Snort not showing blocked/dropped packets


I'm trying to detect ping flood attacks with Snort. I have included the rule

drop icmp any -> any (itype:8; threshold, track by_src, count 20, seconds; msg:"ping flood attack detected"; sid:100121)

in Snort's ddos.rule file.

I'm attacking using the command

hping3 -1 --fast

The ping statistics on the attacking machine say

100% packet loss

However, Snort's action stats show the verdicts as

Block -> 0.

Why is this happening?

A few things to note:

1) The rule is missing a value for seconds. You need to specify a timeout value: you have "seconds;" but need something like "seconds 5;". Since the rule is not valid as written, I'm not sure when Snort is going to generate an alert, which means it may be dropping ICMP packets but not generating alerts.

2) The rule is going to drop every ICMP packet with itype 8. The threshold specifies when to alert, not when to drop. It is going to drop all packets that match and generate 1 alert per 20 drops. See the manual on rule thresholds here.

3) If you do not have Snort configured in inline mode, it will not be able to block packets. See more information on the 3 different modes here.

If you want to detect and drop ping floods, you should change the rule to use the detection_filter option instead of threshold. If you want to allow legitimate pings and drop only ping floods, you do not want to use threshold, because the way you have the rule written it will block all ICMP itype 8 packets. If you use detection_filter you can write the rule so that if Snort sees 20 pings in 5 seconds from the same source host, it drops them. Here is an example of what the rule might look like:

drop icmp any -> any (itype:8; detection_filter:track by_src, count 20, seconds 5; sid:100121)

If Snort sees 20 pings from the same source host within 5 seconds of each other, it will drop them and generate an alert. See the Snort manual on detection filters here.

With this configuration you can allow legitimate pings on your network and block ping floods from the same source host.
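The difference between the two rules above is easy to get wrong, so here is a small added example (not from the question or the answer) that models both behaviours in Python over a constructed packet trace. The trace is made up: one host pings once a second for 10 seconds, another sends 40 echo requests in 2 seconds. The threshold model follows the answer's description of the original rule (every itype 8 packet is dropped, one alert per 20 matches from a source within the window); the detection_filter model fires only once a source has sent `count` echo requests within `seconds`, and drops that packet and every further one inside the window. Both are simplified sliding-window approximations of Snort's bookkeeping, not Snort's code.

```python
from collections import defaultdict, deque

# Constructed trace of (timestamp_seconds, src_ip) for ICMP echo requests (itype 8).
# 10.0.0.5 is a legitimate host pinging once per second for 10 s;
# 10.0.0.99 floods 40 echo requests in 2 s (roughly what hping3 -1 --fast produces).
def build_trace():
    trace = [(float(t), "10.0.0.5") for t in range(10)]
    trace += [(2.0 + i * 0.05, "10.0.0.99") for i in range(40)]
    trace.sort()
    return trace


def evaluate_threshold_rule(trace, count=20, seconds=5):
    """Model of the rule as originally written:
       drop icmp any -> any (itype:8; threshold, track by_src, count 20, seconds 5; ...)
    The drop action applies to every matching packet; threshold only controls
    how often an alert is generated (here: once per `count` matches per source
    inside a `seconds` window, per the answer's description).
    Returns (drops per source, number of alerts)."""
    dropped = defaultdict(int)
    windows = defaultdict(deque)   # per-source timestamps of recent matches
    alerts = 0
    for ts, src in trace:
        dropped[src] += 1          # every itype 8 packet is dropped, flood or not
        w = windows[src]
        w.append(ts)
        while ts - w[0] > seconds: # expire matches older than the window
            w.popleft()
        if len(w) == count:        # count-th match in the window: alert, reset counter
            alerts += 1
            w.clear()
    return dict(dropped), alerts


def evaluate_detection_filter_rule(trace, count=20, seconds=5):
    """Model of the corrected rule:
       drop icmp any -> any (itype:8; detection_filter:track by_src, count 20, seconds 5; ...)
    The rule does not fire at all until a source has sent `count` echo requests
    within `seconds`; from then on each packet inside the window is dropped.
    Returns (drops per source, passed packets per source)."""
    dropped = defaultdict(int)
    passed = defaultdict(int)
    windows = defaultdict(deque)
    for ts, src in trace:
        w = windows[src]
        w.append(ts)
        while ts - w[0] > seconds:
            w.popleft()
        if len(w) >= count:        # rate exceeded for this source: rule fires, packet dropped
            dropped[src] += 1
        else:
            passed[src] += 1       # below the rate: legitimate ping, let it through
    return dict(dropped), dict(passed)


if __name__ == "__main__":
    trace = build_trace()
    drops, alerts = evaluate_threshold_rule(trace)
    print("threshold rule:        dropped", drops, "alerts", alerts)
    drops, passed = evaluate_detection_filter_rule(trace)
    print("detection_filter rule: dropped", drops, "passed", passed)
```

With the threshold model the legitimate host loses all 10 of its pings even though it never trips the alert; with the detection_filter model it loses none, and the flooding host gets its first 19 packets through before the 20th and every later one in the window is dropped. Note that neither model says anything about the "Block -> 0" counter in the question: the rule only produces drop verdicts when Snort runs inline, as point 3 of the answer says.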

