Hello everyone,
I just completed adding support for monitoring the Windows registry on ossec. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).

The configuration will have the following options available (inside the syscheck area):

  <windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software, HKEY_USERS\Example</windows_registry>
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>

where the first option is a list (comma separated) of registry entries to monitor and the second is a list of entries to ignore.

A question now for you guys (Windows users):

- Which registry entries should we monitor by default? I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM. Is there anything else worth checking too?

Please let me know your comments...

*btw, next version (1.0) is coming soon...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
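The following is an added example, not code from OSSEC or from the post above. It models the monitor/ignore semantics the post describes (a comma-separated list of keys to watch, a list of subtrees to skip, and an integrity baseline that is compared against a later scan) on an in-memory registry snapshot, so it runs on any OS. All key paths and values are constructed sample data; the prefix-matching rules (case-insensitive, component boundary, ignore wins over monitor) are this example's assumptions about how such options should behave, not a statement about the ossec implementation.

```python
"""Syscheck-style registry integrity check: snapshot, compare, report.

Added example, not OSSEC's code. Registry data is an in-memory snapshot
(key path -> {value name: data}); all paths and values are constructed.
"""
import hashlib
import json


def parse_list(text):
    """Split a comma-separated option value into entries, tolerating spaces."""
    return [e.strip() for e in text.split(",") if e.strip()]


def _norm(path):
    # Registry key names are case-insensitive; compare without trailing slashes.
    return path.strip("\\").lower()


def under(key, prefix):
    """True if key equals prefix or lies beneath it (component boundary, not a substring match)."""
    k, p = _norm(key), _norm(prefix)
    return k == p or k.startswith(p + "\\")


def in_scope(key, monitored, ignored):
    """A key is watched if it is under a monitored entry and not under an ignored entry."""
    if any(under(key, i) for i in ignored):
        return False
    return any(under(key, m) for m in monitored)


def fingerprint(values):
    """Stable hash of a key's values; sort_keys makes value order irrelevant."""
    blob = json.dumps(values, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def snapshot(registry, monitored, ignored):
    """Map each in-scope key path to the fingerprint of its values."""
    return {k: fingerprint(v) for k, v in registry.items()
            if in_scope(k, monitored, ignored)}


def compare(baseline, current):
    """Diff two snapshots; returns (event, key) tuples sorted by key."""
    events = []
    for key in sorted(set(baseline) | set(current), key=str.lower):
        if key not in current:
            events.append(("removed", key))
        elif key not in baseline:
            events.append(("added", key))
        elif baseline[key] != current[key]:
            events.append(("modified", key))
    return events


# Option values exactly as they appear in the post's config snippet.
MONITORED = parse_list(r"HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software, HKEY_USERS\Example")
IGNORED = parse_list(r"HKEY_LOCAL_MACHINE\Software\Microsoft")

# Constructed key paths (hypothetical services and autorun locations).
SVC_FOO = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Foo"
SVC_EVIL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Evil"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VENDOR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App"
USER_RUN = r"HKEY_USERS\Example\Software\Microsoft\Windows\CurrentVersion\Run"
UNWATCHED = r"HKEY_CURRENT_USER\Software\Unwatched"

# Constructed "before" and "after" registry contents.
BASELINE_REG = {
    SVC_FOO: {"ImagePath": r"C:\Program Files\Foo\foo.exe", "Start": 2},
    HKLM_RUN: {"Updater": r"C:\Program Files\Upd\upd.exe"},
    VENDOR: {"Version": "1.0"},
    USER_RUN: {},
    UNWATCHED: {"Flag": 1},
}
CURRENT_REG = {
    SVC_FOO: {"ImagePath": r"C:\Users\Public\foo.exe", "Start": 2},   # service binary swapped
    SVC_EVIL: {"ImagePath": r"C:\Users\Public\svc.exe", "Start": 2},  # new service key
    HKLM_RUN: {"Updater": r"C:\Users\Public\u.exe"},                  # changed, but under registry_ignore
    VENDOR: {"Version": "1.0"},                                        # unchanged
    USER_RUN: {"Persist": r"C:\Users\Public\p.exe"},                   # new autorun value in a watched hive
    UNWATCHED: {"Flag": 2},                                            # changed, not in windows_registry
}


def run_example():
    """Baseline the constructed registry, rescan, and return the change events."""
    base = snapshot(BASELINE_REG, MONITORED, IGNORED)
    cur = snapshot(CURRENT_REG, MONITORED, IGNORED)
    return compare(base, cur)


if __name__ == "__main__":
    for event, key in run_example():
        print(f"{event:9s} {key}")
```

Two details worth noting: the ignore list is checked before the monitor list, so HKEY_LOCAL_MACHINE\Software\Microsoft stays quiet even though HKEY_LOCAL_MACHINE as a whole is monitored, and the prefix match stops at a backslash boundary, so an ignore entry for ...\Software\Microsoft does not also silence a key named ...\Software\MicrosoftX, nor a Microsoft subtree under a different hive such as HKEY_USERS\Example.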