I am trying to become familiar with Snort, and for this reason I have set up three VMs: a Kali box, a Windows machine with XAMPP, and an Ubuntu machine where I installed Snort.
I believe I have Snort running in afpacket inline mode. Whenever Snort starts it says "Enabling inline operation - Running in IDS mode".
On the Windows machine there is an FTP server running with the user "John" and the password 123456.
I am attacking the server with Ncrack from Kali, and it is able to find the password in around 2 minutes. I am trying to block the attack while still being able to distinguish between a real user (me trying to log in from the host machine) and the attacker. My plan is to make a rule that goes like this: "If the server receives more than 5 login attempts in 1 second, then drop the packet/attempt."
I have searched a lot; I have spent a good number of hours this week without being able to find the correct rule.
Do you have any tips? Any rules I should try? Am I doing something wrong? Thanks
What I have tried until now:
> alert tcp any any -> $HOME_NET 21 (msg:"Incoming FTP connection"; flags:S; sid:10000010;)
> #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Incoming SSH Connection"; gid:1; sid:10000012; rev:001;)
> #drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login"; nocase; flow:from_server,established; classtype:bad-unknown; threshold: type both, track by_dst, count 5, seconds 5; sid:491; rev:5;)
>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible FTP brute force attack"; metadata:service ftp-data; session:binary; sid:10000011; rev:001;)
>
> #drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute Force Attack Attempt"; content:"530 Login or password incorrect!"; nocase; flow:stateless; threshold: type both, track by_dst, count 3, seconds 1; sid:10000012; rev:1;)
>
> #drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Incoming Connections"; flags:S; threshold: type both, track by_src, count 3, seconds 1; sid:100000011; rev:1;)
>
> #drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER",nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1>
>
> #drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PASS overflow attempt"; flow:to_server,established; content:"PASS",nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1>
>
> #drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server,established; content:"|25 27|",fast_pattern,nocase; content:"USER"; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy max-detect-ips drop; reference:>
> #drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP login failure"; content:"530 Login "; nocase; flow:from_server,established; threshold: type both, track by_dst, count 10, seconds 15; sid:10000011; )
> #drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login success"; content:"PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; flow:from_client,established; threshold: type both, track by_dst, count 10, seconds 15; sid:10000012; )
>
> reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE-SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 30; sid:2002383; rev:3;)
>
> #alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize: content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type both, track by_dst, count 5, seconds 30; reference:url,doc.emergingthreats.net/2002383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2002383; rev:11;)
Most of the above produce logs, and I think some of them block, but not what I am really looking for.
Asked by george (11 rep), Feb 23, 2021, 05:15 PM
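Added example, not part of george's question: two Snort 2.9-style rules for the "more than 5 login attempts in 1 second" case, written with `detection_filter` instead of the in-rule `threshold` option (which Snort 2.9 marks as deprecated in favour of `detection_filter` and `event_filter`). The difference matters when the action is `drop`: `threshold: type both` fires once per window, on the packet that reaches the count, and then stays silent for the rest of the window, so a drop rule built on it discards one packet per window. `detection_filter` fires on every matching packet after the count has been exceeded within the window, which is what a drop needs to keep throttling. The rules assume a `local.rules` file included from `snort.conf`, that Snort is started inline (`-Q` with the afpacket DAQ; without inline mode no packet is dropped whatever the rule says), and that `$EXTERNAL_NET` actually contains the attacking host (if Kali sits in the same subnet as `$HOME_NET` and `$EXTERNAL_NET` is defined as `!$HOME_NET`, nothing here matches). The sids 1000001 and 1000002 are arbitrary local values chosen for this example.

```snort
# Added example (not from the question). Snort 2.9 rule syntax; sids are
# arbitrary local values; assumes inline mode and an $EXTERNAL_NET that
# covers the client doing the guessing.

# 1. Throttle by counting PASS commands from each client. detection_filter
#    fires on every packet once more than 5 PASS commands have arrived from
#    one source IP within 1 second, so in inline mode the 6th and later
#    guesses in that second are dropped. A person typing one password at a
#    time never reaches the count, so the legitimate login is unaffected.
drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"LOCAL FTP password guessing - PASS rate exceeded"; \
    flow:to_server,established; \
    content:"PASS "; nocase; depth:5; \
    detection_filter:track by_src, count 5, seconds 1; \
    classtype:attempted-user; \
    sid:1000001; rev:1;)

# 2. The same count keyed on the server's "530" failure replies. Tracking is
#    by_dst here because in this direction the client is the destination.
#    This rule only observes: dropping a 530 reply would not stop the client
#    from sending the next guess, so rule 1 is the one that throttles, and
#    this one logs which client is failing repeatedly. Once rule 1 starts
#    dropping PASS commands the server never sees them and sends no 530, so
#    this rule only counts the guesses that got through.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
    msg:"LOCAL FTP repeated login failures"; \
    flow:from_server,established; \
    content:"530 "; depth:4; \
    detection_filter:track by_dst, count 5, seconds 1; \
    classtype:unsuccessful-user; \
    sid:1000002; rev:1;)
```

Check that the rules parse with `snort -T -c /etc/snort/snort.conf` before running them inline, and run rule 1 as `alert` first to confirm from the logs that only the guessing client trips it and a manual login does not; only then switch it to `drop`.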