Ping rule to detect

Hello! I use a rule to detect ping; how can I make it trigger not from the first packet but, let's say, from the 4th?
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; flow:to_server; gid:1; sid:10000001; rev:1; classtype:attempted-recon;)

I suppose one way could be flowint: 8.11. Flow Keywords — Suricata 7.0.2-dev documentation

It doesn’t work, I tried many options
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; flow:to_server; gid:1; sid:10000001; rev:1; classtype:attempted-recon; \
flowint:icmp_count, +, 1; flowint:icmp_count, >, 5;)

Can you tell me what's wrong?

It doesn’t work, I tried many options

What does it do? Does it not alert at all? Does it alert on every ping anyway?

I would also try splitting it into multiple rules like this (from the docs):

alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; \
flowint:loginfail, notset; flowint:loginfail, =, 1; noalert;)
So we detect the initial fail if the variable is not yet set and set it to 1 if so. Our first hit.
alert tcp any any -> any any (msg:"Counting Logins"; content:"login failed"; \
flowint:loginfail, isset; flowint:loginfail, +, 1; noalert;)
We are now incrementing the counter if it's set.
alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; \
content:"login failed"; flowint:loginfail, isset; flowint:loginfail, >, 5;)

At the same time, maybe instead of flowint you would want to use thresholds / rate limiting?
https://docs.suricata.io/en/latest/configuration/global-thresholds.html#threshold-event-filter

My rule works for every packet. If you add flowint:icmp_count, +, 1; flowint:icmp_count, >, 5; then it stops working altogether.

If you put both flowint:icmp_count, +, 1; and flowint:icmp_count, >, 5; in the same rule, the rule does not trigger because icmp_count can never get above 5 (it only gets increased if the rule matches).

So you can split it into 2 rules: one with flowint:icmp_count, +, 1; and the noalert; keyword, and another one with flowint:icmp_count, >, 5;
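Putting the two-rule approach into a complete form, as an added example that is not from the thread or from the Suricata documentation: the first rule only counts echo requests in the flow and is silenced with noalert, the second alerts once the counter is above 3, i.e. from the 4th ping of a flow onward (the number the original question asked for). The itype:8 match, the sids 10000001-10000003 and the 60-second window are my own choices; $HOME_NET is assumed to be defined in suricata.yaml. The third rule is the threshold-style alternative suggested earlier in the thread, written with detection_filter so it needs no flowint at all.

```suricata
# Added example, not from the thread. Two-rule flowint counter for ICMP echo
# requests: rule 1 only counts (noalert), rule 2 alerts from the 4th request
# in the same flow. Assumptions: $HOME_NET is set in suricata.yaml, sids
# 10000001-10000003 are unused in your ruleset, itype:8 = IPv4 echo request.

# Rule 1: increment the per-flow counter on every echo request, never alert.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request - count in flow"; \
    itype:8; flow:to_server; \
    flowint:icmp_count, +, 1; noalert; \
    classtype:attempted-recon; gid:1; sid:10000001; rev:1;)

# Rule 2: read the counter set by rule 1; true from the 4th request onward.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request - 4th or later in flow"; \
    itype:8; flow:to_server; \
    flowint:icmp_count, >, 3; \
    classtype:attempted-recon; gid:1; sid:10000002; rev:1;)

# Alternative without flowint: detection_filter alerts on every match after
# the count is exceeded, so with count 3 it fires on the 4th echo request
# from one source within 60 s and on each later one in that window.
# Counted per source host (track by_src), not per flow.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request - 4 or more from one source in 60s"; \
    itype:8; flow:to_server; \
    detection_filter:track by_src, count 3, seconds 60; \
    classtype:attempted-recon; gid:1; sid:10000003; rev:1;)
```

Both flowint rules must be loaded in the same ruleset; Suricata's signature ordering evaluates rules that set or modify a flowint before rules that only test it, so the count is already updated when the second rule runs. Note the scoping difference: the flowint counter is per flow (echo requests and replies between the same pair of hosts are tracked as one flow until it times out), while detection_filter with track by_src counts across all flows from one source address inside the time window. If you want one alert per 4 pings rather than an alert on every ping from the 4th onward, use threshold:type threshold, track by_src, count 4, seconds 60; in place of detection_filter. Check the syntax with suricata -T -S icmp.rules before deploying.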

Thank you! Everything works