There's an Add button at the top left-hand corner to create a new rule:
​

…or the Copy button along the right-hand side of the Rules tab that will make an editable copy of any of the default rules. You can customize the copy and disable the default if that fits your environment better.

No you cannot edit the rules sets that are there, but you can make your own.

The reason the default rules were made static is updating the rules regularly was nearly impossible trying to determine how to update if the rules were changed. It's better to have regular updates to the rules than the previous model. Like others have said, you can clone the rule and make your edits there.

I don't think I explained my issue quite right. So in the signatures tab, each signature belongs to a specific classtype. The rules reference the classtypes and applies the recommended action for the specific rule (enable block, enable log, etc.). For example, the classtype "attempted-admin" currently contains 1644 signatures. Each signature has a recommended action and a rule action. Some signatures, the recommended action and the rule action are disabled. Others, the recommended action is log and the rule action is block. Signatures can have any combination of recommended and rule actions. The rules defined in the rules tab looks at a specific classtype and applies the rule action based on the signature's rule action.

If I am understanding how it all works, lets say for the sake of argument that traffic on the network matches the signature ET WEB_CLIENT Apple Quicktime RTSP Overflow (1), but I don't have any web browsers in my environment with Apple Quicktime plugin. Since the rule action is blocked and the Recommended action is Log (not disable) and because I have the Critical Priority rule enabled, this traffic will be blocked. The two screenshots below look at the signature I mentioned and the rule in which this signature will be applied if a match occures.

​
​
So the question then is since the predefined rules are generic, you are saying that I can disable these rules and write my own and create them more specific to my environment. But what is the best method for ensuring that the rules that will be checked are only those for things I have in my envrionment? The choices for the rule to check specific conditions are shown in the screenshot below:



Making a rule by classtype by the examples shown above would create a generic rule to process anything that matches the specific conditions in the rule. I wouldn't know the signature identifier, but I suppose I could write ones on specific ports used by a device or a protocol, or maybe even the contents of the message contain something that matches a device or software I'm using, or even write a custom signature, which is cool that this is an option.

I hope this makes sense what I am trying to do. And thank you all for taking the time to read this! ​
​​

I to have this same question. I get a lot of the false positives and right now the only way I have to get around it is to create rules above 1 by 1 that whitelist the false positive. I was assuming I'd just be able to go in and modify the signature itself rather than creating rules to whitelist the false positives. I can't help but think I'm missing something here.