diff --git a/rules/stream-events.rules b/rules/stream-events.rules
index fe4c6cb00e..21feab9dc8 100644
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@@ -15,6 +15,11 @@ alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive diff
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; classtype:protocol-command-decode; sid:2210008; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; classtype:protocol-command-decode; sid:2210009; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;)
+# suspected data injection by sending data packet right after the SYN/ACK,
+# this to make sure network inspection reject tools reject it as it's
+# before the 3whs is complete. Only set in IPS mode. Drops unconditionally
+# in the code, so can't be made not to drop.
+drop tcp any any -> any any (msg:"SURICATA STREAM 3way handshake toclient data injection suspected"; flow:to_client; stream-event:3whs_ack_data_inject; classtype:protocol-command-decode; sid:2210057; rev:1;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong ACK"; stream-event:4whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210011; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong SYN"; stream-event:4whs_synack_with_wrong_syn; classtype:protocol-command-decode; sid:2210012; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; stream-event:4whs_wrong_seq; classtype:protocol-command-decode; sid:2210013; rev:2;)
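Review bot: The explanatory comment above the new `drop` rule is hard to parse ("network inspection reject tools reject it") and does not say what the rule action can and cannot influence. Suggest rewording it as `# Data segment seen right after the SYN/ACK, before the 3whs has completed: suspected injection intended to be ignored by inspection tools.` followed by `# The stream engine sets this event only in IPS (inline) mode and drops the packet itself; the action on this rule cannot change that.`. The `flow:to_client` constraint is consistent with the event name, but the direction test itself is not visible in the stream-tcp.c hunk, so it should be confirmed against that code path.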
@@ -81,5 +86,5 @@ alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; st
 # rule to alert if a stream has excessive retransmissions
 alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
-# next sid 2210057
+# next sid 2210058
diff --git a/src/decode-events.c b/src/decode-events.c
index 9d08284f5f..51548f1867 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -196,6 +196,7 @@ const struct DecodeEvents_ DEvents[] = {
     { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
     { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
     { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
+    { "stream.3whs_ack_data_inject", STREAM_3WHS_ACK_DATA_INJECT, },
     { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
     { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
     { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
diff --git a/src/decode-events.h b/src/decode-events.h
index c899c901f0..70afbd7a28 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -206,6 +206,7 @@ enum {
     STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV,
     STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV,
     STREAM_3WHS_WRONG_SEQ_WRONG_ACK,
+    STREAM_3WHS_ACK_DATA_INJECT,
     STREAM_4WHS_SYNACK_WITH_WRONG_ACK,
     STREAM_4WHS_SYNACK_WITH_WRONG_SYN,
     STREAM_4WHS_WRONG_SEQ,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 34a833e6c8..03e16d48ec 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
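Review bot: `STREAM_3WHS_ACK_DATA_INJECT` is inserted in the middle of the anonymous enum in decode-events.h, which renumbers every constant that follows it; nothing in the hunk shows the integer values being exported, but if any output, test fixture or external consumer keys on the numeric event id rather than on the `stream.3whs_ack_data_inject` name resolved through `DEvents[]`, appending at the end of the STREAM_ group would be the safer choice. The matching `DEvents[]` entry in decode-events.c ties the two together by name, so a short comment on the enum such as `/* keep in sync with DEvents[] in decode-events.c */` would help the next addition stay consistent. Both the enum and the table begin before and end after their respective hunks.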
@@ -1854,9 +1854,17 @@ static int StreamTcpPacketStateSynRecv(ThreadVars *tv, Packet *p,
              * careful. */
             if (StreamTcpInlineMode()) {
+                if (p->payload_len > 0 &&
+                        SEQ_EQ(TCP_GET_ACK(p), ssn->client.last_ack) &&
+                        SEQ_EQ(TCP_GET_SEQ(p), ssn->server.next_seq)) {
+                    /* packet loss is possible but unlikely here */
+                    SCLogDebug("ssn %p: possible data injection", ssn);
+                    StreamTcpSetEvent(p, STREAM_3WHS_ACK_DATA_INJECT);
+                    return -1;
+                }
+
                 SCLogDebug("ssn %p: ACK received in the wrong direction", ssn);
-                StreamTcpSetEvent(p, STREAM_3WHS_ACK_IN_WRONG_DIR);
                 return -1;
             }
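Review bot: The new injection check compares the packet's ACK with `ssn->client.last_ack` and its SEQ with `ssn->server.next_seq`, but the only comment (`packet loss is possible but unlikely here`) does not say what those two equalities establish, so a reader cannot tell why matching both, together with a non-empty payload, marks the segment as suspect rather than as the server's first legitimate data. A comment along the lines of `/* presumably to-client data that acks exactly what the client sent so far and starts at the server's next seq while we are still in SYN_RECV: treat as injection before the 3whs completed */` would make the intent explicit, and it should also note that rejection happens through the `return -1` path (the rules file states this always drops in inline mode, which is not visible here). With the `STREAM_3WHS_ACK_IN_WRONG_DIR` event removed, the remaining wrong-direction ACK case in inline mode now returns -1 with only a debug log and no event; if that silence is deliberate because the server's ACK may legitimately precede the client's, a one-line comment saying so would stop it reading as an accidental loss of the event. StreamTcpPacketStateSynRecv starts before and continues after this hunk.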