Tuesday, September 19, 2006

Q: I'm getting a lot of false positives on a rule from particular systems. How do I eliminate these without disabling the rule entirely?

A:
Use rule suppression to eliminate known false positives from particular hosts without turning the rule off. Go to Policy & Response // Intrusion Sensor // Detection & Prevention and edit your policy. Choose "suppression" as the item to edit. In the suppression dialog, you can select any rule using a radio button; when you do, the suppression settings you have already set for that rule are shown in the textarea at the top. You can suppress alerts from that rule based on either the source IP address or the destination IP address. The result is that the rule stays enabled for that policy but generates no alerts whenever the source or destination IP matches what you entered in the suppression dialog; traffic from every other host still triggers the rule as before.
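As an added example (not from the original post, and not the Sourcefire product's own code), here is the matching behaviour described above applied to constructed alerts: a suppression entry is scoped to one rule, tracks either the source or the destination address, and leaves alerts from all other hosts and all other rules untouched. The entries use the syntax of Snort's `suppress` directive from threshold.conf; whether the dialog's textarea uses that exact syntax is an assumption, and the rule ids and addresses are made up.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

class Alert(NamedTuple):
    gid: int
    sid: int
    src: str
    dst: str

class Suppression(NamedTuple):
    gid: int
    sid: int
    track: Optional[str]   # "by_src", "by_dst", or None (rule silenced for all hosts)
    networks: tuple        # ip_network objects the tracked address is checked against

# Snort threshold.conf form, e.g.
#   suppress gen_id 1, sig_id 2003, track by_src, ip [10.1.1.54,10.1.2.0/24]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

def parse_suppress(line: str) -> Suppression:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress directive: {line!r}")
    gid, sid, track, ips = m.groups()
    nets = tuple(ipaddress.ip_network(n, strict=False)
                 for n in ips.strip("[]").split(",")) if ips else ()
    return Suppression(int(gid), int(sid), track, nets)

def is_suppressed(alert: Alert, rules: List[Suppression]) -> bool:
    for s in rules:
        if (s.gid, s.sid) != (alert.gid, alert.sid):
            continue               # suppression applies to one rule only
        if s.track is None:
            return True            # no track clause: equivalent to disabling the rule
        addr = ipaddress.ip_address(alert.src if s.track == "by_src" else alert.dst)
        if any(addr in net for net in s.networks):
            return True
    return False

def filter_alerts(alerts: List[Alert], rules: List[Suppression]) -> List[Alert]:
    return [a for a in alerts if not is_suppressed(a, rules)]

# Constructed data: rule 1:2003 is noisy from one scanner and toward one subnet.
SUPPRESSIONS = [parse_suppress(l) for l in [
    "suppress gen_id 1, sig_id 2003, track by_src, ip 10.1.1.54",
    "suppress gen_id 1, sig_id 2003, track by_dst, ip [192.168.5.0/24,192.168.6.10]",
]]
ALERTS = [
    Alert(1, 2003, "10.1.1.54", "172.16.0.9"),    # suppressed: known source
    Alert(1, 2003, "10.1.1.55", "172.16.0.9"),    # fires: other source, same rule
    Alert(1, 2003, "10.9.9.9", "192.168.5.20"),   # suppressed: destination in subnet
    Alert(1, 2004, "10.1.1.54", "172.16.0.9"),    # fires: different rule, same host
]
```

Running `filter_alerts(ALERTS, SUPPRESSIONS)` keeps only the second and fourth alerts, which is the behaviour the answer describes: the host is quieted for one rule, not for the sensor as a whole.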
