One of the questions we receive a lot here at Snort Headquarters within the Vulnerability Research Team (VRT) is "Why are rules on/off by default?"
I've already explained what the criteria are for the three policies (Connectivity, Balanced, and Security) in previous blog posts here, but we thought we'd expand on that subject a bit and add it to the Snort FAQ.
So here you go:
https://github.com/vrtadmin/snort-faq/blob/master/Rules/Why-are-rules-commented-out.md