First thing you should know is that all signautres were not ment to be enabled simultainously. Some signatures are appropriate for your envioment and some are not (say you run a Lunix only shop). Some signatures have such a high false positive rate that they are essentially useless. Some signatures are actionable (meaning you can do somthing about it) others are not (like scans and recon sigs). You need to define what your goals of having a IPS are:
To generate pretty reports for management?
To investigate all your high severity events to clean up your infected hosts?
To "set it and forget it"?
Your goals will drive you toward an appropriate set of signatures and actions you wish enabled. As always, whatch your sensor load when you make changes, you don't want to overload that thing and start missing packets.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...