I don’t use NS for IPS… with that in mind, I will say that ET POLICY is not a category I would block.
If your server isn’t vulnerable to POODLE (and it should be patched), then that’s not a rule to be concerned with, as with all the rest of the traffic probing for content management vulnerabilities, etc.
Would you want to block this: “ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)”?
Or this: “ET POLICY PE EXE or DLL Windows file download”?
Because if you do, you’re going to create a world of hurt for yourself with any Windows machines behind your gateway.