From bc6c679bbe8c65d6e9c2c87e8c732df422d48229 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Tue, 15 Jul 2025 10:14:13 +0200
Subject: [PATCH] tcp: fast open detection on first packet when inline

Ticket: 6744
---
 tests/tcp-fastopen-13/README.md  |  11 +++++++++++
 tests/tcp-fastopen-13/test.rules |   1 +
 tests/tcp-fastopen-13/test.yaml  |  13 +++++++++++++
 tests/tcp-fastopen-13/tfo.pcap   | Bin 0 -> 2101 bytes
 4 files changed, 25 insertions(+)
 create mode 100644 tests/tcp-fastopen-13/README.md
 create mode 100644 tests/tcp-fastopen-13/test.rules
 create mode 100644 tests/tcp-fastopen-13/test.yaml
 create mode 100644 tests/tcp-fastopen-13/tfo.pcap

diff --git a/tests/tcp-fastopen-13/README.md b/tests/tcp-fastopen-13/README.md
new file mode 100644
index 000000000..d2c7e7f14
--- /dev/null
+++ b/tests/tcp-fastopen-13/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Test fast-open with stream.inline to test detection on first packet
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6744
+
+# Pcap
+
+part of tcp-fastopen-03/tfo.pcap
diff --git a/tests/tcp-fastopen-13/test.rules b/tests/tcp-fastopen-13/test.rules
new file mode 100644
index 000000000..bc92c5ee6
--- /dev/null
+++ b/tests/tcp-fastopen-13/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.uri; content:"/index.php"; sid:1;)
diff --git a/tests/tcp-fastopen-13/test.yaml b/tests/tcp-fastopen-13/test.yaml
new file mode 100644
index 000000000..c343439cb
--- /dev/null
+++ b/tests/tcp-fastopen-13/test.yaml
@@ -0,0 +1,13 @@
+requires:
+  min-version: 9
+
+args:
+  - --set stream.inline=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pcap_cnt: 1
diff --git a/tests/tcp-fastopen-13/tfo.pcap b/tests/tcp-fastopen-13/tfo.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ce1cee8611fb73d82feaf9e0af48c44b156321a3
GIT binary patch
literal 2101
zc-nncO>7%Q6dtEZsn)efIdNl8h*Ys>*FQ-!0@1pyQnf_2NQ#gUg7xmyUSZE}c6Q@+
zPPuTX_-QU6PW&8*ii8jfsN#r(Dj^P~5*&)el^e~0OIsl&yf@?2zr-`MdT-{NZ@ztR
z_WAdpcE6Y+)1?2KCK-6%_~E0~kLy|THP|@F$+`CJO;UU9N0K=~E)w$TgZ;DQ?D6%6
z;kp?Z`TKjM_V@m~Zy@;IR5ZJ}PRP{s%=gn%Ck*mO^Glr196R>Z{>jHTo`3G!x9|RP
zdwcofnn|fIJf0T9X83aGH26z}0@a<zE)5+iJDz!IZLLP_f|WC_Ngn0THMoeG>29WR
zQRa+uuFFI4Pt(&mBWIv??q<nlI1z_dt=~Xte~}Q>{?^Z^8}*ag{k<#oe<bMN{rs7A
z^Xbp}+7AvMJwpAU{Wvmz0?bt)txk$c`N4sT%Ds`O>;ikdHB0{b2I7#(=!hUQGG>!3
zd2@!SF{*Xus_{ND*5*dE#>l$$Z062yS<MJ+kCC+(D%&htmU;C`&RFHq29KC28oo$j
zWdXx@!HGFDSDkp?v=+_Fi2%4=Hf@^~E6iFlmsi$u#`!?R5a|3`Hw19Z)0j5nc1tY?
z?#6x~APKEN@|^K{z7}+N#JzmA%goxP8m$y61-qCpVoIVQh*`=kXv(DeS@#94JF;nb
z4sQcl%4}#ohbA(j5+Hqxil7z1YZy42vLZCKJ{cst5<n$rXi<-EOauuRP-V7Isg%l0
zx%7~fqH8pqHb<rkTd<gR6wiP;MA>#w+yb+U3{AS>MAUWMCa20B!?!|!FG2%Dfn^v3
zE!qmbiR69@;AfyIQ*F@J7*_BO>Ry7T%mH%kkL^ej7sc2XcI6E0(f-(;FbdKxZYp8d
z-v4Bz)9K_rCw4F`CG1Zo)G^>q%C+OZlb|X{5A>d^HfVd&i?n=+7p`;$`wE1|7Y*|j
zm^4=$0aYf_1PV63+mG;0l$NlA?P+k72&%oY4GrPM80xZ(eHlHonl$pS@-T>EJbSe(
zW8OAjaJ;rJ<_=G<Q@wLS?t*&YVOaIO)X&}|fCNuLI#$6+?_N(5-&1+SMB1!>+~JzO
z-A&^HultV316y0+;rp}7Y%uG%RMz<GPD^q_#!jrsi#=I=dU0J2LgD+65bSy)6&@~#
zwaEIx^l)JSo<MEasxAG%iTU|?Mw>yKQ?=Z$8B#X2jPj5SBvwn~fx%+?UUF3V-cx@J
z>%Wed?}s;`eE<7Z^rU?6V8KPkKL;5{|7yy{2grEs{BZexcvF?{Q<*!rZVi`jWVAa+
pYRo8&cPD7v-Z}*u!*PvKdZfk=mB#9b#%*BzZfh1a?hI+%`43^huw(!L

literal 0
Hc-jL100001

-- 
2.47.3