Excluding non-existent usernames from IDS tracking would mean that most password probing attempts would be missed by the IDS until they started hitting real accounts as well. We frequently see hackers/scripts attempting to guess passwords and they typically start with a list of non-existent usernames meaning we have them IDS blocked before they get to valid accounts.
Kyle Kerst
Acting IT Manager
SmarterTools Inc.
www.smartertools.com