Snort mailing list archives

Telnet alert...


From: "Syed Mohammad Talha" <talha () cbq com qa>
Date: Tue, 18 Sep 2001 13:38:29 +0300

Hi all,

I have a machine as a gateway to my network with two public and private IP addresses. I am using ipchains for the masquerading and running snort on both the interfaces and trying to secure the machines from internal and external users. Now whenever I get an alert, I am using a guardian script to block that IP for a certain period of time.

My problem is that when someone tries to telnet from an internal machine to some external machine, it picks the external machine's IP as the source, and if the user gives the wrong password it blocks the source IP, which results in stopping all the traffic for that machine for all the network users, because that script puts a deny rule in ipchains for that source address. I want to block such access but not for all for the users who are giving the wrong passwords. Also, is there a way that I can define in snort that it doesn't put an alert for the first two failed tries? If anyone can help in this regard.

Thanks and Regards.
Talha
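
The two points raised in the message above, as an added example that is not part of the original post and is not Snort or Guardian code: the alert fires on the server's reply, so the source is the external telnet server, and a blocker should act on the internal endpoint of the flow and only after the first two failures. The LAN range, the five-minute window, the alert message text, the rule id and the sample alert lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed private LAN
MAX_FREE_FAILURES = 2            # first two failed logins are ignored
WINDOW = timedelta(minutes=5)    # assumed counting window

# Constructed sample alerts in Snort "fast" format (not from the original post).
SAMPLE_ALERTS = """\
09/18-13:30:01.000000  [**] [1:1000001:1] TELNET login incorrect [**] {TCP} 203.0.113.10:23 -> 192.168.1.5:1045
09/18-13:30:09.000000  [**] [1:1000001:1] TELNET login incorrect [**] {TCP} 203.0.113.10:23 -> 192.168.1.5:1045
09/18-13:30:20.000000  [**] [1:1000001:1] TELNET login incorrect [**] {TCP} 203.0.113.10:23 -> 192.168.1.5:1045
09/18-13:31:00.000000  [**] [1:1000001:1] TELNET login incorrect [**] {TCP} 203.0.113.10:23 -> 198.51.100.1:61004
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*login incorrect.*"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def internal_endpoint(src, dst):
    """Return the LAN host in the flow, or None if neither side is internal."""
    for ip in (dst, src):
        if ipaddress.ip_address(ip) in INTERNAL_NET:
            return ip
    return None

def hosts_to_block(alert_text):
    """Return internal clients with more than MAX_FREE_FAILURES failures in WINDOW."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    blocked = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        client = internal_endpoint(m["src"], m["dst"])
        if client is None:        # e.g. alert seen after masquerading: never block
            continue
        now = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
        times = recent[client]
        times.append(now)
        while now - times[0] > WINDOW:   # drop failures older than the window
            times.popleft()
        if len(times) > MAX_FREE_FAILURES and client not in blocked:
            blocked.append(client)
    return blocked

if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_ALERTS))
```

The last sample line has no internal endpoint, which is what the sensor on the public interface sees after masquerading, so it never produces a block.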
