diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 13712fb9e7..88be52abc2 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -251,14 +251,14 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* set verdict on packet */
 p->action |= p->alerts.alerts[i].action;
- if (p->alerts.alerts[i].action & ACTION_PASS) {
+ if (p->action & ACTION_PASS) {
 /* Ok, reset the alert cnt to end in the previous of pass
 * so we ignore the rest with less prio */
 p->alerts.cnt = i;
 break;
 /* if the signature wants to drop, check if the
 * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
- } else if (p->alerts.alerts[i].action & ACTION_DROP &&
+ } else if (p->action & ACTION_DROP &&
 ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
 (s->flags & SIG_FLAG_APPLAYER)) &&
 p->flow != NULL)
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index f6721577c0..6d136083c9 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -360,6 +360,8 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 {
 SCLogDebug("rate_filter");
+ ret = 1;
+
 if (lookup_tsh != NULL) {
 /* Check if we have a timeout enabled, if so,
 * we still matching (and enabling the new_action) */
@@ -392,7 +394,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 /* Update the matching state with the timeout interval */
 if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
 lookup_tsh->current_count++;
- if (lookup_tsh->current_count >= td->count) {
+ if (lookup_tsh->current_count > td->count) {
 /* Then we must enable the new action by setting a
 * timeout */
 lookup_tsh->tv_timeout = p->ts.tv_sec;
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 5df793e554..c4d238a08e 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
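Review bot: In PacketAlertFinalize (src/detect-engine-alert.c) both rewritten tests now read `p->action`, which the line just above ORs together across every alert in the loop, so they no longer describe only the signature at index i. Once any earlier alert, or presumably code outside this loop such as the rate_filter handling touched in the same commit, has set ACTION_DROP, a later alert-only signature with SIG_FLAG_APPLAYER enters the drop branch, and an ACTION_PASS bit inherited the same way truncates `p->alerts.cnt` for every lower-priority alert, which on an inline sensor is a detection gap worth ruling out. The comment "if the signature wants to drop" is now stale; I would reword it to `/* if the packet verdict so far is drop (may come from an earlier alert or rate_filter, not only this signature), check ... */`. The loop header and the body of the drop branch lie outside the hunk, so the effect on the flow is inferred rather than read.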
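Review bot: The new `ret = 1;` at the top of the rate_filter case in ThresholdHandlePacketHost (first hunk of src/detect-engine-threshold.c) carries no comment, and it changes the return value for every path in the case that does not assign `ret` afterwards. Assuming the return value tells the caller whether to raise the alert, this makes rate_filter always alert and only switch the action, which should be stated, e.g. `/* rate_filter never suppresses the alert; it only swaps in new_action while the limit is exceeded */`. The rest of the case is outside the hunk, so whether any branch still resets `ret` to 0 cannot be checked from here.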
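Review bot: Changing `>=` to `>` in the second hunk of src/detect-engine-threshold.c moves the point at which new_action takes effect from the td->count-th match in the window to the match after it, and nothing in the hunk records that this boundary is deliberate. For a rate_filter whose new action is drop, that is one more matching packet passed before enforcement, so it deserves a comment such as `/* new_action applies once more than td->count matches are seen within td->seconds */` and a unit test at exactly count and count + 1. The branch that creates or resets the entry is outside the hunk; its initial `current_count` decides where the boundary really falls.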
@@ -481,6 +481,10 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
 if (ByteExtractStringUint32(&parsed_count, 10, strlen(th_count), th_count) <= 0) {
 goto error;
 }
+ if (parsed_count == 0) {
+ SCLogError(SC_ERR_INVALID_VALUE, "rate filter count should be > 0");
+ goto error;
+ }
 if (ByteExtractStringUint32(&parsed_seconds, 10, strlen(th_seconds), th_seconds) <= 0) {
 goto error;
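Review bot: Only `parsed_count` gets a zero check here; `parsed_seconds`, parsed on the very next lines, can still be 0. The window test shown in this commit's threshold hunk is `(p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds`, which presumably never holds for a zero interval, so such a rule would load cleanly and then silently never escalate. I would add the matching guard after the seconds parse: `if (parsed_seconds == 0) { SCLogError(SC_ERR_INVALID_VALUE, "rate filter seconds should be > 0"); goto error; }`. SCThresholdConfAddThresholdtype starts and ends outside the hunk, so it is not visible whether this branch is reached only for rate_filter rules; if threshold and limit types share it, the message should not say "rate filter".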