How can you tell if a valid user is trying to brute-force crack root's password using 'su'? Please let me know of unusual user activities, log files to look at, whether an IDS can spot this, etc.

If you say "a PID that seems to never end" is a sure sign, well, is it ethical for me to peek at the user's file to make sure that it is a brute forcer?

Can anyone suggest a good brute-force script using 'su'? Is it possible in the first place? Please don't think that this is a lame question. No flames please. I just want to try it on our network before some valid user with a lot of spare time starts thinking like I do. Others may learn from this post too. Thanks.
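On the log-file part of the question, an added example that is not part of the original post: it counts failed `su` attempts against root per invoking user inside a sliding time window. It assumes the Linux PAM `pam_unix(su:auth): authentication failure` message format (typically found in `/var/log/auth.log` or `/var/log/secure`); the sample lines, the function name and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the post), in the assumed pam_unix format.
_FAIL = ("Mar 13 {t} host1 su: pam_unix(su:auth): authentication failure; "
         "logname={u} uid=1001 euid=0 tty=/dev/pts/2 ruser={u} rhost=  user=root")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(t="09:00:00", u="bob")]                       # one mistyped password
    + [_FAIL.format(t=f"10:15:{s:02d}", u="alice") for s in range(1, 13, 2)]  # 6 in 10 s
    + [_FAIL.format(t="11:30:00", u="bob"),
       "Mar 13 11:30:09 host1 su: pam_unix(su:session): "
       "session opened for user root by bob(uid=1002)"]         # success, ignored
)

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*).*?\buser=(?P<target>\S+)"
)

def find_su_bruteforce(text, threshold=5, window=timedelta(minutes=2), year=2024):
    """Return {invoking_user: peak failures inside one window} for users who
    reached `threshold` failed su-to-root attempts within `window`.
    Syslog timestamps carry no year, so `year` is an assumption."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    flagged = {}
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["target"] != "root":
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ruser"]]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ruser"]] = max(flagged.get(m["ruser"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for user, count in find_su_bruteforce(SAMPLE_LOG).items():
        print(f"{user}: {count} failed su-to-root attempts within 2 minutes")
```

The window matters more than the raw count: two failures hours apart look like typos, while a burst of failures seconds apart from one account does not.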