+
+ <rule id="594" level="5">
+ <category>ossec</category>
+ <if_sid>550</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed</description>
+ </rule>
+
+ <rule id="595" level="5">
+ <category>ossec</category>
+ <if_sid>551</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+ </rule>
+
+ <rule id="596" level="5">
+ <category>ossec</category>
+ <if_sid>552</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+ </rule>
+
+ <rule id="597" level="5">
+ <category>ossec</category>
+ <if_sid>553</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+ </rule>
+
+ <rule id="598" level="5">
+ <category>ossec</category>
+ <if_sid>554</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Added to the System</description>
+ </rule>
+
+<!-- active response rules
+Example:
+Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+ <rule id="600" level="0">
+ <decoded_as>ar_log</decoded_as>
+ <description>Active Response Messages Grouped</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="601" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>add</status>
+ <description>Host Blocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="602" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="603" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>add</status>
+ <description>Host Blocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="604" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="605" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>add</status>
+ <description>Host Blocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="606" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="700" level="0">
+ <category>ossec</category>
+ <decoded_as>ossec-logcollector</decoded_as>
+ <description>Logcollector Messages Grouped</description>
+ </rule>
+
+ <rule id="701" level="0">
+ <if_sid>700</if_sid>
+ <match>INFO: </match>
+ <description>Ignore informational messages (usually at startup)</description>
+ </rule>
+