The question comes up every now and again - when do we (the IPS signature team) disable or retire signatures?
Remember that there is a difference between disabled and retired. Essentially:
Disabled/enabled - turns the written alert off/on.
Retired/active - signature "does not"/"does" get compiled in memory.
As a rule of thumb, we will release signatures active and enabled.
We may release a signature disabled by default if the vulnerability is severe but the affected software is unlikely to be in widespread use.
We may disable a signature that in certain environments would fire excessively on benign traffic.
We will generally release policy signatures (for example, MSN traffic, AIM traffic, p2p, etc.) as disabled by default since they alert on legitimate and normally expected traffic for that application/protocol.
It is up to the organization to enable the alerts if they care to.
We will disable and retire signatures where the vulnerability is 18+ months old, is not a protocol vulnerability (tcp, udp, ip, http, etc.), and has had no active exploitation in the past 6 months.
There will always be exceptions, but this covers most scenarios.
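As an added illustration, not the signature team's own tooling, here is how an organization could encode these lifecycle rules as a check against its own signature metadata. The record fields (sig_id, category, disclosed, last_exploited, policy, niche_severe) are assumptions; the protocol categories and the 18/6 month thresholds come from the rules above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Protocol-level categories named in the post; the age rule never retires these.
PROTOCOL_CATEGORIES = {"tcp", "udp", "ip", "http"}


@dataclass
class Signature:
    sig_id: str                      # hypothetical identifier
    category: str                    # e.g. "http" (protocol) or "application"
    disclosed: date                  # vulnerability disclosure date
    last_exploited: Optional[date]   # None means no active exploitation observed
    policy: bool = False             # policy signature (IM, p2p, ...)
    niche_severe: bool = False       # severe vuln, but software not in widespread use


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from earlier to later (day-of-month aware)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def should_retire(sig: Signature, today: date) -> bool:
    """Retired = not compiled into memory: 18+ months old, not a protocol
    vulnerability, and no active exploitation in the past 6 months."""
    if sig.category.lower() in PROTOCOL_CATEGORIES:
        return False
    if months_between(sig.disclosed, today) < 18:
        return False
    if sig.last_exploited is not None and months_between(sig.last_exploited, today) < 6:
        return False
    return True


def lifecycle_state(sig: Signature, today: date) -> Tuple[bool, bool]:
    """Return (active, enabled). Retirement implies disabled; otherwise
    policy and niche-but-severe signatures ship disabled, all others enabled."""
    if should_retire(sig, today):
        return (False, False)
    enabled = not (sig.policy or sig.niche_severe)
    return (True, enabled)
```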