Snort mailing list archives

ACID and Snort rules


From: "snort" <snort () michaelslab com>
Date: Wed, 21 Sep 2005 00:01:31 -0400

I would like to make a rule for users accessing certain sites via their log. I am tasked to prove that users are
authenticating into specific sites. I would like to get as specific as user name and password.

I want to create rules based on payload data; however, I have not been successful.
An example: I would like to trigger this rule for any IP address the sensor sees. I'm going to change the
content around to something like passwd, etc. I understand it's case sensitive when searching the payload data.
 
# "USER" is normally sent in upper case by FTP clients, so match case-insensitively; flow restricts the match to client-to-server traffic; sid/rev identify the rule
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP root login"; flow:to_server,established; content:"USER root"; nocase; sid:1000001; rev:1;)

 
Can someone give me more examples of a Snort rule to accomplish this task? What would rules look like searching the
payload data? Where do I put the rule, and how do I have it both alert and log to the database?

I have been reading some forums, and they are helpful in talking about the construction of a rule and its parts and what
each one means. I could use some help now. Thank you.
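The following is an added example written for this page, not rules from the poster or from the Snort distribution. It shows payload-matching rules of the kind the post asks about (FTP USER/PASS commands, the FTP root case, HTTP Basic authentication and HTTP form logins carrying a password field) and the snort.conf lines that send alerts to the database ACID reads. Assumptions: $HOME_NET and $RULE_PATH are defined in snort.conf as in the stock configuration, the rules live in a file named local.rules, the sids 1000001-1000005 are free in the local range, and the database user, password and host are placeholders.

```snort
# --- local.rules (added example; sids and $HOME_NET are assumptions) ---

# FTP USER command, client -> server. RFC 959 commands are case-insensitive and most
# clients send upper case, so "nocase" is required; "depth:5" pins the match to the
# first five payload bytes, so a USER string later in a data transfer does not fire it.
alert tcp any any -> $HOME_NET 21 (msg:"FTP USER command (username in clear)"; flow:to_server,established; content:"USER "; nocase; depth:5; classtype:misc-activity; sid:1000001; rev:1;)

# FTP PASS command: the password itself travels in the clear on the same channel.
alert tcp any any -> $HOME_NET 21 (msg:"FTP PASS command (password in clear)"; flow:to_server,established; content:"PASS "; nocase; depth:5; classtype:misc-activity; sid:1000002; rev:1;)

# The specific case from the post: a login as root.
alert tcp any any -> $HOME_NET 21 (msg:"FTP root login attempt"; flow:to_server,established; content:"USER root"; nocase; depth:9; classtype:attempted-admin; sid:1000003; rev:1;)

# HTTP Basic authentication: "Authorization: Basic <base64(user:password)>".
# |3A| is the hex escape for ':' inside a content match.
alert tcp any any -> any 80 (msg:"HTTP Basic authentication credentials in clear"; flow:to_server,established; content:"Authorization|3A| Basic "; nocase; classtype:misc-activity; sid:1000004; rev:1;)

# HTTP form login: a POST whose body carries a password-like field. The pcre allows
# the field to be first in the body (preceded by the CRLF ending the headers) or a
# later field (preceded by '&'); the /i flag makes the field name case-insensitive.
alert tcp any any -> any 80 (msg:"HTTP POST with password field"; flow:to_server,established; content:"POST "; nocase; depth:5; pcre:"/[\r\n?&](?:passwd|password|pass)=/i"; classtype:misc-activity; sid:1000005; rev:1;)

# --- snort.conf additions (added example; credentials and host are placeholders) ---

# Keep the normal alert output and also write events to the database that ACID reads.
# The database plugin uses the ACID/BASE schema; "log" records the triggering packet
# as well as the alert, which is what lets ACID display the payload.
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Load the local rules alongside the stock rule files.
include $RULE_PATH/local.rules
```

Two caveats a practitioner should keep in mind. Content matching runs against a single packet (or a reassembled stream, if stream reassembly is enabled for the port), so a username split across packets will not match a single "content". And once these rules log full packets to the database, the database holds cleartext usernames and passwords; restrict who can read it, and consider dropping the PASS and POST rules once the point has been proven.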
