Validating your rules – Symantec Critical System User Manual

114 Migrating to the latest version

Migrating legacy detection policy files

3. In the right pane, on the General tab, in the Name box, type a name for your
   detection policy. You might want to use a name that reflects the ruleset.

4. Click File > Save.

5. In the Save As dialog, select the folder that you created for converted
   policies, and then click Save As.

6. On the Outline tab, select Detection Rulesets in your new policy, click the
   Add icon, and then click Browse.

7. Expand the folder that contains your converted policy, select the converted
   ruleset that you want for your new policy, and then click Include.

8. Click File > Save All.

9. On the Library tab, expand the folder that you created, if it is not expanded,
   and then select the name of your new policy.
   The blue policy icon indicates an uncompiled policy.

10. Click Tools > Validate.

Validating your rules

In Symantec Host IDS and Symantec Intruder Alert, rules are not typed. In
Symantec Critical System Protection, every rule has a type (for example, Event
Log or Registry). When you validated your new policy, you confirmed only that
the initial conversion succeeded. You must now validate the rules themselves by
visual inspection, because the conversion routine used a best guess to determine
the type of each migrated rule. Check that each migrated rule has the correct
rule type and the correct select criteria.

The following rule types and items are parsed for select criteria:

Rule type    Items parsed for select criteria
Event Log    Windows event log .evt files
Text Log     User-specified text logs
Registry     User-specified registry keys
Filewatch    User-specified files and subdirectories
Syslog       Named pipe as specified in /etc/syslog.conf
WTMP         WTMP file on UNIX-based operating systems (and BTMP file on some
             operating systems)
Generic      All parsed items in all rules in all policies installed on an Agent
Error        Symantec Critical System Protection agent error messages
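Because the conversion routine only guesses each rule's type, a second opinion derived from the select criteria helps prioritise the visual inspection. The following script is an added example, not part of the manual or of the product: it assumes a constructed in-memory representation of migrated rules (name, assigned type, select criteria), not the product's policy file format, and its path heuristics for the rule types in the table above are assumptions, not Symantec's parsing logic.

```python
import re
from dataclasses import dataclass

# Heuristic mapping from select criteria to the rule types in the manual's
# table. Order matters: more specific patterns come before the generic
# Filewatch path match. These patterns are constructed assumptions.
TYPE_HINTS = [
    ("Event Log", re.compile(r"\.evt$", re.I)),                       # .evt files
    ("Registry",  re.compile(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\", re.I)),
    ("Syslog",    re.compile(r"^/etc/syslog\.conf$")),                 # named pipe config
    ("WTMP",      re.compile(r"/(wtmp|btmp)$", re.I)),                 # UNIX wtmp/btmp
    ("Text Log",  re.compile(r"\.(log|txt)$", re.I)),                  # user text logs
    ("Filewatch", re.compile(r"^([A-Z]:\\|/)", re.I)),                 # any other path
]

@dataclass
class MigratedRule:
    name: str
    assigned_type: str    # type chosen by the conversion routine's best guess
    select_criteria: str  # the file, key or source the rule watches

def suggest_type(criteria: str) -> str:
    """Return the rule type the select criteria most plausibly belong to.
    Generic (all parsed items) is the fallback; Error rules carry agent
    messages rather than a path and are not distinguishable here."""
    for rule_type, pattern in TYPE_HINTS:
        if pattern.search(criteria):
            return rule_type
    return "Generic"

def find_mismatches(rules):
    """Return (rule, suggested_type) for each rule whose assigned type
    disagrees with the heuristic; inspect these rules first."""
    return [(r, suggest_type(r.select_criteria)) for r in rules
            if suggest_type(r.select_criteria) != r.assigned_type]

# Constructed sample of migrated rules, not a real policy export.
SAMPLE_RULES = [
    MigratedRule("failed-logons", "Event Log", r"C:\Windows\System32\config\SecEvent.evt"),
    MigratedRule("run-key-change", "Filewatch", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    MigratedRule("su-attempts", "Text Log", "/var/log/wtmp"),
    MigratedRule("passwd-watch", "Filewatch", "/etc/passwd"),
    MigratedRule("syslog-pipe", "Syslog", "/etc/syslog.conf"),
]

if __name__ == "__main__":
    for rule, suggested in find_mismatches(SAMPLE_RULES):
        print(f"{rule.name}: assigned {rule.assigned_type}, criteria look like {suggested}")
```

A rule flagged here still needs to be opened and checked in the policy editor; the heuristic only orders the inspection, it does not replace it.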