Migrating to the latest version
Migrating legacy detection policy files
3. In the right pane, on the General tab, in the Name box, type a name for your detection policy.
   You might want to use a name that reflects the ruleset.
4. Click File > Save.
5. In the Save As dialog, select the folder that you created for converted policies, and then click Save As.
6. On the Outline tab, select Detection Rulesets in your new policy, click the Add icon, and then click Browse.
7. Expand the folder that contains your converted policy, select the converted ruleset that you want for your new policy, and then click Include.
8. Click File > Save All.
9. On the Library tab, expand the folder that you created, if it is not expanded, and then select the name of your new policy.
   The blue policy icon indicates an uncompiled policy.
10. Click Tools > Validate.
Validating your rules
In Symantec Host IDS and Symantec Intruder Alert, rules are not typed. In Symantec Critical System Protection, every rule has a type (for example, Event Log or Registry). When you validated your new policy, you verified only that the initial conversion succeeded. You must now validate the rules themselves by visual inspection, because the conversion routine used a best guess to determine the type of each migrated rule. Check that each migrated rule has the correct rule type and the correct select criteria.
The following rule types and items are parsed for select criteria:
Rule type | Items parsed for select criteria
Event Log | Windows event log .evt files
Text Log  |
Registry  |
Filewatch |
Syslog    | Named pipe as specified in /etc/syslog.conf
WTMP      | WTMP file on … operating systems)
Generic   | All parsed items in all rules in all policies installed on an Agent
Error     | Symantec Critical System Protection agent error messages