diff --git a/CHANGES b/CHANGES
index 87254a38a9..058da63d7a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5.1.0-dev.56 | 2022-06-16 15:57:19 -0700
+
+  * flip connections that begin with SYN-ACKs if subsequent acks or data seen (Vern Paxson, Corelight)
+
 5.1.0-dev.53 | 2022-06-16 14:27:54 -0700
 
   * Revert "Merge remote-tracking branch 'turrisxyz/Dependabot-GitHub-Actions'" (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 4ac9d04461..cab51aaf59 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.53
+5.1.0-dev.56
diff --git a/src/Conn.h b/src/Conn.h
index 960df18129..9abfefa331 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -230,6 +230,9 @@ public:
 
 	void AddHistory(char code) { history += code; }
 
+	const std::string& GetHistory() const { return history; }
+	void ReplaceHistory(std::string new_h) { history = std::move(new_h); }
+
 	// Sets the root of the analyzer tree as well as the primary PIA.
 	void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
 	packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index d0a50d862f..67c40e9d2c 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -257,6 +257,29 @@ void TCP_Endpoint::SetContentsFile(FilePtr f)
 
 bool TCP_Endpoint::CheckHistory(uint32_t mask, char code)
 	{
+	auto conn = Conn();
+
+	if ( (code == 'A' || code == 'D') && conn->GetHistory() == "H" )
+		{
+		// This is a connection that began with a SYN-ACK rather
+		// than a SYN.  Those don't get flipped (unless they have
+		// the right combination of likely-server ports) because
+		// they can arise from stealth scans, and for those the
+		// SYN-ACK sender *is* the originator.
+		//
+		// In addition, we're now seeing productive TCP traffic
+		// (either a pure ack or a data segment).  Regardless of
+		// whether it's coming from the nominal originator or the
+		// nominal responder, its presence makes it a lot less likely
+		// that the initial SYN-ACK represented a stealth scan,
+		// since if those elicit anything, it should be a RST.
+		//
+		// Thus, at this stage we go ahead and flip the connection.
+		// We then fix up the history (which will initially be "H^").
+		conn->FlipRoles();
+		conn->ReplaceHistory("^h");
+		}
+
 	if ( ! IsOrig() )
 		{
 		mask <<= 16;
diff --git a/testing/btest/Baseline/core.tcp.truncated-header/out b/testing/btest/Baseline/core.tcp.truncated-header/out
index 9e3abe82d0..ed29ac6e7a 100644
--- a/testing/btest/Baseline/core.tcp.truncated-header/out
+++ b/testing/btest/Baseline/core.tcp.truncated-header/out
@@ -1,24 +1,24 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 569fc23187..db3b63b2c7 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-76a9ffd27c15ff1603216ee77f59cc9d515747c6
+d8088ba741389aa092b5fb284d0849401234809f