Validating rule types and criteria – Symantec Critical System User Manual

Page 115


Migrating to the latest version

Migrating legacy detection policy files

You should also check other migrated rule elements such as patterns and
actions for accuracy. Note that OR'ing of select clauses is no longer supported,
so rules with OR'ed select clauses are split into multiple rules. You should also
check this split for accuracy.

Some of the more advanced IDS policy features from Symantec Intruder Alert
and Symantec Host IDS have not been carried forward to Symantec Critical
System Protection, and are not migrated.

Symantec did not implement the following Symantec Intruder Alert features:

OR'ing of selects within a rule

Select on another Rule as select or Ignore criteria

Shared Action, which allows a user to reuse the same Action(s) in different
policies or rules

Start and Cancel Timer actions

Pager Action

Symantec changed the following Symantec Intruder Alert features:

Select on System is changed due to architecture limitations.

Email and SNMP actions are implemented on the management server side.

The Append to file action is limited to the local file system. With Symantec
Intruder Alert, you could specify a file on another agent as the target, for example
c:\temp\log.txt@anotherITAgentname.

Validating rule types and criteria

The policy conversion utility typically types migrated rules as Generic.

See the Symantec Critical System Protection Policy Authoring Guide for complete
details about rule types and criteria.

To validate rule types and criteria

1. On the Library tab, display your migrated rulesets.

2. Double-click a ruleset that contains the rules to validate.

3. On the Outline tab, click the Source icon.

4. Read the source code for each rule to discover the rule type to which it was
converted and note any rules that need to be changed.

5. In the right corner of the right pane, click the arrow icon.
