Just wanted to get an idea of what others thought about signatures that are enabled by default with an action.
In our environment we've already seen a few false positives but we have all signatures set for "alert only" for now. We got hit by the ASA normalizer and the MSS Exceeded event so I wanted to make sure we didn't get hit when we enabled the AIP-SSMs.
Having signatures enabled with actions set in theory gives more immediate protection, but it stops us from being able to run auto updates effectively because we prefer to test signatures for false positives for a few days at least before configuring for drop/reset.
So in my case I'd like to see any drop/block/reset actions set on by default. That would allow me to update my signatures via SCP on a timely basis and not have to be here to turn off any actions.
Am I the lone minority on this, and how do others handle sig updates? We are a small team and anything we can automate is a huge plus.