From c90f481248d0bf1571aaf5586d5de454d26b0882 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 22 Jan 2026 12:45:49 -0300
Subject: [PATCH 1/3] detect: minor - typo fix

---
 src/detect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/detect.c b/src/detect.c
index f2f9b227f230..c10b30991188 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2269,7 +2269,7 @@ static void DetectFlow(ThreadVars *tv,
 skip = (p->flags & PKT_NOPACKET_INSPECTION || f->flags & (FLOW_ACTION_PASS));
 }
 if (skip) {
- /* enfore prior accept:flow */
+ /* enforce prior accept:flow */
 if (f->flags & FLOW_ACTION_ACCEPT) {
 p->action |= ACTION_ACCEPT;
 }
From 8df8eaa3c85913f59501ca7a670599f9e22c189d Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 22 Jan 2026 12:46:12 -0300
Subject: [PATCH 2/3] detect: account for midstream sessions

In corner case scenarios of the engine seeing a single-packet flow started midstream, it would skip certain inspections for the packet due to TCP connection not being established yet. This led to the possibility of a real packet not being blocked, in iPS, or matched against rules, as the corresponding portion of the stream was only inspected later, as part of the stream/flow-timeout logic. Checking if midstream is enabled allows the engine to inspect that traffic earlier, and block the corresponding packet, if need be. Related to Bug #5180
---
 src/detect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/detect.c b/src/detect.c
index c10b30991188..cb80579129d5 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -157,7 +157,7 @@ static void DetectRun(ThreadVars *th_v,
 /* run tx/state inspection. Don't call for ICMP error msgs. */
 if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
 if (p->proto == IPPROTO_TCP) {
- if ((p->flags & PKT_STREAM_EST) == 0) {
+ if ((p->flags & PKT_STREAM_EST) == 0 && !stream_config.midstream) {
 SCLogDebug("packet %" PRIu64 ": skip tcp non-established", p->pcap_cnt);
 DetectRunAppendDefaultAccept(det_ctx, p);
 goto end;
From 59d6c4910974ad2233e4bdea9d3e8168ced90eb5 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 22 Jan 2026 12:51:09 -0300
Subject: [PATCH 3/3] detect/build: add more rule types to init report

During initialization, the engine reports how many rules were loaded, as well as which types. Pkt-only or stream-pkt rules would cause a "hole" in such stats, as they're not counted.
---
 src/detect-engine-build.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 4c6278bce459..a217f566f8ad 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1724,6 +1724,8 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
 {
 uint32_t cnt_iponly = 0;
 uint32_t cnt_payload = 0;
+ uint32_t cnt_packet = 0;
+ uint32_t cnt_packet_stream = 0;
 uint32_t cnt_applayer = 0;
 uint32_t cnt_deonly = 0;
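Review bot: The added `!stream_config.midstream` clause changes an IPS-relevant decision without a comment saying why, and the skip branch below it still logs only the skip case, so when midstream is on the fall-through to tx/state inspection leaves no trace at debug level. A why-comment on the changed line would help the next reader: `/* midstream: a flow can hold app-layer state before PKT_STREAM_EST; inspect now rather than at flow timeout (Bug #5180) */`. It is also worth confirming whether async-oneside sessions, which can likewise lack the established flag, need the same exception or are deliberately left on the old path. The enclosing DetectRun body continues outside the hunk.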
@@ -1752,6 +1754,12 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
 } else if (SignatureIsInspectingPayload(de_ctx, s) == 1) {
 SCLogDebug("Signature %"PRIu32" is considered \"Payload inspecting\"", s->id);
 cnt_payload++;
+ } else if (s->type == SIG_TYPE_PKT) {
+ SCLogDebug("Signature %" PRIu32 " is considered \"Packet inspecting\"", s->id);
+ cnt_packet++;
+ } else if (s->type == SIG_TYPE_PKT_STREAM) {
+ SCLogDebug("Signature %" PRIu32 " is considered \"Packet-stream inspecting\"", s->id);
+ cnt_packet_stream++;
 } else if (s->type == SIG_TYPE_DEONLY) {
 SCLogDebug("Signature %"PRIu32" is considered \"Decoder Event only\"", s->id);
 cnt_deonly++;
@@ -1812,14 +1820,19 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
 if (strlen(de_ctx->config_prefix) > 0)
 SCLogInfo("tenant id %d: %" PRIu32 " signatures processed. %" PRIu32 " are IP-only "
 "rules, %" PRIu32 " are inspecting packet payload, %" PRIu32
- " inspect application layer, %" PRIu32 " are decoder event only",
+ " inspect application layer, %" PRIu32 " are decoder event only, %" PRIu32
+ " are packet inspecting,"
+ " %" PRIu32 " are packet-stream inspecting",
 de_ctx->tenant_id, de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer,
- cnt_deonly);
+ cnt_deonly, cnt_packet, cnt_packet_stream);
 else
 SCLogInfo("%" PRIu32 " signatures processed. %" PRIu32 " are IP-only "
 "rules, %" PRIu32 " are inspecting packet payload, %" PRIu32
- " inspect application layer, %" PRIu32 " are decoder event only",
- de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly);
+ " inspect application layer, %" PRIu32 " are decoder event only %" PRIu32
+ " are packet inspecting,"
+ " %" PRIu32 " are packet-stream inspecting", de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly, cnt_packet,
+ cnt_packet_stream);
 SCLogConfig("building signature grouping structure, stage 1: "
 "preprocessing rules... complete");
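Review bot: The chain now counts SIG_TYPE_PKT and SIG_TYPE_PKT_STREAM, but any other `s->type` that is neither payload-inspecting nor decoder-event-only still falls through uncounted, so the "hole" the commit message describes is narrowed rather than closed. If the branches below the hunk end without a trailing `else`, one that at least records the miss would make future gaps visible: `} else { SCLogDebug("Signature %" PRIu32 " of type %u is not counted", s->id, (unsigned)s->type); }`. The rest of the if/else chain and the enclosing SigPrepareStage1 lie outside the hunk, so this is a question to confirm rather than a verified gap.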
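Review bot: The non-tenant format on the new line `" inspect application layer, %" PRIu32 " are decoder event only %" PRIu32` drops the comma that the tenant branch has after "decoder event only", so that log reads "... are decoder event only 3 are packet inspecting, ..."; change it to `" inspect application layer, %" PRIu32 " are decoder event only, %" PRIu32`. The two SCLogInfo calls carry the same seven-counter tail and drifted in exactly this way, so keeping the shared suffix in one `static const char` format and emitting the tenant prefix separately would prevent the next divergence. As far as the hunk shows, the argument lists of both calls match their conversion specifiers.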