ICMP Drop threshold for Suricata IPS

Hello guys,

I am trying to make a rule which will drop traffic if there are more than 5 ICMP requests per 10 seconds.

I am using this, but it drops ICMP traffic immediately:

drop icmp any any -> $HOME_NET any (threshold: type limit, track by_src, count 5, seconds 10; msg: "ICMP Request Blocked"; sid:2; rev:1;)

Is there something that I am doing wrong?

Thank you for any hint/help :)


I think you might be looking for the threshold: type threshold option.
https://docs.suricata.io/en/latest/rules/thresholding.html#type-threshold

I tried that too, but the difference is that nothing is blocked :(

Well, if you’re using type limit, I would expect it to start dropping ICMP traffic immediately.

My only guess is that you’re not meeting the threshold. At first glance I don’t see anything wrong with the rule (assuming using type threshold).

Are you able to collect a pcap of the traffic for offline testing?
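The behaviour the thread is circling around is easiest to see by counting matches by hand. The script below is an added example, not code from the thread or from the Suricata project: it models the per-rule counting logic of the four rate keywords documented on the Suricata thresholding page (threshold type limit / threshold / both, and detection_filter) and runs all four over a constructed burst of ICMP packets from one source. The window handling (a fixed window that starts at a source's first match and is restarted when a match arrives after it has expired) and the rule strings returned by rule_for are the editor's reading of the documentation, and the itype:8 restriction to echo requests is an added suggestion; verify against your own Suricata version before relying on it. The key point for a drop rule: a packet the threshold suppresses is not matched by the rule at all, so it passes. That is why type limit drops the first five packets and passes the rest, type threshold drops only every fifth packet, and detection_filter is the one that drops every packet after the fifth in the window, which is what the original post asked for.

```python
"""Model of Suricata's per-rule rate keywords (added example, not Suricata code).

Counting logic follows the Suricata thresholding documentation; the fixed,
restart-on-expiry window is an assumption about the exact implementation.
"""

KINDS = ("limit", "threshold", "both", "detection_filter")


def simulate(kind, count, seconds, packets):
    """Return one bool per packet: True where the rule fires (and, for a
    drop rule, the packet is dropped), False where the packet passes.

    packets: iterable of (timestamp_seconds, src_ip) in arrival order.
    Tracking is by_src, so each source has its own window and counter.
    """
    if kind not in KINDS:
        raise ValueError(f"unknown kind {kind!r}")
    state = {}  # src_ip -> [window_start, matches_in_window]
    fired = []
    for ts, src in packets:
        st = state.get(src)
        # Assumption: a window is "live" while window_start + seconds > ts,
        # and a match arriving after expiry opens a fresh window.
        if st is None or st[0] + seconds <= ts:
            st = state[src] = [ts, 0]
        st[1] += 1
        n = st[1]
        if kind == "limit":
            hit = n <= count          # first `count` matches fire, rest suppressed
        elif kind == "threshold":
            hit = n >= count          # fires on every `count`-th match ...
            if hit:
                st[1] = 0             # ... then starts counting again
        elif kind == "both":
            hit = n == count          # fires once per window, when count is reached
        else:  # detection_filter
            hit = n > count           # fires on every match after `count` matches
        fired.append(hit)
    return fired


def rule_for(kind, count, seconds, sid=2):
    """Suricata rule text for each variant (editor's wording, not from the thread).
    itype:8 limits the match to ICMP echo requests; drop it to count all ICMP."""
    rate = (f"detection_filter: track by_src, count {count}, seconds {seconds};"
            if kind == "detection_filter" else
            f"threshold: type {kind}, track by_src, count {count}, seconds {seconds};")
    return (f'drop icmp any any -> $HOME_NET any (msg:"ICMP Request Blocked"; '
            f"itype:8; {rate} sid:{sid}; rev:1;)")


# Constructed input: ten echo requests in ten seconds from one host, then one
# more after the window has expired.
CONSTRUCTED_PACKETS = [(t, "10.0.0.5") for t in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 15)]


def compare(count=5, seconds=10, packets=CONSTRUCTED_PACKETS):
    """Run every keyword over the same packets; returns {kind: [fired, ...]}."""
    return {kind: simulate(kind, count, seconds, packets) for kind in KINDS}


if __name__ == "__main__":
    print("t=        " + " ".join(f"{t:4d}" for t, _ in CONSTRUCTED_PACKETS))
    for kind, fires in compare().items():
        cells = " ".join("DROP" if f else "pass" for f in fires)
        print(f"{kind:17s} {cells}")
    print()
    print(rule_for("detection_filter", 5, 10))
```

Running it prints one row per keyword; with count 5, seconds 10 the limit row reads DROP for t=0..4 and t=15 and pass elsewhere, while the detection_filter row reads pass for t=0..4 and t=15 and DROP for t=5..9. When testing against a pcap, remember that a Windows or Linux ping sends one request per second, so five requests take five seconds and the sixth is the first one a detection_filter rule will drop.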