Following the "success" of the online logtest, I decided to write a rule creator online. You paste the alert (from alerts.log or the one you get by email) and it will create a rule for you.
Link: http://sucuri.net/index.php?page=docs&title=ossecrules

Example: pasting my last email alert:

    OSSEC HIDS Notification.
    2009 Jun 04 11:36:20

    Received From: agentgentoo->/var/log/messages
    Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
    Portion of the log(s):

    10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php 33 HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"

I get:

    Suggested rule:

    <rule id="100301" level="0">
      <if_sid>31151</if_sid>
      <description>OSSEC rule online. set your description and severity.</description>
    </rule>

    Additional options you can use:

    <hostname>agentgentoo->/var/log/messages</hostname>
    <match>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</match>
    <regex>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</regex>
    <srcip>10.20.1.2</srcip>
    <url>/foo.php</url>
    <id>404</id>

--dd
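As an added illustration of what the rule creator does (not the tool's own code, which the post does not show), the Python below parses an alert in the e-mail format quoted above and emits a child rule of the parent signature, narrowed by the fields OSSEC decoded from the log. The sample alert is constructed from the one in the post; the element names follow OSSEC's rule syntax (if_sid, srcip, url, id) and the local rule id 100301 is the one the tool suggested.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample alert, in the shape of the e-mail alert quoted in the post.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2009 Jun 04 11:36:20

Received From: agentgentoo->/var/log/messages
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
"""

# Header of an OSSEC alert: origin (agent->file), parent rule id, level, log excerpt.
ALERT_RE = re.compile(
    r'Received From: (?P<location>\S+)\s+'
    r'Rule: (?P<sid>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"\s+'
    r'Portion of the log\(s\):\s+(?P<log>\S.*)', re.S)
# Apache access-log line: client ip, requested URL and HTTP status code.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+)[^"]*" (?P<id>\d{3}) ')

def parse_alert(text):
    """Return the fields OSSEC exposes for this alert; raise if it is not an alert."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("not an OSSEC alert")
    info = m.groupdict()
    info["log"] = info["log"].strip().splitlines()[0]   # first line of the excerpt
    fields = ACCESS_RE.match(info["log"])
    if fields:                                           # web log: add srcip/url/id
        info.update(fields.groupdict())
    return info

def suggest_rule(info, new_id=100301, level=0, narrow=("srcip", "url", "id")):
    """Build a child rule of the parent signature. Level 0 silences matches, so the
    narrowing fields are what keep such a rule from muting the parent entirely."""
    lines = ['<rule id="%d" level="%d">' % (new_id, level),
             '  <if_sid>%s</if_sid>' % info["sid"]]
    for tag in narrow:
        if info.get(tag):
            lines.append('  <%s>%s</%s>' % (tag, escape(info[tag]), tag))
    lines.append('  <description>Child of rule %s: set your description and severity.'
                 '</description>' % info["sid"])
    lines.append('</rule>')
    return "\n".join(lines)

if __name__ == "__main__":
    print(suggest_rule(parse_alert(SAMPLE_ALERT)))
```

The raw log line is deliberately not turned into a match or regex element, since those use OSSEC's own pattern syntax and a verbatim access-log line would need escaping first.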
