Many services typically send the commands in upper case letters. FTP is a good example. In FTP, to send the username, the client sends:
A simple rule to look for FTP root login attempts could be:
alert tcp any any -> any any 21 (content:"user root";)
While it may seem trivial to write a rule that looks for the username root, a good rule will handle all of the odd things that the protocol might handle when accepting the user command.
For example, each of the following are accepted by most FTP servers:
user root user root user root user root user<tab>root
To handle all of the cases that the FTP server might handle, the rule needs more smarts than a simple string match.
A good rule that looks for root login on ftp would be:
alert tcp any any -> any 21 (flow:to_server,established; \ content:"root"; pcre:"/user\s+root/i";)
There are a few important things to note in this rule: