This can’t be done in a single rule; instead you’ll need an alert rule that matches on the SYN pkts and then a rate_filter threshold rule (in threshold.config) that dynamically changes it to a drop rule: https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/global-thresholds.html#rate-filter
See also Rules - limiting traffic to a specific time
The http protocol shouldn’t be used in such a rule btw; in a SYN packet we normally don’t know what the protocol will be yet.
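
The two pieces described in the reply above, as an added example that is not part of the original post: an alert rule on bare SYN packets and a rate_filter entry that switches it to drop. The sid, the port, the $HOME_NET destination and the count/seconds/timeout values are assumptions chosen for illustration.

```conf
# --- local.rules (constructed example) ---
# Alert on TCP packets with only the SYN flag set. The rule uses "tcp",
# not "http": the application protocol is not yet known at SYN time.
# sid 1000001 and port 80 are placeholder values.
alert tcp any any -> $HOME_NET 80 (msg:"Inbound TCP SYN"; flags:S; sid:1000001; rev:1;)

# --- threshold.config (constructed example) ---
# Once one source triggers sid 1000001 100 times within 10 seconds,
# treat the rule as "drop" for that source for the next 60 seconds.
# count, seconds and timeout are assumed values; tune them to the traffic.
rate_filter gen_id 1, sig_id 1000001, track by_src, count 100, seconds 10, new_action drop, timeout 60
```

The drop action only takes effect when Suricata runs inline (IPS mode); in IDS mode the rule keeps alerting but no packets are dropped.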