Looking at the security log each day or more often, we block IPs that are doing malicious things. Obviously, there are a fair number of countries blocked, but we have single IPs in the block list too. How many are too many? (We have a 450 MX.)
Also, how do you decide to enable Snort rules that are not enabled by default?