How to make suricata alert per packet when it is matched

I tried this:
alert ip any any -> any any (msg:"ICMP Packet"; ip_proto:1; sid:1100000000; rev:1;)
and this:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:1100000000; rev:1;)
Then I pinged a server,
but it only generated 2 alerts (1 for client-server and 1 for server-client).
Is there any way to generate an alert for each packet?

alerts:

{"timestamp":"2022-03-11T11:00:32.409519+0800","flow_id":596011459297199,"in_iface":"ens1f1","event_type":"alert","vlan":[3],"src_ip":"192.168.2.16","src_port":0,"dest_ip":"36.152.44.95","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":1100000000,"rev":1,"signature":"ICMP Packet","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2022-03-11T11:00:32.409519+0800"},"payload":"ULsqYgAAAACiPwYAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","stream":0,"packet":"WAC7UeoS7PS7wnQQCABFAABU/aNAAEABKVbAqAIQJJgsXwgA928eXwABULsqYgAAAACiPwYAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","packet_info":{"linktype":1}}
{"timestamp":"2022-03-11T11:00:32.424100+0800","flow_id":596011459297199,"in_iface":"ens5f1","event_type":"alert","vlan":[3],"src_ip":"36.152.44.95","src_port":0,"dest_ip":"192.168.2.16","dest_port":0,"proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":1100000000,"rev":1,"signature":"ICMP Packet","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":98,"bytes_toclient":98,"start":"2022-03-11T11:00:32.409519+0800"},"payload":"ULsqYgAAAACiPwYAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","stream":0,"packet":"7PS7wnQQWAC7UeoSCABFBABU/aNAADcBMlIkmCxfwKgCEAAA/28eXwABULsqYgAAAACiPwYAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","packet_info":{"linktype":1}}

It did, you get 1 alert for the icmp echo request and 1 alert for the icmp echo reply, so in total 2 packets have been seen and also matched. What other packets would you expect for a pure ping?

I pinged it many times but only got these 2 alerts.
I expect to get an alert for every packet,
such as 18 alerts for the ping attempt below:

64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=1 ttl=55 time=14.7 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=2 ttl=55 time=14.8 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=3 ttl=55 time=14.7 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=4 ttl=55 time=14.7 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=5 ttl=55 time=14.8 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=6 ttl=55 time=14.8 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=7 ttl=55 time=14.7 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=8 ttl=55 time=14.6 ms
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=9 ttl=55 time=14.6 ms

Could you try to add flow: to_server; and flow: to_client; keywords to your rules?
I believe it has helped me to get per-packet alerts.
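
A way to check whether a rule change actually produced per-packet alerts, added here as an example and not part of any post in the thread: it compares the number of alerts for one sid against the packet counters in the flow record with the same flow_id. It assumes flow events are enabled in the EVE output and that the rule is meant to match every packet of the flow; the function name and the sample lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed EVE lines (trimmed to the fields used here), modelled on the
# alerts in the thread: one flow, sid 1100000000, 9 echo requests + 9 replies.
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":596011459297199,"src_ip":"192.168.2.16","dest_ip":"36.152.44.95","alert":{"signature_id":1100000000}}
{"event_type":"alert","flow_id":596011459297199,"src_ip":"36.152.44.95","dest_ip":"192.168.2.16","alert":{"signature_id":1100000000}}
{"event_type":"flow","flow_id":596011459297199,"src_ip":"192.168.2.16","dest_ip":"36.152.44.95","flow":{"pkts_toserver":9,"pkts_toclient":9}}
"""

def alert_coverage(lines, sid):
    """Per flow_id: alerts raised by `sid` vs. packets in the flow record."""
    alerts = defaultdict(int)
    packets = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines, e.g. a log still being written
        fid = ev.get("flow_id")
        if fid is None:
            continue
        kind = ev.get("event_type")
        if kind == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            alerts[fid] += 1
        elif kind == "flow":
            f = ev.get("flow", {})
            packets[fid] = f.get("pkts_toserver", 0) + f.get("pkts_toclient", 0)
    # Only flows that already have a flow record are reported; a flow that is
    # still active has no final packet count to compare against.
    report = {}
    for fid, total in packets.items():
        n = alerts.get(fid, 0)
        report[fid] = {"alerts": n, "packets": total, "per_packet": n == total}
    return report

if __name__ == "__main__":
    for fid, row in alert_coverage(SAMPLE_EVE.splitlines(), 1100000000).items():
        print(fid, row)
```

Run it against the EVE log before and after changing the rule; a flow where `per_packet` is false saw packets that raised no alert for that sid.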