I am in the process to document all ossec rules at the project’s wiki. We currently have 402 rules and I just finished beta-documenting all apache and arpwatch ones. My main goal is to provide for each rule a simple explanation, false positives causes and some sample logs… Since this is a manual task, I am inviting all ossec users to help me out with that. Just go to the rules index page and choose one that is not documented yet. For a simple example, go to the rule 30108.