ICMP Drop threshold for Suricata IPS

Hello guys,

I am trying to make a rule which will drop traffic IF ICMP traffic is more than 5 ICMP req per 10 seconds

I am using this, but it drops ICMP traffic immediately:

drop icmp any any -> $HOME_NET any (threshold: type limit, track by_src, count 5, seconds 10; msg: "ICMP Request Blocked"; sid:2; rev:1;)

Is there something that I am doing wrong ?

Thank you for any hint/help :slight_smile:

1 Like

I think you might be looking for the threshold: type threshold option.

I tried that too but difference is that nothing is blocked :frowning:

Well, if you’re using type limit, I would expect it to start dropping ICMP traffic immediately.

My only guess is that you’re not meeting the threshold. At first glance I don’t see anything wrong with the rule (assuming using type threshold).

Are you able to collect a pcap of the traffic for offline testing?