So you override the default actions for those severities? I have that configuration in place in some places, but the way the default actions were described to me by an SE from Palo Alto got me thinking about that approach. He said something to the effect that the default action is evaluated very differently than severity: they are basically set based on confidence that there will be no false positives. Another example he gave was the POODLE signature, which simply detected any SSLv3, which you certainly wouldn't want to block, particularly at that time. Granted, that was an informational signature, not medium or higher, but you can filter the Vulnerability Protection signatures with '( severity contains 'critical' ) and ( action contains 'alert' )' and see 1704 signatures (over 1/10th) where the default action is alert (and one where it is allow). Do you even alert below medium? All I have investigated in those severities have ended up on our whitelist so far.
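The check the post describes, counting how many signatures at a given severity ship with a non-blocking default action and listing exactly which ones a per-severity override would flip to blocking, can be run offline against an export of the signature list. The script below is an added example and is not code from the post or from Palo Alto Networks; the CSV column names (ID, Name, Severity, Default Action, Category) and the sample rows are constructed assumptions, so adapt `parse_export` to whatever columns your export actually has.

```python
"""Audit a threat-signature export for default actions that an
override-by-severity profile rule would change.

Added example, not from the original post.  The CSV layout and the sample
rows below are constructed for illustration; real exports may differ.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample resembling an exported signature list (not real data).
SAMPLE_EXPORT = """\
ID,Name,Severity,Default Action,Category
30001,Example Remote Code Execution,critical,reset-both,code-execution
30002,Example Command Injection,critical,alert,code-execution
30003,Example SSLv3 Usage Detected,informational,alert,info-leak
30004,Example Directory Traversal,high,reset-server,info-leak
30005,Example Brute Force Login,medium,alert,brute-force
30006,Example Suspicious Header,low,allow,info-leak
"""

SEVERITIES = ("critical", "high", "medium", "low", "informational")
# Default actions that do not stop the session; blocking overrides change these.
NON_BLOCKING = {"alert", "allow"}


def parse_export(text):
    """Parse CSV text into a list of dicts with normalised, lower-cased fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["ID"].strip(),
            "name": row["Name"].strip(),
            "severity": row["Severity"].strip().lower(),
            "default_action": row["Default Action"].strip().lower(),
            "category": row["Category"].strip().lower(),
        })
    return rows


def default_action_summary(rows):
    """Return {severity: Counter({default_action: count})}.

    Equivalent to running the GUI filter once per severity/action pair,
    so the share of e.g. critical signatures shipped as alert-only is
    visible at a glance.
    """
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["severity"]][r["default_action"]] += 1
    return dict(summary)


def alert_fraction(rows, severity):
    """Fraction of signatures at `severity` whose default action is alert or allow."""
    at_sev = [r for r in rows if r["severity"] == severity]
    if not at_sev:
        return 0.0
    return sum(r["default_action"] in NON_BLOCKING for r in at_sev) / len(at_sev)


def flipped_by_override(rows, override):
    """List signatures whose behaviour changes under a severity->action override.

    `override` maps a severity to the action a profile rule would enforce,
    e.g. {"critical": "reset-both", "high": "reset-both"}.  A signature is
    reported when the vendor default is non-blocking but the override would
    block it; that is the set to review for false positives (the POODLE /
    SSLv3 case from the post is the archetype) before committing the rule.
    """
    flipped = []
    for r in rows:
        wanted = override.get(r["severity"])
        if wanted is None or wanted in NON_BLOCKING:
            continue
        if r["default_action"] in NON_BLOCKING:
            flipped.append((r["id"], r["name"], r["severity"],
                            r["default_action"], wanted))
    return flipped


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    summary = default_action_summary(rows)
    for sev in SEVERITIES:
        print(f"{sev:14s} {dict(summary.get(sev, {}))}  "
              f"non-blocking share={alert_fraction(rows, sev):.0%}")
    for item in flipped_by_override(rows, {"critical": "reset-both",
                                           "high": "reset-both"}):
        print("would start blocking:", item)
```

Run it against a real export to get the list of signatures an override would turn from alert into a reset, then decide per signature (or per category) whether to keep the override, exempt the signature, or leave the vendor default in place.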