Symantec Critical System Protection manual, page 115: Validating rule types and criteria

Migrating to the latest version

Migrating legacy detection policy files

You should also check the other migrated rule elements, such as patterns and actions, for accuracy. Note that OR'ing of select clauses is no longer supported, so a rule with OR'ed select clauses is split into multiple rules, one per select clause; check each of the resulting rules as well.

Some of the more advanced IDS policy features of Symantec Intruder Alert and Symantec Host IDS have not been carried forward to Symantec Critical System Protection, and the conversion utility does not migrate them.

Symantec did not implement the following Symantec Intruder Alert features:

OR'ing of selects within a rule

Select on another rule as a select or ignore criterion

Shared Action, which lets a user reuse the same action(s) in different policies or rules

Start and Cancel Timer actions

Pager Action

Symantec changed the following Symantec Intruder Alert features:

Select on System is changed because of architecture limitations.

Email and SNMP actions are implemented on the management server side rather than on the agent.

The Append to file action is limited to the local file system. Symantec Intruder Alert let you append to a file on another agent, for example c:\temp\log.txt@anotherITAgentname; that remote form is not supported in Symantec Critical System Protection.
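The split of OR'ed select clauses and the list of features that are not migrated or that changed are the things a practitioner wants to audit before and after running the conversion utility. The following is an added example, not Symantec code and not the conversion utility: it works on an assumed, simplified dict representation of a rule (the keys name, select_operator, selects, ignores and actions, and the action type names are all assumptions, since the real Symantec Intruder Alert policy file format is not shown on this page), mirrors the converter's OR split, and flags the unsupported or changed features listed above. The sample policy is constructed for the example.

```python
"""Pre-migration audit of legacy Intruder Alert style rules.

Added example, not a Symantec tool. It uses an ASSUMED, simplified dict
representation of a rule (name, select_operator, selects, ignores,
actions); the real Symantec Intruder Alert / Symantec Host IDS policy
file format is not parsed here.
"""
from copy import deepcopy

# Action types the page lists as not carried forward (ASSUMED type names).
UNSUPPORTED_ACTION_TYPES = {
    "shared_action": "Shared Action is not migrated",
    "start_timer": "Start Timer action is not migrated",
    "cancel_timer": "Cancel Timer action is not migrated",
    "pager": "Pager action is not migrated",
}


def split_or_selects(rule):
    """Mirror what the conversion utility does with OR'ed select clauses:
    return one rule per select clause, each keeping the original rule's
    ignore clauses and actions. A rule whose selects are AND'ed, or that
    has a single select, comes back unchanged as a one-element list."""
    selects = rule.get("selects", [])
    if rule.get("select_operator", "AND") != "OR" or len(selects) < 2:
        return [deepcopy(rule)]
    split = []
    for index, select in enumerate(selects, start=1):
        part = deepcopy(rule)
        part["name"] = f"{rule['name']}_{index}"  # ASSUMED naming scheme
        part["selects"] = [select]
        part["select_operator"] = "AND"
        split.append(part)
    return split


def audit_rule(rule):
    """Return findings for features the page says are not migrated or
    changed in Symantec Critical System Protection."""
    name = rule["name"]
    findings = []
    for clause in rule.get("selects", []) + rule.get("ignores", []):
        if clause.get("type") == "rule":
            findings.append(f"{name}: select/ignore on another rule "
                            f"({clause['value']}) is not migrated")
        elif clause.get("type") == "system":
            findings.append(f"{name}: Select on System changed in SCSP; "
                            f"re-check the criteria")
    for action in rule.get("actions", []):
        kind = action.get("type")
        if kind in UNSUPPORTED_ACTION_TYPES:
            findings.append(f"{name}: {UNSUPPORTED_ACTION_TYPES[kind]}")
        elif kind == "append_to_file" and "@" in action.get("path", ""):
            # path@agentname targets another agent's file system; SCSP's
            # Append to file is limited to the local file system.
            findings.append(f"{name}: append to remote file "
                            f"{action['path']} is not supported")
        elif kind in ("email", "snmp"):
            findings.append(f"{name}: {kind} action is now performed by "
                            f"the management server; re-check its settings")
    return findings


def audit_policy(rules):
    """Audit every rule; return (rules as the converter splits them, findings)."""
    migrated, findings = [], []
    for rule in rules:
        findings.extend(audit_rule(rule))
        migrated.extend(split_or_selects(rule))
    return migrated, findings


# Constructed sample policy for the example (not real Symantec data).
SAMPLE_RULES = [
    {
        "name": "FailedLogins",
        "select_operator": "OR",
        "selects": [
            {"type": "string", "value": "login failed"},
            {"type": "string", "value": "authentication failure"},
        ],
        "ignores": [{"type": "string", "value": "test-account"}],
        "actions": [{"type": "append_to_file",
                     "path": r"c:\temp\log.txt@anotherITAgentname"}],
    },
    {
        "name": "Escalation",
        "select_operator": "AND",
        "selects": [{"type": "rule", "value": "FailedLogins"}],
        "ignores": [],
        "actions": [{"type": "start_timer", "name": "t1"},
                    {"type": "pager", "number": "555-0100"}],
    },
    {
        "name": "DiskFull",
        "select_operator": "AND",
        "selects": [{"type": "system", "value": "disk>95%"}],
        "ignores": [],
        "actions": [{"type": "email", "to": "ops@example.com"}],
    },
]

if __name__ == "__main__":
    migrated, findings = audit_policy(SAMPLE_RULES)
    for rule in migrated:
        print(rule["name"], [s["value"] for s in rule["selects"]])
    for finding in findings:
        print("FINDING:", finding)
```

On the constructed policy the FailedLogins rule comes back as FailedLogins_1 and FailedLogins_2, each with one select clause and the same ignore clause and action, which is the shape to compare against the rules the conversion utility actually produced; the six findings point at the rule referencing another rule, the timer and pager actions, the remote append target, the Select on System criterion and the email action that now runs on the management server.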

Validating rule types and criteria

The policy conversion utility typically assigns the Generic rule type to migrated rules, so each rule's type and criteria should be verified against what the original rule was meant to detect.

See the Symantec Critical System Protection Policy Authoring Guide for complete details about rule types and criteria.

To validate rule types and criteria

1. On the Library tab, display your migrated rulesets.

2. Double-click a ruleset that contains the rules to validate.

3. On the Outline tab, click the Source icon.

4. Read the source code for each rule to discover the rule type to which it was converted, and note any rules that need to be changed.

5. In the right corner of the right pane, click the arrow icon.
