Whitelisting of rules is part of a process named "IPS tuning". Typically it is done (not a complete list) when a rule causes a false positive and/or processing the rule is a waste of resources because it is not relevant in the environment. All whitelisted rules, the same as with firewall rules, should be evaluated from time to time to see if they are still implemented correctly. At least I have seen lots of whitelisting that was added when troubleshooting problems. Based on "oh, there is an event in the IPS dashboard, let's disable this rule", the rule was disabled, but regardless of whether this was the problem or not, the whitelisting stayed in the config. Given that the MX-IPS is meant to be more or less a "black box" without extensive tuning possibilities, I would look up the rules in the Snort documentation and enable them if it is likely that they will not harm you. Another approach (but with more risk): switch from Prevention to Detection and delete the whitelist. If no events show up, you can go back to Prevention. If events still show up, it will get harder if it is traffic that is needed for operation. But then, there are no easy rules on how to proceed.