Try a "|" character after "Services", like <match>Services|</match> or <match>Services|Enum|BITS</match>

Ash

On May 20, 11:29 am, B/K Walker <[email protected]> wrote:
> So, I've got this rule:
>
> <rule id="100008" level="0">
>   <if_sid>550,551,552</if_sid>
>   <match>Services</match>
>   <match>Enum|BITS</match>
>   <description>Ignoring innocuous registry changes</description>
> </rule>
>
> However it fails to catch this:
>
> Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
> Portion of the log(s):
>
> Integrity checksum changed for:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fvevol\Enum'
>
> As far as I know this should work?
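As an added illustration (not code from the thread and not OSSEC's own code), the Python below models how a `<match>` pattern with `|` alternation decides whether a syscheck registry alert is suppressed, using the rule id, `if_sid` values and the log line quoted above plus a few constructed key paths. It assumes `<match>` is a case-sensitive substring test where `|` separates alternatives; the `requires_all` helper is hypothetical and only shows what an AND of the two original `<match>` lines would have meant.

```python
# Toy model of OSSEC-style <match> evaluation for a FIM (syscheck) registry alert.
# Constructed example; it is not OSSEC source and only assumes <match> semantics.

# Parent rule 552 fires at level 7 before any child rule is considered (from the thread).
PARENT_LEVEL = 7


def ossec_match(pattern: str, line: str) -> bool:
    """Substring match where '|' separates alternatives (assumed <match> semantics).
    In this model an empty alternative, e.g. from a trailing '|', matches every line."""
    return any(alt in line for alt in pattern.split("|"))


def effective_level(rule: dict, parent_sid: int, line: str) -> int:
    """Level the event ends up with: the child rule's level if it applies, else the parent's."""
    if parent_sid in rule["if_sid"] and ossec_match(rule["match"], line):
        return rule["level"]
    return PARENT_LEVEL


# The thread's rule with the alternation suggested in the reply.
IGNORE_RULE = {
    "id": 100008,
    "level": 0,
    "if_sid": {550, 551, 552},
    "match": "Services|Enum|BITS",
}

# Constructed syscheck lines; the first is the one quoted in the thread.
SAMPLE_LOGS = {
    "enum_key": "Integrity checksum changed for: "
                r"'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fvevol\Enum'",
    "bits_key": "Integrity checksum changed for: "
                r"'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Parameters'",
    "imagepath_key": "Integrity checksum changed for: "
                     r"'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fvevol\ImagePath'",
    "run_key": "Integrity checksum changed for: "
               r"'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'",
}


def triage(rule: dict = IGNORE_RULE, logs: dict = SAMPLE_LOGS) -> dict:
    """Map each constructed log line to the level it would keep under the ignore rule."""
    return {name: effective_level(rule, 552, line) for name, line in logs.items()}


def requires_all(groups: list, line: str) -> bool:
    """Hypothetical helper: every group must match (AND of ORs). This is what the two
    separate <match> lines in the original rule read as; <match> itself has no AND,
    so OSSEC would need <regex> or a chained child rule to express it."""
    return all(ossec_match(g, line) for g in groups)


if __name__ == "__main__":
    for name, level in triage().items():
        print(f"{name:14s} -> level {level} ({'ignored' if level == 0 else 'alerts'})")
    print("AND-of-groups on ImagePath key:",
          requires_all(["Services", "Enum|BITS"], SAMPLE_LOGS["imagepath_key"]))
```

Running it shows the trade-off behind the suggested pattern: `Services|Enum|BITS` quiets the `fvevol\Enum` change, but because `Services` is one of the alternatives it also quiets every other key under `Services`, including an `ImagePath` value, while an unrelated `Run` key still alerts at level 7. A trailing `|` produces an empty alternative that, in this model, matches every line, so it is worth confirming with ossec-logtest how the real matcher treats `Services|` before relying on it.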
