[ossec-list] To block based on user

[Michael Clark]

I've been using OSSEC for a while, but only with the default rules. 
I've experimented, but just not understanding how to make a custom rule 
kick in when a loser tries guessing passwords to a non-existent user. 
Basically, if someone uses dovecot and tries a password for the user 
"root" (or admin, or adm, or a bunch of others that I frequently see) I 
want the IP blocked on the first request. Thanks, Mike