Suricata

App layer anomalies and other anomalies can be verbose - however this in most cases is due to the fact that if the stream has a gap - there will be an avalanche of anomaly events for that stream. In most cases, people switch them off as they are actually not so useful. We should just alert those anomalies once we know there is a problem in the stream.