I'm trying to figure out how to select signatures. I suppose one could just watch the alert chatter and disable or delete signatures that seem too noisy. Doesn't seem very secure.
I'd prefer to analyse the traffic that's triggering them, but if I only get, say, a dozen hits a day, how do I analyze that traffic? Sniffing doesn't seem too practical. Is there any way to set debugging or alerts to save/send the suspect packets? Alerts for packets out of order, long SMTP headers, might be benign, might not. How do I tell?
As they say in the military, never ask a question if you don't know what you'll do with the answer.