Question about SSH SCAN rule

Hello,

I get a lot of alerts with this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

This rule is supposed to generate an alert if it detects 5 or more SSH scans in 120 seconds. In my analysis, I noticed that, in this particular example, some external address is generating traffic to one internal IP:

We can see that the traffic is composed of 14 packets, which is enough to generate the alert. But, when I check the alert info it shows this (only 1 packet):

[screenshot: ssh_scan_2]

How can I explain this behaviour?

Thanks in advance

The Suricata threshold in your rule tracks this rule by source IP, and it basically counts the flows, not the packets.

Once the number of flows is reached, it alerts on the flow that passed the threshold, probably on the first packets (depending on how the protocol is detected); that's why you see only the numbers related to the latest flow (the one that triggered the threshold).
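To make the answer concrete, here is an added model (not Suricata's own code, and not part of the thread) of how the rule's two parts interact. The signature part (flow:to_server, dport 22, flags:S,12) matches only the SYN that opens each connection, so every new flow contributes exactly one match no matter how many data packets follow. The threshold part (type both, track by_src, count 5, seconds 120) then counts those matches per source IP and raises a single alert on the packet that crosses the count, which is why the alert record shows one packet. The window handling is a simplification of Suricata's implementation, and all addresses and timestamps are constructed sample data.

```python
"""Model of Suricata's "threshold: type both, track by_src" on the ET SSH scan rule.

Added illustration, not Suricata's implementation: it matches the signature part
per packet (so each TCP flow contributes only its SYN), then applies the
per-source threshold and records which packet carried the alert.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA"


# Rule parameters taken from sid:2001219 in the question.
RULE = {"dport": 22, "count": 5, "seconds": 120}


def matches_signature(pkt: Packet, rule=RULE) -> bool:
    """flags:S,12 -> SYN set and nothing else, with the two reserved bits
    (CWR/ECE) ignored. Only the first packet of a flow satisfies this."""
    effective = pkt.flags.replace("C", "").replace("E", "")
    return pkt.dport == rule["dport"] and effective == "S"


def apply_threshold(packets, rule=RULE):
    """threshold: type both, track by_src, count N, seconds T (simplified model).

    Per source IP, count signature matches inside a T-second window that opens at
    the first match. Alert exactly once, on the packet that makes the count reach
    N; later matches in the same window are counted but not alerted; a match after
    the window has expired opens a new window.
    """
    state = {}    # src -> (window_start, matches_in_window)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not matches_signature(pkt, rule):
            continue
        start, n = state.get(pkt.src, (None, 0))
        if start is None or pkt.ts - start > rule["seconds"]:
            start, n = pkt.ts, 0
        n += 1
        state[pkt.src] = (start, n)
        if n == rule["count"]:
            alerts.append({"src": pkt.src, "ts": pkt.ts,
                           "flows_seen": n, "packet": pkt})
    return alerts


def syn_count(packets, src, rule=RULE) -> int:
    """Matching SYNs (i.e. new flows) from src, before any thresholding."""
    return sum(1 for p in packets if p.src == src and matches_signature(p, rule))


# Constructed sample traffic (hypothetical addresses, not from any capture).
SCANNER, VICTIM, OTHER = "198.51.100.7", "10.0.0.5", "203.0.113.9"

SAMPLE_PACKETS = (
    # burst 1: 14 connection attempts, one SYN each, 5 s apart (0 s .. 65 s)
    [Packet(5.0 * i, SCANNER, VICTIM, 22, "S") for i in range(14)]
    # ACK and data packets on those same flows: not SYN-only, so never a match
    + [Packet(5.0 * i + 0.2, SCANNER, VICTIM, 22, "A") for i in range(14)]
    + [Packet(5.0 * i + 0.4, SCANNER, VICTIM, 22, "PA") for i in range(14)]
    # a second source that stays under the count: no alert
    + [Packet(10.0 + 2 * i, OTHER, VICTIM, 22, "S") for i in range(3)]
    # burst 2 from the scanner after the 120 s window expired: a fresh window
    + [Packet(300.0 + 5 * i, SCANNER, VICTIM, 22, "S") for i in range(5)]
)


if __name__ == "__main__":
    print("flows (SYNs) from scanner:", syn_count(SAMPLE_PACKETS, SCANNER))
    for a in apply_threshold(SAMPLE_PACKETS):
        p = a["packet"]
        print(f"alert at t={a['ts']:.0f}s src={a['src']} carried by one packet "
              f"(flags={p.flags}); flow #{a['flows_seen']} in its window")
```

Running it shows 19 SYNs from the scanner but only two alerts, each attached to a single SYN packet: the fifth connection attempt of the first burst (t=20 s) and the fifth of the second burst (t=320 s). The remaining nine flows of the first burst are counted but silently absorbed by the 120-second window, and the 42 ACK/data packets never enter the count at all, which matches the behaviour described in the question.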