Hello,
To answer your first question, you could create a service-http signature on header-regex of:
^X-Client-IP:
(with perhaps [0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9] for IPv4 addresses).
As for the changing IP addresses, I don't know of any way to handle that within the regex. However, if the X-Client-IP address is within a certain range (ie, class C/B), you could include that in the regex above).
You might be able to do a suitable alert with event management software, however, I don't know of any way of doing exactly what you want with a single signature (though I may be wrong and it may be possible).
I have some questions which may help with writing a suitable signature though:
How different is the IP addresses used in X-Client-IP?
Have you tested if the CDM passes on the clients X-Client-IP header (if specified), or if it replaces the header completely (or possibly inserts an additional header).
If the client's X-Client-IP header is honoured, then the client might be inserting random IP addresses to try and trick software using X-Client-IP.