I would like to be able to detect the creation of directories only under
c:\Documents and Settings or c:\Users to detect when a new user profile is
created on a system.
I have done the mandatory enabling of <auto_ignore>yes</auto_ignore>,
<alert_new_files>yes</alert_new_files>
and the rule
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>Documents and Settings</match>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
However, I do not want alerts on all files that get created under these
locations for obvious reasons. Is there a more elegant solution?
Ash
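The problem with a plain <match> on the path prefix is that it fires for every entry at any depth. The property that distinguishes "a new profile appeared" from "a file was written inside a profile" is depth: the new entry is a direct child of the profile root. The following Python is an added example (not from the post or from OSSEC) that applies that depth check to syscheck new-entry alert text. It assumes the alert message has the shape `New file '<path>' added to the file system.`; the sample alert lines are constructed for the example, not taken from a real installation.

```python
import re
from typing import List, Optional

# Profile roots of interest. Windows paths are compared case-insensitively.
PROFILE_ROOTS = (
    r"c:\users",
    r"c:\documents and settings",
)

# Assumed shape of a syscheck new-entry alert message (see lead-in).
NEW_ENTRY_RE = re.compile(r"New file '(?P<path>[^']+)' added to the file system")


def new_entry_path(message: str) -> Optional[str]:
    """Extract the path from a syscheck new-entry message, or None for other alerts."""
    m = NEW_ENTRY_RE.search(message)
    return m.group("path") if m else None


def profile_dir_created(path: str) -> Optional[str]:
    """Return the profile name if `path` is a direct child of a profile root.

    Anything deeper (NTUSER.DAT, AppData\\..., etc.) or outside the roots returns None,
    which is exactly the noise the prefix-only <match> rule cannot suppress.
    """
    norm = path.replace("/", "\\").rstrip("\\")
    for root in PROFILE_ROOTS:
        prefix = root + "\\"
        if norm.lower().startswith(prefix):
            rest = norm[len(prefix):]
            # One remaining component and no further separator: a top-level entry.
            if rest and "\\" not in rest:
                return rest
    return None


def profile_alerts(messages: List[str]) -> List[str]:
    """Names of profiles whose top-level directory appears as a new entry."""
    found = []
    for msg in messages:
        path = new_entry_path(msg)
        if path is None:
            continue
        name = profile_dir_created(path)
        if name is not None:
            found.append(name)
    return found


# Constructed sample alert lines for this example (not real OSSEC output).
SAMPLE_ALERTS = [
    "New file 'C:\\Users\\alice' added to the file system.",
    "New file 'C:\\Users\\alice\\NTUSER.DAT' added to the file system.",
    "New file 'C:\\Users\\alice\\AppData\\Local\\Temp\\x.tmp' added to the file system.",
    "New file 'C:\\Documents and Settings\\bob' added to the file system.",
    "New file 'C:\\Windows\\Temp\\setup.log' added to the file system.",
    "Integrity checksum changed for: 'C:\\Users\\alice\\NTUSER.DAT'",
]

if __name__ == "__main__":
    for name in profile_alerts(SAMPLE_ALERTS):
        print("new profile directory:", name)
```

Of the six constructed lines only `alice` and `bob` are reported; the deeper files under the profile and the unrelated path under C:\Windows are dropped by the depth check rather than by a growing list of per-file exceptions. The same "direct child of the root" condition is what a tighter rule would need to express on the path instead of a bare substring match.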