I want my Suricata IPS to limit traffic

to save the host from a SYN flood,
just like:
iptables -t filter -A INPUT -p tcp -m tcp --syn -m hashlimit --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 50 --hashlimit-name ddos -j DROP

i’ve read

Suricata 5.0.4
test.rules, only two rules:
#drop tcp any any -> any any (msg:"possible syn flood!!";flags:S;threshold:type both,track by_src,count 50,seconds 1;)
alert tcp any any -> any any (msg:"possible syn flood!!";flags:S;sid:202206011; rev:1;)
drop icmp any any -> any any (msg:"icmp request flood!!";icode:0; itype:8; threshold:type both,track by_src,count 50,seconds 1;sid:202206012; rev:1;)

threshold.config, only one config:
rate_filter gen_id 1, sig_id 202206011, track by_src, count 50, seconds 1, new_action drop, timeout 1

pc1[being attacked]---------[linux ips]--------------pc2[attacker]
at pc1, tcpdump -i eth0 tcp and dst port 80
at pc2 hping3 -S -p 80 -i u100 -c 300 $pc1

With the Linux IPS disabled, I can capture packets with TCP port 80 at pc1.
With the IPS enabled, I get no packets.
It seems that the IPS blocks all the matched packets; the config in threshold.config is useless.
In eve.json and fast.log, there is info about the blocked packets.
After stopping hping3,
using curl http://pc1ip:80 at pc2
is OK.
The rule sid: 202206001 doesn't fully work.

But when enabled, at pc1, hping3 -1 -i u100 -c 300 $pc2,
I can capture some of the packets in pc1 from pc2.
Rule 2 worked.

So, where's the problem?
Does the Suricata IPS treat TCP differently from ICMP?
Thanks, all of you.

While hping3 at pc2 sends a flood of TCP SYN packets:

I tcpdump at the incoming port, and there is a flood of TCP packets;
at the outgoing port, there are no packets.

I set only one rule about ICMP in the test.rules file.
It's the same: the outgoing port has no packets.

So it's the Suricata engine that has blocked the TCP SYN packets from hping3; it is none of the rules' business.

If Suricata is running with only one ICMP rule and TCP SYN packets are dropped, then it sounds like a configuration error. Clearing any existing iptables rules, using threshold: type threshold to get a complete view of blocked packets, and not using threshold.config might be a place to start.
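
An added example, not part of the thread and not Suricata project code: a small Python check over eve.json that counts, per signature and source address, how many alert events carry alert.action "allowed" versus "blocked". That split shows whether sid 202206011 ever let packets through before the rate_filter changed its action. The sample events and the address 192.0.2.10 are constructed; the helper names are hypothetical.

```python
import json
from collections import Counter

def summarize(eve_lines):
    """Count alert events per (signature_id, src_ip), split by alert.action."""
    stats = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partially written line at the tail of a live log
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        key = (alert.get("signature_id"), event.get("src_ip"))
        stats.setdefault(key, Counter())[alert.get("action", "unknown")] += 1
    return stats

def verdict(counts):
    """Describe what the allowed/blocked split says about a rule."""
    allowed, blocked = counts["allowed"], counts["blocked"]
    if blocked and not allowed:
        return "every match blocked"
    if allowed and not blocked:
        return "never blocked"
    return f"{allowed} allowed, {blocked} blocked"

def sample_event(sid, src_ip, action):
    """Build one constructed EVE alert line (not real Suricata output)."""
    return json.dumps({"event_type": "alert", "src_ip": src_ip,
                       "alert": {"gid": 1, "signature_id": sid, "action": action}})

# Constructed sample; 192.0.2.10 is a documentation address standing in for pc2.
SAMPLE = (
    [sample_event(202206011, "192.0.2.10", "allowed")] * 4
    + [sample_event(202206011, "192.0.2.10", "blocked")] * 6
    + [sample_event(202206012, "192.0.2.10", "blocked")] * 3
    + ['{"event_type": "flow", "src_ip": "192.0.2.10"}', '{"event_type": "al']
)

if __name__ == "__main__":
    for (sid, src), counts in sorted(summarize(SAMPLE).items()):
        print(sid, src, verdict(counts))
```

To run it on a real log, pass the open eve.json file object to summarize(). Packets that disappear with no matching alert events for their sid are not being dropped by that rule.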