Proposing the following two concepts:

Creation of IDS Category/Rule "BRUTE FORCE RELAY ATTEMPTS".  One of the current attacks is constantly attempting to relay through the server without logging in.  We are a provider that does not allow any form of relay without prior login - so if that option was set, this rule would be beneficial.

Addition of the ability to specify what protocol to apply a rule to.

Most of our attackers try to attack our SMTP service only - they rarely bother with IMAP and we don't offer POP3 except on a domain level special use case need only.  The SMTP attack consists of attempting to login once or twice through an IP - wait for a LONG period of time - sometimes a day or two - then try again. - but doing this with HUNDREDS of IPs at a time - continuously.  We want to craft a different Brute force rule based on this concept, while giving our IMAP and Webmail users a little more breathing room.  If they're already setup in IMAP, they are using a client with a saved password 99% of the time, so manually mitigating those rare cases would be a non-issue.