Hi John,

Yes, you can have a pre-defined white list of entries that change often.

A simple way is to create a local_rule ignoring these entries (on the server):

<group name="local">
  <rule id="100101" level="0">
    <if_sid>550, 551, 552, 553, 554</if_sid>
    <match>RegistryEntry1|Entry2|Entry3</match>
    <description>Events ignored</description>
  </rule>
</group>

Also, ossec will by default auto ignore files that change very often.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Dec 7, 2007 6:18 AM, Verlag Neue Stadt <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> we did not yet install OSSEC and therefore would like to know how the
> Windows Registry-monitoring does handle
> common changes in the Windows Registry...
>
> Is there a way to save/define allowed registry changes in a "predefined
> allowed registry changes"-list,
> or does OSSEC handle this challenge smarter?
>
>
> Thanks a lot for your feedback!
>
> John
>
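As an added example (not part of the thread above, and not OSSEC project code), the following Python script builds the level-0 local rule Daniel describes from a whitelist and then emulates the `<match>` semantics to check which syscheck alerts the rule would silence. Rule IDs 550-554 are the syscheck IDs from the post; the whitelist entries, the alert texts and the `ossec_match` emulation (substring test, `|` alternation, optional `^`/`$` anchors) are constructed assumptions for illustration, as is the `HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp` key. The point the emulation makes is that an unanchored `<match>` entry suppresses any syscheck alert whose text merely contains it, so prefix-anchoring an entry to one event type keeps, for instance, "key deleted" alerts for a key whose value changes are expected.

```python
"""Build an OSSEC local rule that ignores expected registry changes and
emulate <match> to see which sample syscheck alerts it would swallow.
Added example; whitelist entries and alert lines are constructed."""
import xml.etree.ElementTree as ET

# Syscheck rule IDs cited in the mailing-list reply (checksum changed,
# changed again, size decreased, deleted, added).
SYSCHECK_RULE_IDS = [550, 551, 552, 553, 554]

# Constructed whitelist. The first entry is unanchored and silences every
# syscheck event mentioning that key; the second is anchored with '^' so
# it only silences checksum-change alerts for the ExampleApp key.
WHITELIST = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed",
    r"^Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\LastRun",
]

# Constructed syscheck alerts (rule id plus message text); the message
# wording approximates OSSEC's syscheck output and is an assumption.
SAMPLE_ALERTS = [
    {"rule_id": 550, "message": r"Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed'"},
    {"rule_id": 550, "message": r"Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'"},
    {"rule_id": 550, "message": r"Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\LastRun'"},
    {"rule_id": 553, "message": r"File deleted. 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\LastRun'"},
    {"rule_id": 5402, "message": r"Successful sudo to ROOT executed (mentions Seed)"},
]


def build_local_rule(entries, rule_id=100101):
    """Render the level-0 <group name="local"> rule from the reply as XML."""
    group = ET.Element("group", name="local")
    rule = ET.SubElement(group, "rule", id=str(rule_id), level="0")
    ET.SubElement(rule, "if_sid").text = ", ".join(str(i) for i in SYSCHECK_RULE_IDS)
    ET.SubElement(rule, "match").text = "|".join(entries)
    ET.SubElement(rule, "description").text = "Events ignored"
    return ET.tostring(group, encoding="unicode")


def ossec_match(pattern, text):
    """Emulate OSSEC <match> (assumption: plain substring alternatives
    separated by '|', with optional '^' start and '$' end anchors; not a
    full regular expression, which is what <regex> is for)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt[1:] if anchored_start else alt
        core = core[:-1] if anchored_end else core
        if not core:
            continue  # an empty alternative would match everything; skip it
        if anchored_start and anchored_end:
            hit = text == core
        elif anchored_start:
            hit = text.startswith(core)
        elif anchored_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def would_ignore(alert, entries):
    """True if the local rule (if_sid on syscheck IDs + match) fires,
    i.e. the alert is downgraded to level 0 and dropped."""
    if alert["rule_id"] not in SYSCHECK_RULE_IDS:
        return False
    return ossec_match("|".join(entries), alert["message"])


def surviving_alerts(alerts, entries):
    """Alerts that still reach the analyst after the whitelist is applied."""
    return [a for a in alerts if not would_ignore(a, entries)]


if __name__ == "__main__":
    print(build_local_rule(WHITELIST))
    for a in SAMPLE_ALERTS:
        print("IGNORED " if would_ignore(a, WHITELIST) else "ALERT   ", a["rule_id"], a["message"])
```

Running the script shows that the RNG seed alert and the anchored ExampleApp checksum alert are ignored, while the deletion of the ExampleApp key, the unrelated Run key change and the non-syscheck rule 5402 still alert. Write the generated XML into local_rules.xml on the server and restart the OSSEC processes for it to take effect.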
