Once I had broken it into 2 rules and started testing, I realised that
there were other rules (5503, 5720, 2501, 25020) which kick in on
multiple authentication failures.
So I lowered the level of rules 1002 and 5716, and am using the
default rules listed above.
Thanks for your help
On 23 Sep, 11
In my haste, I forgot to take out the frequency and timeframe from the
first rule. So here's my updated recommendation:
<!-- Ignore mistyped passwords until 3rd occurrence -->
1002
error trying to bind as user
Wrong password
101002
Wrong password entered repeatedly