Set your HIPS IPS Protection policy to log informational on those servers (or create a group to place those servers in and set the group to log informational) and modify the signature values to be informational. Doing this, you can then create a query to review the specific signature fires on that group or servers. You will see what signatures would impact the servers' performance and make the decision whether you want to turn the signature up to a blocking value. If I recall, one of them is quite noisy, but I have seen a number of them turned on with no negative impact.
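A worked version of the review step described above, added here as an example and not part of the thread or of McAfee's product: it takes an export of signature fires from the review group, counts fires per signature and per host, and flags each signature as noisy, a candidate for a higher reaction level, or silent. The CSV column layout, the signature ids and names, the host names and the `noisy_per_host` threshold are all constructed assumptions, not McAfee's native export format or real signature ids.

```python
"""Triage HIPS signature fires that were logged at an informational level.

Assumed: the signature fires for the review group were exported from an
ePO query to a CSV with the columns
    timestamp,host,signature_id,signature_name,severity,process
This column layout, the rows below, the signature ids/names and the host
names are constructed for this example; they are not McAfee's native
export format or real signature ids.
"""
import csv
import io

# Constructed sample export: three web servers in the review group.
SAMPLE_EXPORT = """\
timestamp,host,signature_id,signature_name,severity,process
2024-03-01T10:00:01,web01,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:05:12,web01,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:09:40,web01,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:11:03,web02,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:15:55,web02,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:22:18,web02,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:30:00,web03,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:31:45,web03,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T10:40:09,web03,6010,Web Server Request Anomaly,Info,w3wp.exe
2024-03-01T11:02:27,web02,6011,Web Server Directory Traversal,Info,w3wp.exe
"""

# Signatures that were switched from disabled to informational for the
# review window (constructed ids and names).
SIGNATURES_UNDER_REVIEW = {
    "6010": "Web Server Request Anomaly",
    "6011": "Web Server Directory Traversal",
    "6012": "Web Server Script Execution",
}

# Hosts in the review group; needed so a signature that never fired still
# shows up in the verdicts.
REVIEW_GROUP = ["web01", "web02", "web03"]


def parse_fires(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_signature(rows):
    """Group fires by signature id: total count, fires per host, processes seen."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(row["signature_id"], {
            "name": row["signature_name"],
            "count": 0,
            "per_host": {},
            "processes": set(),
        })
        entry["count"] += 1
        entry["per_host"][row["host"]] = entry["per_host"].get(row["host"], 0) + 1
        entry["processes"].add(row["process"])
    return summary


def recommend(summary, signatures, group, noisy_per_host=2):
    """Classify each signature under review for the next tuning decision.

    'noisy'     - averaged over the group it fires at least noisy_per_host
                  times per server; leave it informational (or add a process
                  exception) rather than raise it to a blocking level.
    'candidate' - fires rarely; read the individual events, then consider a
                  higher reaction level.
    'silent'    - never fired in the window; raising it carries no observed
                  performance risk on this group.
    The threshold is an assumed value; pick one from your own event volume.
    """
    verdicts = {}
    for sid in signatures:
        entry = summary.get(sid)
        if entry is None:
            verdicts[sid] = "silent"
            continue
        average_per_host = entry["count"] / len(group)
        verdicts[sid] = "noisy" if average_per_host >= noisy_per_host else "candidate"
    return verdicts


if __name__ == "__main__":
    fires = parse_fires(SAMPLE_EXPORT)
    by_sig = summarize_by_signature(fires)
    for sid, verdict in recommend(by_sig, SIGNATURES_UNDER_REVIEW, REVIEW_GROUP).items():
        hosts = by_sig.get(sid, {}).get("per_host", {})
        print(f"{sid} {SIGNATURES_UNDER_REVIEW[sid]}: {verdict} {hosts}")
```

The per-host breakdown matters as much as the total: a signature that fires constantly on one server but nowhere else usually points at one application or process to exclude, whereas an even spread across the group is what the thread calls a noisy signature and is the one to keep at log-only.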
Thanks for the reply, bookz :-)
Yeah, there was no way I was going to map them to a prevent action! I am familiar with the deployment technique (slight modification: I was going to map them to 'low', due to the fact that I rarely recommend anything other than 'ignore' for informational). Saying that, we have got a SIEM environment which may benefit from the informational sigs, so I may bring this up as a discussion point...
I think what I would like to see from McAfee is something along the lines of 'the signatures have been disabled as they are not relevant to a general deployment, but we recommend using them on web application servers'. And if this *is* the case, it is disappointing not to see an 'out of the box' IPS rules policy for these situations. Not to mention better descriptions for the signatures! Would you agree?