Rules for 2 public IPs?

Hello,

I’m trying to get suricata to alert on traffic from my public site. I’m currently mirroring the traffic to Suricata, and the source IP would be another public address.

I’ve written some sample test rules:
alert icmp x.x.x.x any <> any any (msg:“ICMP connection attempt:”; sid:1000002; rev:1;)
alert tcp x.x.x.x 22 <> any any (msg:“SSH connection attempt:”; sid:1000003; rev:1;)
alert tcp x.x.x.x 3000 <> any any (msg:“TCP connection to App:”; sid:1000004; rev:1;)

If i use my browser and hit x.x.x.x, Suricata is not picking it up. I do a tcpdump and can see the mirrored traffic hit the interface.

Does suricata not support two non-rfc1918 for monitoring? I attempted something like
alert icmp x.x.x.x any <> y.y.y.y any (msg:“ICMP connection attempt:”; sid:1000002; rev:1;)

replacing y.y.y.y with my ISP address, but it’s still not triggering any alerts when i ping.

Any guidance is appreciated. Thanks.

alert icmp 1.2.3.4 any <> any any (msg:"test"; sid:1; rev;1)
This should match on ICMP packets to or from 1.2.3.4, it should not matter if the IP is rfc1918 or not.
Can you see the flow you want to match on in Suricata if you enable flow logging?