Build 6948 seems to be subject to major flaw with the IDS rules.

During my tests I was not able successfully get an IP address added to the IDS block as a Brute Force By Protocol Failure violation - all blocks were a result of a Denial Of Service Violation.

Removing or increasing the Denial of Service threshold values above the Brute Force By Protocol thresholds results in a system open to brute force.

When Brute Force By Protocol & Denial of Service exist with the same values, its only possible to get the offending IP added to the Denial of Service block list - which indicates that Denial of Service takes precedence over Brute Force By Protocol

The logs below show 11 failed login attempts via POP 3 where an IDS rule exists that is configured to block the offending IP for 60 minutes after 2 failed login attempts within a 5 minute period

[2019.01.15] 14:24:32.892 [REDACTED][25486715] connected at 1/15/2019 2:24:32 PM
[2019.01.15] 14:24:32.892 [REDACTED][25486715] CAPA
[2019.01.15] 14:24:32.892 [REDACTED][25486715] USER REDACTED
[2019.01.15] 14:24:32.892 [REDACTED][25486715] PASS XXXX
[2019.01.15] 14:24:32.892 [REDACTED][25486715] -ERR UserName or Password is incorrect
[2019.01.15] 14:24:32.892 [REDACTED][25486715]  login failed
[2019.01.15] 14:24:32.892 [REDACTED][25486715] disconnected at 1/15/2019 2:24:32 PM
[2019.01.15] 14:24:33.888 [REDACTED][40469593] connected at 1/15/2019 2:24:33 PM
[2019.01.15] 14:24:33.888 [REDACTED][40469593] CAPA
[2019.01.15] 14:24:33.888 [REDACTED][40469593] USER REDACTED
[2019.01.15] 14:24:33.888 [REDACTED][40469593] PASS XXXX
[2019.01.15] 14:24:33.888 [REDACTED][40469593] -ERR UserName or Password is incorrect
[2019.01.15] 14:24:33.888 [REDACTED][40469593]  login failed
[2019.01.15] 14:24:33.888 [REDACTED][40469593] disconnected at 1/15/2019 2:24:33 PM
[2019.01.15] 14:25:14.887 [REDACTED][50614836] connected at 1/15/2019 2:25:14 PM
[2019.01.15] 14:25:14.887 [REDACTED][50614836] CAPA
[2019.01.15] 14:25:14.887 [REDACTED][50614836] USER REDACTED
[2019.01.15] 14:25:14.887 [REDACTED][50614836] PASS XXXX
[2019.01.15] 14:25:14.887 [REDACTED][50614836] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:14.887 [REDACTED][50614836]  login failed
[2019.01.15] 14:25:14.887 [REDACTED][50614836] disconnected at 1/15/2019 2:25:14 PM
[2019.01.15] 14:25:15.895 [REDACTED][36745369] connected at 1/15/2019 2:25:15 PM
[2019.01.15] 14:25:15.895 [REDACTED][36745369] CAPA
[2019.01.15] 14:25:15.895 [REDACTED][36745369] USER REDACTED
[2019.01.15] 14:25:15.895 [REDACTED][36745369] PASS XXXX
[2019.01.15] 14:25:15.895 [REDACTED][36745369] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:15.895 [REDACTED][36745369]  login failed
[2019.01.15] 14:25:15.895 [REDACTED][36745369] disconnected at 1/15/2019 2:25:15 PM
[2019.01.15] 14:25:28.894 [REDACTED][4685816] connected at 1/15/2019 2:25:28 PM
[2019.01.15] 14:25:28.894 [REDACTED][4685816] CAPA
[2019.01.15] 14:25:28.894 [REDACTED][4685816] USER REDACTED
[2019.01.15] 14:25:28.894 [REDACTED][4685816] PASS XXXX
[2019.01.15] 14:25:28.894 [REDACTED][4685816] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:28.894 [REDACTED][4685816]  login failed
[2019.01.15] 14:25:28.894 [REDACTED][4685816] disconnected at 1/15/2019 2:25:28 PM
[2019.01.15] 14:25:29.890 [REDACTED][13474264] connected at 1/15/2019 2:25:29 PM
[2019.01.15] 14:25:29.890 [REDACTED][13474264] CAPA
[2019.01.15] 14:25:29.890 [REDACTED][13474264] USER REDACTED
[2019.01.15] 14:25:29.890 [REDACTED][13474264] PASS XXXX
[2019.01.15] 14:25:29.890 [REDACTED][13474264] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:29.890 [REDACTED][13474264]  login failed
[2019.01.15] 14:25:29.890 [REDACTED][13474264] disconnected at 1/15/2019 2:25:29 PM
[2019.01.15] 14:25:30.894 [REDACTED][63607995] connected at 1/15/2019 2:25:30 PM
[2019.01.15] 14:25:30.894 [REDACTED][63607995] CAPA
[2019.01.15] 14:25:30.894 [REDACTED][63607995] USER REDACTED
[2019.01.15] 14:25:30.894 [REDACTED][63607995] PASS XXXX
