I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
1. It will take a long time.
2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.