Suricata dos rule help

ok sorry for the frequent questions but i ran into another weird error? it doesnt say error but my alert rule is not triggering…
alert icmp 192.168.199.132 any → $HOME_NET 80 (msg: “Possible DoS attack”; flags: S; flow: stateless,to_client; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;)

and im trying to use kali linux to test this rule, using sudo ping -f 192.168.199.129…

while using the command sudo tail -f /var/log/suricata/fast.log,
i dont see the alert when i test the ping command. output:
sudo tail -f /var/log/suricata/fast.log
07/15/2023-22:36:41.716734 [] [1:1000004:0] Possible TCP flow anomaly if ACK or push flags detected within established flow with abnormal delay [] [Classification: (null)] [Priority: 3] {TCP} 185.125.188.58:443 → 192.168.199.129:39974
07/15/2023-22:36:41.716735 [] [1:1000004:0] Possible TCP flow anomaly if ACK or push flags detected within established flow with abnormal delay [] [Classification: (null)] [Priority: 3] {TCP} 185.125.188.58:443 → 192.168.199.129:39974
07/15/2023-22:36:46.527543 [] [1:1000004:0] Possible TCP flow anomaly if ACK or push flags detected within established flow with abnormal delay [] [Classification: (null)] [Priority: 3] {TCP} 192.168.199.129:39974 → 185.125.188.58:443
07/15/2023-22:36:46.527585 [] [1:1000004:0] Possible TCP flow anomaly if ACK or push flags detected within established flow with abnormal delay [] [Classification: (null)] [Priority: 3] {TCP} 192.168.199.129:39974 → 185.125.188.58:443
07/15/2023-22:41:31.247942 [] [1:2013028:7] ET POLICY curl User-Agent Outbound [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.199.129:33918 → 18.155.68.66:80
07/15/2023-22:41:31.247940 [] [1:2013028:7] ET POLICY curl User-Agent Outbound [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.199.129:33918 → 18.155.68.66:80
07/15/2023-22:41:31.251365 [] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.155.68.66:80 → 192.168.199.129:33918
07/15/2023-22:41:31.251399 [] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.155.68.66:80 → 192.168.199.129:33918
07/15/2023-22:47:13.629182 [] [1:2022973:1] ET POLICY Possible Kali Linux hostname in DHCP Request Packet [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.199.132:68 → 192.168.199.254:67
07/15/2023-22:47:13.629257 [] [1:2022973:1] ET POLICY Possible Kali Linux hostname in DHCP Request Packet [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.199.132:68 → 192.168.199.254:67

is my method of testing wrong? ive also tried instead of alert icmp, i used alert tcp, and used the hping3 command, hping3 -S -p 80 --flood --rand-source 192.168.199.129.
or does ping not do it fast enough even with -f option to trigger the alert?

You have a rule that looks for ICMP but also Port 80, that does not make much sense. Port 80 is normally used for HTTP.

alright. so i changed it to this,
alert icmp 192.168.199.132 any → $HOME_NET any (msg: “Possible DoS attack”; flags: S; flow: stateless,to_client; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;)

and tested using sudo ping -f 192.168.199.129

but the alert will still not trigger.
am i doing something wrong with my rules?

What is $HOME_NET for you?
Also, could you please write down what does your rule mean and is supposed to do? Often that helps self debugging. Go over one item at a time in the rule.
What’s the value of HOME_NET. Why am I using flags, what does it mean. What should the flow state be. etc.

the $HOME_NET is 192.168.199.129, i have tried both using this ip addr in the rule and $HOME_NET.

so the rule is suppose to send an alert if there is too many packets that gets sent into the system, regardless of the packet source.