Last month I did a presentation about OSSEC for the Ottawa security group and showed some custom rules that I have been using for a while (to monitor MSN usage, internal HTTP user agents, etc.). The core of the presentation starts at slide 11, if you want to skip through the definitions of HIDS, OSSEC, etc.