We are getting people attempting a dictionary attack on one of our FTP servers. We have an ASA with an SSM module protecting the edge. When they attempt this attack, they trigger signature 6250 'FTP Authorization Failure' alerts.
I would like to set up a shun onto the ASA for anyone that triggers this signature more than 3 times in 5 minutes. Do I need to create a meta type signature for this or can I modify the existing signature? If I need to create a new signature for this, how would I set up the 3 times in 5 minutes part? Would this be something that would be better answered by putting in a TAC ticket?