Jake,

Please refer to the recent archive thread "Re: active-response rules for
blocking multiple BIND Query cache denied events".

The OSSEC response depends upon how you have your BIND logging set up. You
might not need a new decoder if you log queries to the syslog, but you
will need local rules similar to what I have provided there.


