I need some help on customizing sig 3171, FTP priviledged login. I would like once this sig fires a certain number of times it will block the host. I have my device setup for blocking and I thought I had this sig cloned correctly to block the host after a certain number events, but this sig is still firing from the same host well past the desired number. I don't really want to block this after the first event in case their is any legitimate traffic.
Any advice or direction is appreciated.