Here is my rule:

alert icmp any any -> any any (msg:"icmp ping"; flow:to_server; sid:10000001; gid:1; priority:1; threshold:type limit, track by_src, count 1, seconds 5;)
This rule limits the same source IP to generate one alarm within 5 seconds, but I hope that the same source IP will generate an alarm within 5 seconds for different destination IPs. For example, if the IP 1.1.1.1 is pinged first, an alarm will be generated at this time. In the next 5 seconds, pinging 1.1.1.1 will not generate an alarm. However, if this IP pings 2.2.2.2 within 5 seconds, I hope to receive an alarm.
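A small model of the threshold logic behind this question, added here as an illustration and not part of the original post or of the IDS engine's own code: it replays a constructed sequence of ICMP echo events through a `type limit, count 1, seconds 5` window, first tracked by source only (what the posted rule does) and then tracked by the (source, destination) pair the poster wants. The class, function and event-field names and the timestamps are assumptions made for the example.

```python
# Model of "threshold:type limit, count N, seconds T" with a pluggable tracking key.
# The engine's real implementation differs in detail; this only reproduces the
# window semantics described in the question (assumption: window resets T seconds
# after the first event that opened it).


class LimitThreshold:
    def __init__(self, count, seconds, key_fn):
        self.count = count          # alerts allowed per window
        self.seconds = seconds      # window length in seconds
        self.key_fn = key_fn        # event -> tracking key (by_src, or a src/dst pair)
        self.state = {}             # key -> (window_start, events_seen_in_window)

    def check(self, event):
        """Return True if the event should raise an alert, False if suppressed."""
        key = self.key_fn(event)
        start, seen = self.state.get(key, (None, 0))
        if start is None or event["ts"] - start >= self.seconds:
            start, seen = event["ts"], 0   # window expired: open a new one
        seen += 1
        self.state[key] = (start, seen)
        return seen <= self.count


def by_src(event):
    """Tracking key used by 'track by_src'."""
    return event["src"]


def by_src_dst(event):
    """Tracking key for the per-destination behaviour the poster asks for."""
    return (event["src"], event["dst"])


# Constructed events: one host pings 1.1.1.1 twice, then 2.2.2.2, then 1.1.1.1
# again after the 5-second window has elapsed (ts is seconds since capture start).
EVENTS = [
    {"ts": 0, "src": "10.0.0.5", "dst": "1.1.1.1"},
    {"ts": 2, "src": "10.0.0.5", "dst": "1.1.1.1"},
    {"ts": 3, "src": "10.0.0.5", "dst": "2.2.2.2"},
    {"ts": 6, "src": "10.0.0.5", "dst": "1.1.1.1"},
]


def replay(events, key_fn, count=1, seconds=5):
    """Run events through the threshold; returns one alert/suppress flag per event."""
    th = LimitThreshold(count, seconds, key_fn)
    return [th.check(e) for e in events]


if __name__ == "__main__":
    print("track by_src     :", replay(EVENTS, by_src))      # [True, False, False, True]
    print("track by src+dst :", replay(EVENTS, by_src_dst))  # [True, False, True, True]
```

With source-only tracking the ping to 2.2.2.2 at t=3 is swallowed by the window opened at t=0; keying on the pair gives it its own window, which is the behaviour the question describes.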