Enterasys Intrusion Prevention System Manual page 188

Example of Signature Creation
Comparing these two traces, you can see that once you are logged in, all your transactions
have a user ID attached to them. Your user ID is 85. The Administrator user ID is 1. Without
even realizing it, we have already completed two of our three tasks - identify when someone is
accessing the web page, and when they are using Administrator.
Our next task is to figure out exactly what happens when someone fails a login attempt. For
this step, we will start up Ethereal again and log in incorrectly to see what happens.
and
Figure 3-4
3-46 Creating Network Sensor Signatures
Figure 3-5 provide examples of failed login attempts.
Failed Login Attempt
Figure 3-4