[2019.01.15] 14:25:30.894 [REDACTED][63607995] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:30.894 [REDACTED][63607995]  login failed
[2019.01.15] 14:25:30.894 [REDACTED][63607995] disconnected at 1/15/2019 2:25:30 PM
[2019.01.15] 14:25:53.883 [REDACTED][21439574] connected at 1/15/2019 2:25:53 PM
[2019.01.15] 14:25:53.883 [REDACTED][21439574] CAPA
[2019.01.15] 14:25:53.899 [REDACTED][21439574] USER REDACTED
[2019.01.15] 14:25:53.899 [REDACTED][21439574] PASS XXXX
[2019.01.15] 14:25:53.899 [REDACTED][21439574] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:53.899 [REDACTED][21439574]  login failed
[2019.01.15] 14:25:53.899 [REDACTED][21439574] disconnected at 1/15/2019 2:25:53 PM
[2019.01.15] 14:25:54.890 [REDACTED][24191953] connected at 1/15/2019 2:25:54 PM
[2019.01.15] 14:25:54.890 [REDACTED][24191953] CAPA
[2019.01.15] 14:25:54.890 [REDACTED][24191953] USER REDACTED
[2019.01.15] 14:25:54.890 [REDACTED][24191953] PASS XXXX
[2019.01.15] 14:25:54.890 [REDACTED][24191953] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:54.890 [REDACTED][24191953]  login failed
[2019.01.15] 14:25:54.890 [REDACTED][24191953] disconnected at 1/15/2019 2:25:54 PM
[2019.01.15] 14:26:12.894 [REDACTED][6658339] connected at 1/15/2019 2:26:12 PM
[2019.01.15] 14:26:12.894 [REDACTED][6658339] CAPA
[2019.01.15] 14:26:12.894 [REDACTED][6658339] USER REDACTED
[2019.01.15] 14:26:12.894 [REDACTED][6658339] PASS XXXX
[2019.01.15] 14:26:12.894 [REDACTED][6658339] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:12.894 [REDACTED][6658339]  login failed
[2019.01.15] 14:26:12.894 [REDACTED][6658339] disconnected at 1/15/2019 2:26:12 PM
[2019.01.15] 14:26:13.896 [REDACTED][37675339] connected at 1/15/2019 2:26:13 PM
[2019.01.15] 14:26:13.896 [REDACTED][37675339] CAPA
[2019.01.15] 14:26:13.896 [REDACTED][37675339] USER REDACTED
[2019.01.15] 14:26:13.896 [REDACTED][37675339] PASS XXXX
[2019.01.15] 14:26:13.896 [REDACTED][37675339] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:13.896 [REDACTED][37675339]  login failed
[2019.01.15] 14:26:13.896 [REDACTED][37675339] disconnected at 1/15/2019 2:26:13 PM
[2019.01.15] 14:26:27.894 [REDACTED][56978075] connected at 1/15/2019 2:26:27 PM
[2019.01.15] 14:26:27.894 [REDACTED][56978075] CAPA
[2019.01.15] 14:26:27.894 [REDACTED][56978075] USER REDACTED
[2019.01.15] 14:26:27.894 [REDACTED][56978075] PASS XXXX
[2019.01.15] 14:26:27.894 [REDACTED][56978075] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:27.894 [REDACTED][56978075]  login failed
[2019.01.15] 14:26:27.894 [REDACTED][56978075] disconnected at 1/15/2019 2:26:27 PM
[2019.01.15] 14:26:28.890 [REDACTED][18789829] connected at 1/15/2019 2:26:28 PM
[2019.01.15] 14:26:28.890 [REDACTED][18789829] CAPA
[2019.01.15] 14:26:28.890 [REDACTED][18789829] USER REDACTED
[2019.01.15] 14:26:28.890 [REDACTED][18789829] PASS XXXX
[2019.01.15] 14:26:28.890 [REDACTED][18789829] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:28.890 [REDACTED][18789829]  login failed
[2019.01.15] 14:26:28.890 [REDACTED][18789829] disconnected at 1/15/2019 2:26:28 PM
[2019.01.15] 14:26:47.885 [REDACTED][32197522] connected at 1/15/2019 2:26:47 PM
[2019.01.15] 14:26:47.885 [REDACTED][32197522] CAPA
[2019.01.15] 14:26:47.885 [REDACTED][32197522] USER REDACTED
[2019.01.15] 14:26:47.885 [REDACTED][32197522] PASS XXXX
[2019.01.15] 14:26:47.885 [REDACTED][32197522] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:47.901 [REDACTED][32197522]  login failed
[2019.01.15] 14:26:47.901 [REDACTED][32197522] disconnected at 1/15/2019 2:26:47 PM
[2019.01.15] 14:26:48.881 [REDACTED][11959282] connected at 1/15/2019 2:26:48 PM
[2019.01.15] 14:26:48.897 [REDACTED][11959282] CAPA
[2019.01.15] 14:26:48.897 [REDACTED][11959282] USER REDACTED
[2019.01.15] 14:26:48.897 [REDACTED][11959282] PASS XXXX
[2019.01.15] 14:26:48.897 [REDACTED][11959282] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:48.897 [REDACTED][11959282]  login failed
[2019.01.15] 14:26:48.897 [REDACTED][11959282] disconnected at 1/15/2019 2:26:48 PM

