Symantec Critical System Network Card User Manual

114 Migrating to the latest version
Migrating legacy detection policy files
3 In the right pane, on the General tab, in the Name box, type a name for your detection policy.
You might want to use a name that reflects the ruleset.
4 Click File > Save.
5 In the Save As dialog, select the folder that you created for converted policies, and then click Save As.
6 On the Outline tab, select Detection Rulesets in your new policy, click the Add icon, and then click Browse.
7 Expand the folder that contains your converted policy, select the converted ruleset that you want for your new policy, and then click Include.
8 Click File > Save All.
9 On the Library tab, expand the folder that you created, if it is not expanded, and then select the name of your new policy.
The blue policy icon indicates an uncompiled policy.
10 Click Tools > Validate.
Validating your rules
In Symantec Host IDS and Symantec Intruder Alert, rules are not typed. In Symantec Critical System Protection, every rule has a type, such as Event Log or Registry. When you validated your new policy, you confirmed only that the initial conversion succeeded. You must now validate the rules themselves by visual inspection, because the conversion routine used a best guess to determine the type of each migrated rule. As a result, you need to check that each migrated rule has the correct rule type and the correct select criteria for that type.
The following rule types and items are parsed for select criteria:
Event Log: Windows event log .evt files
Text Log: User-specified text logs
Registry: User-specified registry keys
Filewatch: User-specified files and subdirectories
Syslog: Named pipe as specified in /etc/syslog.conf
WTMP: WTMP file on UNIX-based operating systems (and BTMP file on some operating systems)
Generic: All parsed items in all rules in all policies installed on an Agent
Error: Symantec Critical System Protection agent error messages
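Because the conversion routine only guesses each rule's type, the visual inspection above scales badly across many migrated rulesets. The following script is an added example, not part of this manual or of the Symantec product: it applies a few shape heuristics to a list of migrated rules and flags those whose select criterion does not look like the target its rule type parses, so that inspection effort goes to the likely mistakes first. The MigratedRule structure, the regular expressions, and the sample rules are all assumptions constructed for the example; the real policy file format is not shown on this page and the script does not read it.

```python
import re
from dataclasses import dataclass


@dataclass
class MigratedRule:
    """Hypothetical in-memory view of one migrated rule (constructed for this example)."""
    name: str
    rule_type: str
    select_criterion: str


# Heuristic shapes for the select criterion of each rule type that parses one.
# These patterns are assumptions for this example, not the product's own parser.
CRITERION_PATTERNS = {
    "Event Log": re.compile(r"\.evt$", re.IGNORECASE),            # Windows .evt log file
    "Text Log": re.compile(r"\.(log|txt)$", re.IGNORECASE),        # user-specified text log
    "Registry": re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.IGNORECASE), # hive-rooted registry key
    "Filewatch": re.compile(r"^([A-Za-z]:\\|/)"),                   # drive-letter or absolute UNIX path
    "Syslog": re.compile(r"^/"),                                    # named pipe path from /etc/syslog.conf
    "WTMP": re.compile(r"/(wtmp|btmp)$", re.IGNORECASE),            # wtmp/btmp accounting file
}

# Types that apply to all parsed items or to agent errors carry no per-rule target to check.
UNTARGETED_TYPES = ("Generic", "Error")


def check_rule(rule):
    """Return None if the criterion looks consistent with the rule type, else a reason string."""
    if rule.rule_type in UNTARGETED_TYPES:
        return None
    pattern = CRITERION_PATTERNS.get(rule.rule_type)
    if pattern is None:
        return f"unknown rule type {rule.rule_type!r}"
    if not pattern.search(rule.select_criterion):
        return f"criterion {rule.select_criterion!r} does not look like a {rule.rule_type} target"
    return None


def suggest_types(criterion):
    """List every rule type whose heuristic the criterion fits; several hits means it is ambiguous."""
    return [t for t, p in CRITERION_PATTERNS.items() if p.search(criterion)]


def find_suspect_rules(rules):
    """Return (name, reason, suggested types) for each rule that fails its consistency check."""
    suspects = []
    for rule in rules:
        reason = check_rule(rule)
        if reason is not None:
            suspects.append((rule.name, reason, suggest_types(rule.select_criterion)))
    return suspects


# Constructed sample: four migrated rules, one of which the converter typed wrongly.
SAMPLE_RULES = [
    MigratedRule("Failed logons", "Event Log", "Security.evt"),
    MigratedRule("Run key changes", "Registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    MigratedRule("SSH auth", "Registry", "/var/log/auth.log"),   # mis-typed: a log path, not a key
    MigratedRule("Agent errors", "Error", ""),
]

if __name__ == "__main__":
    for name, reason, suggestions in find_suspect_rules(SAMPLE_RULES):
        print(f"{name}: {reason}; candidate types: {', '.join(suggestions) or 'none'}")
```

A rule that passes the heuristic is not thereby correct (a "/var/log/wtmp" criterion typed as Filewatch passes, but WTMP is the type that parses it), so the output is a prioritised worklist for the visual inspection the manual requires, not a replacement for it.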