[Full-disclosure] detecting rogue processes

lsi stuart at cyberdelix.net
Mon Jan 22 13:42:39 GMT 2007


While I'm here - it seems a similar approach could be taken with 
process listings.  Any processes not on a list of known-good 
processes are flagged as intruders.

Does tripwire do this stuff?

Stu

---
Stuart Udall
stuart at at cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
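
The idea in the post above, sketched as an added example (not part of the original message, and not Tripwire code): entries from a `ps -eo pid,user,args`-style listing are compared against a known-good list keyed on (user, executable path) rather than on process name alone. The listing, the known-good set and the function names are constructed for illustration.

```python
# Constructed sample in the style of `ps -eo pid,user,args` output (not from the post).
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  412 root     /usr/sbin/sshd -D
  530 root     /usr/sbin/cron -f
  800 root     /usr/sbin/apache2 -k start
  801 www-data /usr/sbin/apache2 -k start
 1377 www-data /tmp/.x/sshd -D
 1502 stu      /bin/bash
 1519 www-data /bin/bash
"""

# Hypothetical baseline: (user, executable path) pairs recorded while the host was trusted.
KNOWN_GOOD = {
    ("root", "/sbin/init"),
    ("root", "/usr/sbin/sshd"),
    ("root", "/usr/sbin/cron"),
    ("root", "/usr/sbin/apache2"),
    ("www-data", "/usr/sbin/apache2"),
    ("stu", "/bin/bash"),
}


def parse_ps(text):
    """Turn the listing into dicts; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)  # pid, user, then the full command line
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        pid, user, args = parts
        rows.append({"pid": int(pid), "user": user,
                     "exe": args.split()[0], "args": args})
    return rows


def flag_unknown(rows, known_good):
    """Return every process whose (user, exe) pair is not in the baseline."""
    return [r for r in rows if (r["user"], r["exe"]) not in known_good]


if __name__ == "__main__":
    for r in flag_unknown(parse_ps(SAMPLE_PS), KNOWN_GOOD):
        print(f"UNKNOWN pid={r['pid']} user={r['user']} cmd={r['args']}")
```

The command column comes from the process's own argv, which the process controls, so a production check should take the executable path from the kernel (on Linux, the `/proc/<pid>/exe` link) and compare the file's hash against the baseline as well.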




Full-Disclosure is hosted and sponsored by Secunia.