After creating the corresponding Brute Force By Protocol & Denial of Service rules the offending IP is added to the IDS block for triggering the Denial of Service rule

[2019.01.15] 14:41:05.893 [REDACTED][5249868] connected at 1/15/2019 2:41:05 PM
[2019.01.15] 14:41:05.893 [REDACTED][5249868] CAPA
[2019.01.15] 14:41:05.893 [REDACTED][5249868] USER REDACTED
[2019.01.15] 14:41:05.893 [REDACTED][5249868] PASS XXXX
[2019.01.15] 14:41:05.893 [REDACTED][5249868] -ERR UserName or Password is incorrect
[2019.01.15] 14:41:05.893 [REDACTED][5249868]  login failed
[2019.01.15] 14:41:05.893 [REDACTED][5249868] disconnected at 1/15/2019 2:41:05 PM
[2019.01.15] 14:41:06.894 [REDACTED][44381200] connected at 1/15/2019 2:41:06 PM
[2019.01.15] 14:41:06.894 [REDACTED][44381200] "421 Server is busy, try again later." response returned.
[2019.01.15] 14:41:06.894 [REDACTED][44381200] IP is blacklisted
[2019.01.15] 14:41:06.894 [REDACTED][44381200] disconnected at 1/15/2019 2:41:06 PM