diff --git a/tests/detection_filter-distinct-dstip-higher-threshold/README.md b/tests/detection_filter-distinct-dstip-higher-threshold/README.md
new file mode 100644
index 000000000..fe6843f57
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-higher-threshold/README.md
@@ -0,0 +1,20 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip using a higher
+threshold (count 3).
+
+Rule uses count 3, meaning it alerts after seeing more than 3 distinct destination IPs
+for the same source host (track by_src). The PCAP contains ICMP traffic from 10.0.0.1
+to 4 different destination IPs (192.168.1.1 through 192.168.1.4), plus one duplicate,
+so the distinct counter exceeds the threshold (4 > 3) and one alert is expected
+(sid 100027).
+
+Why this matters
+---------------
+Complements the count-1 test by verifying that higher thresholds work correctly:
+the engine must accumulate enough distinct IPs before alerting, and duplicates
+must not inflate the count.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-dstip-higher-threshold/input.pcap b/tests/detection_filter-distinct-dstip-higher-threshold/input.pcap
new file mode 100644
index 000000000..e85b45ff7
Binary files /dev/null and b/tests/detection_filter-distinct-dstip-higher-threshold/input.pcap differ
diff --git a/tests/detection_filter-distinct-dstip-higher-threshold/test.rules b/tests/detection_filter-distinct-dstip-higher-threshold/test.rules
new file mode 100644
index 000000000..202eb935a
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-higher-threshold/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >3 distinct destination IPs (unique_on dst_ip, count 3)
+alert ip any any -> any any (msg:"DF distinct dst_ip higher threshold"; detection_filter: track by_src, count 3, seconds 60, unique_on dst_ip; sid:100027; rev:1;)
diff --git a/tests/detection_filter-distinct-dstip-higher-threshold/test.yaml b/tests/detection_filter-distinct-dstip-higher-threshold/test.yaml
new file mode 100644
index 000000000..2d24e18f6
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-higher-threshold/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100027
diff --git a/tests/detection_filter-distinct-dstip-no-dups/README.md b/tests/detection_filter-distinct-dstip-no-dups/README.md
new file mode 100644
index 000000000..e08c2b20c
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-no-dups/README.md
@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on dst_ip does not trigger when
+the number of distinct destination IPs stays below the threshold.
+
+Rule requires 3 distinct destination IPs for the same source host (track by_src).
+The PCAP only has 2 distinct destination IPs, so the threshold is not reached
+and no alerts are expected (sid 100022).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of dst IPs do not produce alerts
+when distinct counting (unique_on dst_ip) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-dstip-no-dups/input.pcap b/tests/detection_filter-distinct-dstip-no-dups/input.pcap
new file mode 100644
index 000000000..7e7e7e0cd
Binary files /dev/null and b/tests/detection_filter-distinct-dstip-no-dups/input.pcap differ
diff --git a/tests/detection_filter-distinct-dstip-no-dups/test.rules b/tests/detection_filter-distinct-dstip-no-dups/test.rules
new file mode 100644
index 000000000..1def15074
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-no-dups/test.rules
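Review bot: The `count: 1` expectation for sid 100027 holds only for one ordering of the five packets, and neither this file nor the README records that ordering. A detection_filter normally raises an alert on every match once the threshold has been exceeded, so if the duplicate destination arrives after the fourth distinct one, the duplicate packet may raise a second alert unless unique_on suppresses matches that add no new address; if the duplicate precedes it, exactly one alert follows. Since this is the only test in the set that contains a duplicate, the match block should also pin the packet that is expected to fire, e.g. `dest_ip: 192.168.1.4` next to `alert.signature_id: 100027` if that is the last new destination in the capture, and the README should state the packet order so the expectation is not silently dependent on it.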
@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct dst IPs present but threshold is 3
+alert ip any any -> any any (msg:"DF distinct dst_ip no dup"; detection_filter: track by_src, count 3, seconds 60, unique_on dst_ip; sid:100022; rev:1;)
diff --git a/tests/detection_filter-distinct-dstip-no-dups/test.yaml b/tests/detection_filter-distinct-dstip-no-dups/test.yaml
new file mode 100644
index 000000000..4ba21b659
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip-no-dups/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100022
diff --git a/tests/detection_filter-distinct-dstip/README.md b/tests/detection_filter-distinct-dstip/README.md
new file mode 100644
index 000000000..91cd5d299
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip/README.md
@@ -0,0 +1,19 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct destination IP
+for the same source host (track by_src). The PCAP contains ICMP traffic from 10.0.0.1
+to 2 different destination IPs (192.168.1.1 and 192.168.1.2), so the distinct counter
+exceeds the threshold (2 > 1) and one alert is expected (sid 100021).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on dst_ip behavior added in Suricata.
+This test ensures that different dst IPs contribute separately toward the threshold
+while duplicate IPs do not. Uses ICMP to demonstrate that IP-based unique_on works
+with any protocol (unlike port-based unique_on which requires tcp/udp/sctp).
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
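Review bot: The comment `## Expect 0 alerts: only 2 distinct dst IPs present but threshold is 3` and its twin in tests/detection_filter-distinct-srcip-no-dups/test.rules describe a capture that cannot distinguish "at least count" from "more than count": with two distinct destinations neither semantics fires, so a regression that alerts at exactly three distinct addresses would still pass. The positive tests document the rule as firing only after more than count distinct addresses, so the informative negative boundary is a capture with exactly three distinct destinations, which should still yield zero alerts. The directory name no-dups also does not match the README, which reasons about duplicates that neither the rule comment nor the stated packet content mentions. Consider `## Expect 0 alerts: 2 distinct dst IPs, rule fires only after >3 (count 3)` and stating in the README whether the capture contains repeated destinations.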
diff --git a/tests/detection_filter-distinct-dstip/input.pcap b/tests/detection_filter-distinct-dstip/input.pcap
new file mode 100644
index 000000000..7fffcd1c5
Binary files /dev/null and b/tests/detection_filter-distinct-dstip/input.pcap differ
diff --git a/tests/detection_filter-distinct-dstip/test.rules b/tests/detection_filter-distinct-dstip/test.rules
new file mode 100644
index 000000000..e0e7504df
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct destination IPs (unique_on dst_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct dst_ip"; detection_filter: track by_src, count 1, seconds 60, unique_on dst_ip; sid:100021; rev:1;)
diff --git a/tests/detection_filter-distinct-dstip/test.yaml b/tests/detection_filter-distinct-dstip/test.yaml
new file mode 100644
index 000000000..23433c20d
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100021
diff --git a/tests/detection_filter-distinct-dstip6/README.md b/tests/detection_filter-distinct-dstip6/README.md
new file mode 100644
index 000000000..dbed72df5
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip6/README.md
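Review bot: With `count 1` and a capture the README describes as traffic from 10.0.0.1 to two destinations, `count: 1` for sid 100021 would also pass for a detection_filter without unique_on, because the second packet from the same source exceeds a plain count of 1 regardless of its destination; the same applies to the IPv6 and src_ip variants (sids 100025, 100023 and 100026). The check only demonstrates distinct counting if the capture repeats a destination before the second distinct one appears, and the README does not say whether it does. If it does, match the triggering packet as well, e.g. `dest_ip: 192.168.1.2` under `match:` (or `src_ip: 10.0.0.2` in the src_ip variant), so that an alert raised on a repeated-destination packet fails the test; if it does not, the capture should gain such a repeat before the test is meaningful.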
@@ -0,0 +1,18 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip for IPv6 addresses.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct destination IPv6
+address for the same source host (track by_src). The PCAP contains ICMPv6 traffic from
+2001:db8::1 to 2 different destination IPs (2001:db8::100 and 2001:db8::101), so the
+distinct counter exceeds the threshold (2 > 1) and one alert is expected (sid 100025).
+
+Why this matters
+---------------
+Ensures that the unique_on dst_ip feature works correctly with IPv6 addresses.
+This validates that the hash table tracking mechanism handles 128-bit IPv6 addresses
+properly.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-dstip6/input.pcap b/tests/detection_filter-distinct-dstip6/input.pcap
new file mode 100644
index 000000000..e5e635b3e
Binary files /dev/null and b/tests/detection_filter-distinct-dstip6/input.pcap differ
diff --git a/tests/detection_filter-distinct-dstip6/test.rules b/tests/detection_filter-distinct-dstip6/test.rules
new file mode 100644
index 000000000..c5dcb1646
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip6/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct destination IPv6 addresses (unique_on dst_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct dst_ip IPv6"; detection_filter: track by_src, count 1, seconds 60, unique_on dst_ip; sid:100025; rev:1;)
diff --git a/tests/detection_filter-distinct-dstip6/test.yaml b/tests/detection_filter-distinct-dstip6/test.yaml
new file mode 100644
index 000000000..0062e9fcf
--- /dev/null
+++ b/tests/detection_filter-distinct-dstip6/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100025
diff --git a/tests/detection_filter-distinct-srcip-no-dups/README.md b/tests/detection_filter-distinct-srcip-no-dups/README.md
new file mode 100644
index 000000000..d70813fde
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip-no-dups/README.md
@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on src_ip does not trigger when
+the number of distinct source IPs stays below the threshold.
+
+Rule requires 3 distinct source IPs for the same destination host (track by_dst).
+The PCAP only has 2 distinct source IPs, so the threshold is not reached
+and no alerts are expected (sid 100024).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of src IPs do not produce alerts
+when distinct counting (unique_on src_ip) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-srcip-no-dups/input.pcap b/tests/detection_filter-distinct-srcip-no-dups/input.pcap
new file mode 100644
index 000000000..7e1234d10
Binary files /dev/null and b/tests/detection_filter-distinct-srcip-no-dups/input.pcap differ
diff --git a/tests/detection_filter-distinct-srcip-no-dups/test.rules b/tests/detection_filter-distinct-srcip-no-dups/test.rules
new file mode 100644
index 000000000..87c6d5bc8
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip-no-dups/test.rules
@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct src IPs present but threshold is 3
+alert ip any any -> any any (msg:"DF distinct src_ip no dup"; detection_filter: track by_dst, count 3, seconds 60, unique_on src_ip; sid:100024; rev:1;)
diff --git a/tests/detection_filter-distinct-srcip-no-dups/test.yaml b/tests/detection_filter-distinct-srcip-no-dups/test.yaml
new file mode 100644
index 000000000..f55c89d31
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip-no-dups/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100024
diff --git a/tests/detection_filter-distinct-srcip/README.md b/tests/detection_filter-distinct-srcip/README.md
new file mode 100644
index 000000000..3f0225405
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip/README.md
@@ -0,0 +1,19 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_ip.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source IP
+for the same destination host (track by_dst). The PCAP contains ICMP traffic from
+2 different source IPs (10.0.0.1 and 10.0.0.2) to 192.168.1.100, so the distinct
+counter exceeds the threshold (2 > 1) and one alert is expected (sid 100023).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on src_ip behavior added in Suricata.
+This test ensures that different src IPs contribute separately toward the threshold
+while duplicate IPs do not. Uses ICMP to demonstrate that IP-based unique_on works
+with any protocol (unlike port-based unique_on which requires tcp/udp/sctp).
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-srcip/input.pcap b/tests/detection_filter-distinct-srcip/input.pcap
new file mode 100644
index 000000000..ce321e816
Binary files /dev/null and b/tests/detection_filter-distinct-srcip/input.pcap differ
diff --git a/tests/detection_filter-distinct-srcip/test.rules b/tests/detection_filter-distinct-srcip/test.rules
new file mode 100644
index 000000000..b05819269
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct source IPs (unique_on src_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct src_ip"; detection_filter: track by_dst, count 1, seconds 60, unique_on src_ip; sid:100023; rev:1;)
diff --git a/tests/detection_filter-distinct-srcip/test.yaml b/tests/detection_filter-distinct-srcip/test.yaml
new file mode 100644
index 000000000..4e63cfb1a
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100023
diff --git a/tests/detection_filter-distinct-srcip6/README.md b/tests/detection_filter-distinct-srcip6/README.md
new file mode 100644
index 000000000..8704ce966
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip6/README.md
@@ -0,0 +1,18 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_ip for IPv6 addresses.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source IPv6
+address for the same destination host (track by_dst). The PCAP contains ICMPv6 traffic
+from 2 different source IPs (2001:db8::1 and 2001:db8::2) to 2001:db8::100, so the
+distinct counter exceeds the threshold (2 > 1) and one alert is expected (sid 100026).
+
+Why this matters
+---------------
+Ensures that the unique_on src_ip feature works correctly with IPv6 addresses.
+This validates that the hash table tracking mechanism handles 128-bit IPv6 addresses
+properly.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-srcip6/input.pcap b/tests/detection_filter-distinct-srcip6/input.pcap
new file mode 100644
index 000000000..4d8f14bda
Binary files /dev/null and b/tests/detection_filter-distinct-srcip6/input.pcap differ
diff --git a/tests/detection_filter-distinct-srcip6/test.rules b/tests/detection_filter-distinct-srcip6/test.rules
new file mode 100644
index 000000000..b16f1c563
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip6/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct source IPv6 addresses (unique_on src_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct src_ip IPv6"; detection_filter: track by_dst, count 1, seconds 60, unique_on src_ip; sid:100026; rev:1;)
diff --git a/tests/detection_filter-distinct-srcip6/test.yaml b/tests/detection_filter-distinct-srcip6/test.yaml
new file mode 100644
index 000000000..c217a2d00
--- /dev/null
+++ b/tests/detection_filter-distinct-srcip6/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100026