
Is there a SNORT decay rule in XG17 or at least a known list of false positives?

So in UTM 9 there was a SNORT decay rule, i.e. the ability to choose rules that were more than 6, 12, or 24 months old. Thus a user who was diligent in patching their system didn't have to rely on indefinite/total SNORT rules but could use only those that are, let's say, within the last 6 months. This allowed the user/admin to reduce the SNORT signature and thus reduce the false positive rate along with increasing the total bandwidth throughout the network...since, well, SNORT is heavy as FCK.

Hence my question: is there a way to decay SNORT rules, or at least have a list of known frequent false positives, since I am getting 100s of hits on stuff that I know is safe (using all the rules)?

 

Thank you.

 

P.S. I know this is posted in general, but if I were to post it in the IPS/IDS sub forum only a fraction of folks would see it. If Admins feel like this belongs there, then please feel free to move it.


