Just use an OR gate like this:
Rule 1 (SigID + Source IP + Source User)
Rule 2 (SigID + Source IP)
Thank You, this would work if I had a finite list of SigIDs.
Unfortunately we are dealing with a very high volume environment and more than one Signature will often trigger on one Field.
However, I did find a work around last week.
In my case I added a Normalization filter Authentication for the rule that filter out users.
and Not Authentication for all else.
this effectively made sure that only SigIDs with username fields are filtered against that rule. A bit hacky but it works