x#ekY(zf>DgILx|2n!rX8i~sVk$j z(Qx0a$kV9Pg2?no1*tbRh2nW*XK6W5WrZn)0j=&xY0m1;2zQ7%jTzW-)}Dr5LrmR*RJ>sZt|0(?vs*;mtM99yjrlCgR`bAKk z^%%T05~kKocxC-ki*kIOOQlf3XpiwJ&TL%_Sa@(tbBMC^*lnfvIH>K;k`t@zC10s@ zAzcJKl#dDUw3A91D+({tjcF8Ml|2WZ+#772xVL2RBsL?zUE7C#G>#OVL!e+E8`gZ1 zj0S~(@Iy3e8xjT{7oJnMS+;>Y-i1K%QOc;3kXHp^#zY9W^p~Qb!XpL?OoDMq?KT8B zamnP3mnS8p2hO5iCk#fq0yxTxQU&pS91ikOGGQk!hcP4XEy^9ugm4yW?Bgmw0?U;~?vQ#2VNzJF0ghxsG$nkV1MZXP8gi ze!`5VNm|UHRQ;$Xp_NmT?6G<~TOo(xD~6%-gB!i6Qu9f5GB~ofXD!jPz!e2bSRb-9 zca@AY*i|ZCrHqXe8CE`u)bXgY6@3NRvgJu#s?m5WdYVsURk`#8_cVpmn{{zz;w}0H 
zFV5?bbh;X;`M)&tZj@9ptezO*BYr+t71I!JUDKkelO9REhZo55^6UA%!b%kxg139D zg$M5=KDuBrv2)gY&6LTE#;3m_A3iYSVULA){M+9>zW1BQtNrTnFSfsVJU$>$zVKI% ze@)KwoQg0oN@&S7)Y&RABSzUJ5df$Ap%TdiFduuyRf@3^?( z@!t4)tx+r@s{-wbbXU)uxPwegFdx75Yr$#ieUd_q+s@yJdlTm^dv0DW@iy3BGE&VL zq)CRG>BA%5Co!9`o^BjDJzx)`1k(@0+kOsn-#AxCUMbZd5s%5SX9({8N>-(u4e3;O z9#IA-1`Hx&T<^9xi%6?p=qzctp4o)kr?L2i^~8}55uUKF`yLV1U60&qXYzDun`TZk@sT*=Fl@`>}DDH5tOU>=`#-+ z%0WAsy|op1hLy^Nwq3I+Jw8uav$5T%beAPr`!?6#qsNs5cB_YHqO8;=H{Qcy+843k z3PLSu09bTc7#Ph;W;|D4oR?5~_D)cKXS!FPW?)WZ+t@U*XV)|K5-)%*TU24&q_n@Y z2|53yu?-%BLHnga$o}sf`yOYY@$H%g^h5qvlf~x|DTc_QD=G7q44q>NNqEY2)IIR5cy$nwxWSGW9k< z+tPrh5(~ZG?*c1eWKgqQL+NPSxcrODvrUt97ZHj}HcP58MJ}zq!Up2?o!xCGRLn)Z zImG;nX_1=EYoL{T9Q5geW*Kq6YK#YlAp95erWC4+G32ltkHD%Eaav$WW2qWn>4}gl z1GiVU?J;%qr~QRYX^I}CHy8Rl)6ZufH5Tn%`0xc)8MC>$58)U}K6$s?HXU|3B`GN! zCK`apCJ00u)b>@keqD`3%NyFui>(u;@k~5j$l?-s+~L~(+;Hdpl=YUmTu*NzzTf*% z3^yUZ02XmyRf&N7SdCWN-DyvC^@pS=3#8)%7p4anPLoi0_?39vRro`wGeiQ7IOeb) znFhrIyqtDM0lWG!v+N)FB;m{WP^3PK(vDMnw(HLFoZLv8;0@jh(-f{~pP`yyvS)j} zYp89u`H)l26CRk6!q?ko;g0{7$4PZzmgxdXoStI7W_(8>(KZmlyN(Js{%YPnYvP6A zt@RfhMqpMwK zwW@Nqj5-xY3AwKtlcDQ?C?NgQqMm-fMy16Cu+TWmib1^Wl)4E33l$@@9%R|Taj2Bk z$Hyhv;p?1{tZWUZLZ=i9x4)I zDk9yxyQuw}0Vt*d;=A)~(V$ws8Sng0JApS0Fx%e37*%^ryGj`& zt6{ovT}*HnGTCLD{RV+50=Gr*!OXAPxyr8sG#+_EI414!yR$Yk4_klhB z6#Q8qa!3N8PeFYUkJsb))#G1=|L}O2mR~&{I@a+kQUCRFh29K2rdKwpMlmotHACU@ z^Q%OJvbt2$kU8-exh4@b8F1{kX-}Bkwk!yh7X|5ygS#_@eH*DUU`9JXO1nWRf;t~+ zBqrf1WUEI-Rn=*&)y$NbjCy=9;S1?A`V#xTPp*e(Utr-rbdX=DMbKuYGBUE2Q0t_X zDq7T#4E472WF0Y3rSXAKgNQnrToaZZ=8nz%Y8x`#l!!*pTJEhhBA&opELf%H-l4r` z9BXp#6LXb8dY4KjrgOE-y3EN0$x~(kDm*-a(htTXts|(Db+JAv$1!i(Uk#As^*KDz zl`Fe$icDc8hemiHj|xJh`5e~zk?eU8Ox1lmr5GV$D!hYPf44vs4r~S{Zg&5ZA zQf-+exdNuC5#UnI1y3FbQ(tIPOz_EusTIVo-Ysq2#M1kEsOn6NZATB2Z|4J1;f zP-@EApsyVlL=|Bh!)#e82D`2MDH-SLlf{X=$>mXv1ggbA;7 z#JYW}RgDMwY?|+@dL9HQ%5WA>m`=uBDr9&ZhahGwi-APfZuF&$Yqlv_fPMMu$**3+rgdT6xR@zMxc84aO*E|8=W9czh{n%p0il?~qd_VugN8-Rg_xrrnEArAg=^1_9fW1XXqRah 
z6MUW9-YLg7QK)Cio4qKPw~a($EffSJxs=FrtX7I-6fK?YNq$HvLO{X6X2`-a_5QskVTAyxfx|=L zyYSOoO)L+2T63Y&p0{SxECEN{B(toLYe}jhQS&LmBm6VH0tr9YIp(<|#cuRr!bTuZ z{fuHnDN2o|?h}X3SV?)!H=k%cdcRtu+zb7vo9)3_fBbsq=vl%p=G#PuXxQWz{1HJ#? zv#t%q1INK0=neKi@9!Sy4eI~qfknT1V2bPy4-C`)>4D)84~$}9S*la=f7CS2WL71& zxiGVA0^m<%5gK9!b!BEdicD$)Ddt#H-`Iyj{Z3--jFX0XM6aZ*|&lfrvZsh zBNO3GaJ;chZ!u%ltHH;aQZQ+4-AVXHsU10I&F~KeKXc2za+2I=i&roxvP7t%^r_dP zw_XL&0qzbL+6BEBID;?Z8uQM55nifMuf2K=g|Hn(NbBrl>|kIoAFbpnMudqOC!HgN z!BS9{NyCIVw#~`oxF=SY`?!EB0B#s+vd2()Izj+L>n@->;{&@vg!FY>^^0Q7RE3cN z3QACG=TWtCGM-3{e1xL~8yD)xxx7YQ$WYmb)qU?owOS-&)IIw)8j6zR&s$EJ9S93i zyW@i5y!ldWtc>*z(46d+6zPe23_K2l+DXt$*mE;>4?|e_AB|q(xOCqQwgDmnU=+6G zhKO{EXLkKQ+i={N0l59R?TgCP$1i$GmVK0^%<))oJCxpRwXg?fqkdk{NBp2C0`kQ5 zmbBh0M;G#q|!^s<|gKo z`v+OdF(b3^yU*!2t27xOG14C}sYONcqC8L*GK!V+QQZCbd20&W8sD#fSOm@|dR*X` z#na?8-kqW+;tAbl-;@r1kA&{2f2IkJ!YB`&_K0Q_pZrBDKDp=A8#kv;mW&{VJp4ph zL&-Y7M89}LGXLHI;mlt6$$3fFO3SsYDj=lw3fr(3t8n(vS9H84EY>im386x@(Fd4~n3Lwa;I3tO3d zz7T)NwEv*J!va7WV=w!$ebkt5czid@LcP?R!!6oB9frmoXLPV&%Nixi+wm}u01FYy>n~DJvgzu_2k{&gD>UnX{+@; zEk&5EeD)%VyPI78*cTS-4r3Q@nr(FMUMoF1lO^d%OP2P!Drn;j811P~ox~*2>Jqv) z7G*}+SN*KDTaKJ53FENB%4$j7k`FKCaMBKjiL!D24JqFCu{A;`Psr%Yt5lJdFi%AGJ!0XhflbUHAZ*e_x{(Fqa_S(t zfL1;s#>4GtB(wABMgTU%(`~q%7ahu6mp$RHir89*WZ7{7uM`yUU!w4pcIY9&mvFlJ z5%r}ljV@^+(0CqD1s$}}1}5LezGs^1NP=u4N(y^xR9kMGtVpb#PI^baQcaPZmtogbwskH_x!eMazXp4EGqp+V=ScNIf^IEx7{XMT>0+ zf8#;{n*!u>w;wv%mQmo(P5ur@CWA1fd;cyYBi0Wc9iYMt4i=m4kK9}Fl52;*NHtdbR1xP7QUYGCb{JVXyByPm_menXc#- z)*YAD`M1PmPLQRyQCaQ#3irt?8HcWcI-8dx6X#mUo1cH_O1TMvXbQ1M1}wk;z8#VP zn1%0})G&V2l>Xy=75e?u%!-v=^a^y<>XBb6CM5>jBQU)epHdr_Cku_7kdF)&qI(tmxN(4q0-5DG@xPp60PPXgf-B z^?X%QT6%9k36~mp!pT>L!@Z)6TK#B&o-$$cEboQEo_iv4@j>{TC@4V9QZ-bcM)N2T zJ(4|oS=lq@j#Z&3G-C)Gx;u}`@sqnIhErHlGBqEnk*X8=`na3`5#1Pd+yMR8kVHC* zWl@m|Y5vuQMVC9VzIST{`MS?u5NUgbJim!E@YXC|OEoVz7)7QNRGKl^-X~7_IH2Co zy}tc9J=909#Yk>@UZeS0p10rIG^+;Mmi4sG_01Mv3#sSB%`R1A6x5XhkD^v;?cT8qi=KpgDeJ8HrT2=(OCVh{kT_ 
zd-3>jc~LbC+2m0ehH+oyp;l;F2Y~&k)RyygPD%~$47!6e@ykPQI9*6AZ^Nl}|wINK`Lhi@MxZ9S-+ z{&Imd_lnw-cuTu@9f8?DDBQsU4PEsI{dS}w8t1`5yFd~v9+%;V#Hm_V7Zh`A)<*G>9$-Sz2VThPLAkmuLXyY3tT z(4L=}RDzT#is`l}GEGrVf7`AARMx{N9e;{IJ#$y5nFoM+v8MD_pJs@isu-9<70Axf zk4Vizk}Jn&?}wvRt$AL?lT##ns?bo`4AtTT72FK0=g*fvP^UF-CzDdo{aB=hk(>6N4*Do3DXcxUZfXFPU?OI_H&A;TGdKe;U)^%E zj^iwgv3eX|%X>H2xyCXjT97gh%3Uj{>w&{BnHucaW73Z-al_L;_(5-naVoTHSiyT=Xldg=6~2#DDp|{@XwH$b!u*M&l}02 zvcDPn9GAG2Dv6AA!VcuGBt*^n@T7v>8fBmMd8us}YWX(a!dFQHdJMQ80wbWFR8M)*{L25l4wIR6Tcu8RxEi6-nPU~7j=<@?)kBtCFREHt%FhCw-J$? zP=4;9*2x=JBlEdVmc!ZCl@8vpYt7xeB?f34rW|XF{-D1wTrtzEq^x(r<{xo6Whoh zvl%>PU)&*sl2UWkh22+bVkWg9I-wYY5*6uWYm`j-xrgeZQ-W*?UA>!034KHhSo%*Z z$2G?^vHI69vSCnwgDwlQ$HjJ{*nty7n7pPQ3~W~~rB{yqIRhw>^It4_w`V?C#$sbu zdnO^QzeYu{Wyff{M0o(~P(Mu(a(oy6%Gqh_a=N=AIWXJpiJ>FDufcN(mZvLL)jU>e zD^Fj>Ry^>3n_;iBNH6OBpxL-&bn`Zn{n={G>$hZBX@h$CmhS`2hj_)~)!lV+p0du) zHfYZri0<{`d8f9=S=cxdet~ytk^RtO!u;HxmY;ftXkN{A2;@0w6r>$JoCMX4?8vY@ z!YLx4#N<1~SwyR3jBZtLuyI8reXXxCu#%o;q%pdwZ$d4ss{O?XL|0IuplE**EMt4ifIuvsUm1|xB3BTM;p8GE&sr+am!~?w2}4z(s5y#! 
z4iKpbnrN88V~x-T4f?w%%)KVkgc~0ac6<`JoZ@kRuOTdWFaO&|0*ey?T4fw$3IKrkNuFX;TnoPFX&OyL5fZoNwtv1$Rj}3#P`%VtasPF zgvlA!w!U>V(i!%ZoWHP7%Zp*Y%hVSCxMYX|l{@6WvCqaU3@MBsI@*oY`=1V!3{e4L zGy+imCL_}h%(#-0{xd@n8U>&ZK41MiL;Vj%>R&RzPDtkblaT^pKq^5fkhXa;0i?V% z{vz=(z-D7;;sun*ww6zy*a2jS3wV@Y?yUxmd@J_yZ^gEQ6uS}~5R6ywv)ERUVgrFN zh>(wK5E&5OCI-si3FztH-!?j+`(Ngr0b%|VsQ(Gn{{-rP0`)(E`v1DBK>S}_K?pM;1-7o*;9hFt$%NIZG^wI&arRY#Xoa-g~6>e2JPS{*WnND zFRk+f*{`Jljeq0y{}m6Mdtx{q{mT1RikS{(MMkV_y#-mIY?$&&c#|!jmTb*DIj19J zhzZ*Nvf73}tDOTG=5JIRkKu3So`>KeBEh-mPV!$nbh(frAdKylUm2kH-zxFxw@O4p zIN+=uqbc*V648+C17RqX|28`l-xza$#emEX9>PyXJcRLmcD~OzglGRdZ}J;&_CN7Z zoBGC^`HwuYpS&cyi003}@`F?~I5RS2#K;8UM?`XV14^J|1o?eF%;8fLeZ) z0m(UmBQoy>uUx+t!3K-gin@u{1XUhjDQ;8daI;6hp+8;rT64Q)G;00%+594)5!dq7 zcy-A(La-!`W+GMF1bSicDap;q@;>8P7S4^8%AS55i_)Cfnt*uoo_M<)Z{j86J?S?# z2ijlf9;)g)(M8kguCLw3>V-k8%ot-WBT>Vi+8=caIn0vF;}l8*hmi~mcHT7wR=RYE z&&d#L6kXcJkl@j9-5;yT1k_`j-zwe*MD{w%;5wIn7+heG6?&8OrRgh>5ixJ#gAzsf zJ9BAK1ag^6M|#$;9O1;yy$gnN&l9jK^rn^!A081be5$t^(o1<__q@wv7ut>GzaIr@%bZFG&|M!WIyo~e9jKb|hyq#VYIQoJWu^bTo@6VzJ{ zr7DhH!M*cc2Qppzdas_uq(1tzIoB3Uon$Lvms?NmOr+Wvuhjad6ch?N2hXy)qYwPU ziFW!-yMgXhE2YMa17vNQxVK$5FkS{CV}gVuIt@H_FI7_Lk-YRcA(G6VIWU0cb>x6_10cFY}7>nGh`0HE8mN zCK%U+qE#F$>YocrG+2&3Yrn4yWz^U>p=LMGsb|L)rH%XG@%GZXVofbmD67Yzbk}I+ z)a2SLTu+pQkyuN&+g67L{n=-aRGClo#&_Pvv!(8yoSud*XH5Vj&khlybmN87B{JXQ zr0h1`A_L$afR|gwUN0J!*K4M;?36s1)=$sz<#=UyDty+e*B=_nIer+#g zAA|YmTGDaU=jrK-Yq!01k-Od}iy@Q;3cRgx2?S@FzaPG(t7rv1ElM4d~SJDH$tITCs z&fl#Lj@_7n0u?^S3avpWoW6hzL178_n+-O11l(Y!L}Gq4SdcVi7zks~=5I6hAx&CD K>L)`6!uVfU3j#9$ literal 0 Hc-jL100001 diff --git a/tests/bug-5881-01/stream-events.rules b/tests/bug-5881-01/stream-events.rules new file mode 100644 index 000000000..4e034baee --- /dev/null +++ b/tests/bug-5881-01/stream-events.rules 
@@ -0,0 +1,109 @@
+# Stream events -- rules for matching on TCP stream engine events.
+#
+# SID's fall in the 2210000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+#
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake with ack in wrong dir"; stream-event:3whs_ack_in_wrong_dir; classtype:protocol-command-decode; sid:2210000; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake async wrong sequence"; stream-event:3whs_async_wrong_seq; classtype:protocol-command-decode; sid:2210001; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake right seq wrong ack evasion"; stream-event:3whs_right_seq_wrong_ack_evasion; classtype:protocol-command-decode; sid:2210002; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK in wrong direction"; stream-event:3whs_synack_in_wrong_direction; classtype:protocol-command-decode; sid:2210003; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend with different ack"; stream-event:3whs_synack_resend_with_different_ack; classtype:protocol-command-decode; sid:2210004; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend with different seq"; stream-event:3whs_synack_resend_with_diff_seq; classtype:protocol-command-decode; sid:2210005; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK to server on SYN recv"; stream-event:3whs_synack_toserver_on_syn_recv; classtype:protocol-command-decode; sid:2210006; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK with wrong ack"; stream-event:3whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210007; rev:2;)
+# Excessive SYNs or SYN/ACKs within a session. Limit is set in stream engine, "stream.max-synack-queued".
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive different SYN/ACKs"; stream-event:3whs_synack_flood; classtype:protocol-command-decode; sid:2210055; rev:2;)
+# Client sent an SYN packet with TCP fast open and data, but the server only ACK'd
+# the SYN, not the data, while still supporting TFO.
+#alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN/ACK ignored TFO data"; stream-event:3whs_synack_tfo_data_ignored; classtype:protocol-command-decode; sid:2210064; rev:1;)
+#alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive different SYNs"; stream-event:3whs_syn_flood; classtype:protocol-command-decode; sid:2210063; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; classtype:protocol-command-decode; sid:2210008; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; classtype:protocol-command-decode; sid:2210009; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;)
+# suspected data injection by sending data packet right after the SYN/ACK,
+# this to make sure network inspection reject tools reject it as it's
+# before the 3whs is complete. Only set in IPS mode. Drops unconditionally
+# in the code, so can't be made not to drop.
+drop tcp any any -> any any (msg:"SURICATA STREAM 3way handshake toclient data injection suspected"; flow:to_client; stream-event:3whs_ack_data_inject; classtype:protocol-command-decode; sid:2210057; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong ACK"; stream-event:4whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210011; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong SYN"; stream-event:4whs_synack_with_wrong_syn; classtype:protocol-command-decode; sid:2210012; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; stream-event:4whs_wrong_seq; classtype:protocol-command-decode; sid:2210013; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake invalid ack"; stream-event:4whs_invalid_ack; classtype:protocol-command-decode; sid:2210014; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT ACK out of window"; stream-event:closewait_ack_out_of_window; classtype:protocol-command-decode; sid:2210015; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT FIN out of window"; stream-event:closewait_fin_out_of_window; classtype:protocol-command-decode; sid:2210016; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT invalid ACK"; stream-event:closewait_invalid_ack; classtype:protocol-command-decode; sid:2210017; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING ACK wrong seq"; stream-event:closing_ack_wrong_seq; classtype:protocol-command-decode; sid:2210018; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING invalid ACK"; stream-event:closing_invalid_ack; classtype:protocol-command-decode; sid:2210019; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210020; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend"; stream-event:est_synack_resend; classtype:protocol-command-decode; sid:2210022; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend with different ACK"; stream-event:est_synack_resend_with_different_ack; classtype:protocol-command-decode; sid:2210023; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend with different seq"; stream-event:est_synack_resend_with_diff_seq; classtype:protocol-command-decode; sid:2210024; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK to server"; stream-event:est_synack_toserver; classtype:protocol-command-decode; sid:2210025; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend"; stream-event:est_syn_resend; classtype:protocol-command-decode; sid:2210026; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend with different seq"; stream-event:est_syn_resend_diff_seq; classtype:protocol-command-decode; sid:2210027; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN to client"; stream-event:est_syn_toclient; classtype:protocol-command-decode; sid:2210028; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED invalid ack"; stream-event:est_invalid_ack; classtype:protocol-command-decode; sid:2210029; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN invalid ack"; stream-event:fin_invalid_ack; classtype:protocol-command-decode; sid:2210030; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 ack with wrong seq"; stream-event:fin1_ack_wrong_seq; classtype:protocol-command-decode; sid:2210031; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 FIN with wrong seq"; stream-event:fin1_fin_wrong_seq; classtype:protocol-command-decode; sid:2210032; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 invalid ack"; stream-event:fin1_invalid_ack; classtype:protocol-command-decode; sid:2210033; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 ack with wrong seq"; stream-event:fin2_ack_wrong_seq; classtype:protocol-command-decode; sid:2210034; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 FIN with wrong seq"; stream-event:fin2_fin_wrong_seq; classtype:protocol-command-decode; sid:2210035; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 invalid ack"; stream-event:fin2_invalid_ack; classtype:protocol-command-decode; sid:2210036; rev:2;)
+# very common when looking at midstream traffic after IDS started
+#alert tcp any any -> any any (msg:"SURICATA STREAM FIN recv but no session"; stream-event:fin_but_no_session; classtype:protocol-command-decode; sid:2210037; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN out of window"; stream-event:fin_out_of_window; classtype:protocol-command-decode; sid:2210038; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK with wrong seq"; stream-event:lastack_ack_wrong_seq; classtype:protocol-command-decode; sid:2210039; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK invalid ACK"; stream-event:lastack_invalid_ack; classtype:protocol-command-decode; sid:2210040; rev:2;)
+# very common when looking at midstream traffic after IDS started
+#alert tcp any any -> any any (msg:"SURICATA STREAM RST recv but no session"; stream-event:rst_but_no_session; classtype:protocol-command-decode; sid:2210041; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT invalid ack"; stream-event:timewait_invalid_ack; classtype:protocol-command-decode; sid:2210043; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp"; stream-event:pkt_invalid_timestamp; classtype:protocol-command-decode; sid:2210044; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; classtype:protocol-command-decode; sid:2210045; rev:2;)
+# Broken TCP: ack field non 0, but ACK flag not set. http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set
+# Often result of broken load balancers, firewalls and such.
+#alert tcp any any -> any any (msg:"SURICATA STREAM Packet with broken ack"; stream-event:pkt_broken_ack; classtype:protocol-command-decode; sid:2210051; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack"; stream-event:rst_invalid_ack; classtype:protocol-command-decode; sid:2210046; rev:2;)
+# SYN (re)send during shutdown (closing, closewait, finwait1, finwait2, lastack, timewait states)
+#alert tcp any any -> any any (msg:"SURICATA STREAM SYN resend"; stream-event:shutdown_syn_resend; classtype:protocol-command-decode; sid:2210049; rev:2;)
+# Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on a overloaded link / sensor.
+#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; classtype:protocol-command-decode; sid:2210048; rev:2;)
+alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;)
+# Bad Window Update: see bug 1238 for an explanation
+alert tcp any any -> any any (msg:"SURICATA STREAM bad window update"; stream-event:pkt_bad_window_update; classtype:protocol-command-decode; sid:2210056; rev:1;)
+# RST injection suspected. Alerts on packets *after* the RST, as these indicate the target
+# rejected/ignored the RST.
+alert tcp any any -> any any (msg:"SURICATA STREAM suspected RST injection"; stream-event:suspected_rst_inject; classtype:protocol-command-decode; sid:2210058; rev:1;)
+
+# retransmission detection
+#
+# The rules below match on retransmissions detected in various stages of the
+# stream engine. They are all "noalert" rules that increment the counter
+# tcp.retransmission.count. The last rule sid:2210054 matches if the counter
+# reaches 10. Increase this number if the rule is too noisy.
+#
+# "regular" retransmissions, only count
+alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission packet before last ack"; stream-event:est_pkt_before_last_ack; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210021; rev:3;)
+# retransmission, only count
+alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT retransmission packet before last ack"; stream-event:closewait_pkt_before_last_ack; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210052; rev:3;)
+# retransmission of pkt before reassembly window, only count
+alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq (retransmission)"; stream-event:reassembly_segment_before_base_seq; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210047; rev:2;)
+# count "general" retransmissions
+alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; stream-event:pkt_retransmission; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210053; rev:1;)
+# rule to alert if a stream has excessive retransmissions
+alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
+# Packet on wrong thread. Fires at most once per flow.
+alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+
+# Packet with FIN+SYN set
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
+
+# Packet is a spurious retransmission, so a retransmission of already ACK'd data.
+# Disabled by default as this quite common and not malicious.
+#alert tcp any any -> any any (msg:"SURICATA STREAM spurious retransmission"; stream-event:pkt_spurious_retransmission; classtype:protocol-command-decode; sid:2210061; rev:1;)
+
+# Depth setting reached for a stream. Very common in normal traffic, so disable by default.
+#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly depth reached"; stream-event:reassembly_depth_reached; classtype:protocol-command-decode; sid:2210062; rev:1;)
+
+# next sid 2210065
+
diff --git a/tests/bug-5881-01/test.yaml b/tests/bug-5881-01/test.yaml
new file mode 100644
index 000000000..39fc55d57
--- /dev/null
+++ b/tests/bug-5881-01/test.yaml
@@ -0,0 +1,9 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
-- 
2.47.2
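Review bot: Nothing in this fixture says which of the roughly fifty enabled stream events bug 5881 regresses on, and because the file is a verbatim copy of the stock stream-events.rules it will silently drift from upstream, so a one-line header tying it to the bug would keep the test readable later. Given the subject line ("stream overlap issue") and that `reassembly_overlap_different_data` (sid:2210050) is the only overlap event enabled here, I assume that is the event under test; I would add `# bug 5881: the overlapping segments in input.pcap must not raise reassembly_overlap_different_data (sid:2210050)` above the first rule. Also worth knowing for an `--simulate-ips` run: sid:2210057 is a `drop` rule, so the test's alert count implicitly asserts no data-injection drop either. Minor: sid:2210059 (`wrong_thread`) is the only enabled rule without a `classtype`, harmless for a fixture but a sign the copy predates a cleanup.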
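Review bot: The only check is `count: 0` on `event_type: alert`, so this test also passes when the pcap produces no traffic at all (a decode error, a rule-file load failure, or `-k none` masking a checksum problem), which is the vacuous-pass trap for a zero-count regression test. Pair it with a positive assertion that the TCP flow in input.pcap was actually tracked, so a broken run fails loudly rather than looking green. Narrowing a second filter to `alert.signature_id: 2210050` would additionally document which event the test guards against while the broad zero-count check stays. The `filter`/`count`/`match` nesting in this hunk has been flattened by the collapse, so I cannot confirm the indentation; the sketch below assumes the usual suricata-verify layout and the flow count should be set to the number of TCP flows in the pcap.
```yaml
checks:
  # … unchanged: count: 0 filter on event_type: alert …
  - filter:
      count: 1          # adjust to the number of TCP flows in input.pcap
      match:
        event_type: flow
        proto: TCP
```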