Thanks, Ben, for the help.
Finally was able to solve this.
The first thing I was not aware of was the fact that chain attacks work in AND fashion if no expression is defined.. stupid of me.
Second, when I tried .*[microsoft].* and turned on traceoptions, I saw an error in compiling..
Dec 3 12:25:26 idpd_need_policy_compile:712 Active policy path /var/db/idpd/sets/idpengine.set
Dec 3 12:25:26 Active Policy (idpengine) rule base configuration is changed so need to recompile active policy
Dec 3 12:25:26 Compiling policy idpengine....
Dec 3 12:25:26 Apply policy configuration, policy ops bitmask = 41
Dec 3 12:25:26 Starting policy(idpengine) compile with compress; dfa compile flags(0x000000f1)...
Dec 3 12:25:26 Failed to optimize rulebase idp.
Dec 3 12:25:26 idpd_policy_compile_no_fork:3620:(input && idpd_pc_compile(input, output, policy)): Policy compilation failed, errno 2: No such file or directory
Dec 3 12:25:26 ...Failed
Dec 3 12:25:26 idpd_config_read:2103:(idpd_policy_config_apply(pname, NULL, IDP_POLICY_OP_COMPILE | IDP_POLICY_OP_PACKAGE)):
Dec 3 12:25:26 Returning from commit mode, status = 0
Dec 3 12:25:26 [get_secupdate_cb_status] state = 0x1
Dec 3 12:25:26 Got signal SIGCHLD....
So I modified .*microsoft.* to .*Microsoft.* and checked with anonymous login .. it worked .. both conditions matched and the connection was dropped..
I read more about regular expressions and used .*\[microsoft\].* to cater for upper/lower case .. worked successfully..
I also tried the pattern "^anonymous$" for ftp-user .. which is supposed to match this exactly in a string .. but it did not work.. looking more into it
Ciao
kashif