On this signature, you need to look at the following fields:
Event Count
Event Count Key
Alert Interval
Event Action
By configuring the following event counter fields, you specify how many instances of the signature's traffic are required to cause an alert:
Event Count - Here you can specify, let's say, 5.
Event Count Key - Here you can specify Attacker Address.
Alert Interval - You may leave this blank or, let's say, specify 20 seconds.
Event Action - Specify Produce Alert+Request Block Host.
The Event Count field identifies how many instances of the signature's traffic need to occur before an alert is generated. So with the above values defined, if a specific host hits the command 5 times within 20 seconds, an alert will be generated and the host will be blocked on the blocking device.
By specifying an Alert Interval, you indicate the time period (in seconds) over which the sensor must see the number of instances of the intrusive traffic equal to the Event Count in order to generate an alert. For instance, if the Alert Interval is set to 20 and the Event Count is 5, then the sensor must see five instances of the signature's traffic in 20 seconds before it generates an alert. At the end of the alert interval, the instance count is reset to 0.
You can also configure a signature without an Alert Interval parameter. In that situation, an alert is generated when the instances of the signature's traffic reach the Event Count, regardless of the time interval.
Please make sure that the signature is configured accordingly. If it is, then we need to start looking into other domains.
Regards,
Vibhor.
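
The counting behaviour described in the reply above, modelled as an added Python example (not part of the original post and not the sensor's own code). It assumes the interval for a key starts at that key's first counted event and that counting restarts after an alert fires; the addresses and timestamps are constructed samples.

```python
from collections import namedtuple

# ts is the arrival time in seconds; attacker is the Event Count Key value.
Event = namedtuple("Event", "ts attacker")


class EventCounter:
    """Model of Event Count / Event Count Key / Alert Interval."""

    def __init__(self, event_count, alert_interval=None):
        self.event_count = event_count
        self.alert_interval = alert_interval  # None: no time limit
        self.state = {}  # key -> (interval_start, instance_count)

    def observe(self, ev):
        """Return True when this event makes its key reach Event Count."""
        start, count = self.state.get(ev.attacker, (ev.ts, 0))
        # At the end of the alert interval the instance count is reset to 0.
        expired = (self.alert_interval is not None
                   and ev.ts - start >= self.alert_interval)
        if expired:
            start, count = ev.ts, 0
        count += 1
        if count >= self.event_count:
            # Assumption: counting restarts once the alert has fired.
            self.state.pop(ev.attacker, None)
            return True  # here the Event Action would be carried out
        self.state[ev.attacker] = (start, count)
        return False


def run(events, event_count, alert_interval=None):
    """Return (ts, attacker) for every event that triggers an alert."""
    counter = EventCounter(event_count, alert_interval)
    return [(e.ts, e.attacker) for e in events if counter.observe(e)]


# Constructed traffic: one host sends 5 hits in 12 s, another 5 hits in 40 s.
SAMPLE = sorted(
    [Event(t, "10.0.0.5") for t in (0, 3, 6, 9, 12)]
    + [Event(t, "10.0.0.9") for t in (0, 10, 20, 30, 40)]
)

if __name__ == "__main__":
    print("interval=20s :", run(SAMPLE, 5, 20))
    print("no interval  :", run(SAMPLE, 5))
```

With the 20-second interval only the fast host reaches the count; with the interval left blank the slow host also triggers on its fifth hit.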