The snort rules are downloaded everyday at night:
root@keepout:~# grep -iR ns-snort-rules /etc
/etc/crontabs/root:30 2 * * * sleep $((RANDOM % 1800)) && /usr/bin/ns-snort-rules --download --restart
The bad password attempts are coming from a private LAN IP address so it doesn’t get banned.
Maybe you need to configure your router in front of the NethSec to send the public IP instead of the internal one or use NethSec as the first router/firewall.