I wish I had (*) a sensitivity knob for the attack blocker.
Normally it would be set at 1, for normal operation.
But I could turn it up (in increments TBD) to 2, doubling its sensitivity globally.
I could also turn it down, to something like 0.1, lowering its sensitivity for the whole box.
I could turn the knob to a new setting, and then watch the log page to see how that new setting shows up in the logs, and also monitor (and talk to) my problem children on the network to see if the new setting helps.
If twiddling the knob helps, then I could go in and add/change exceptions for specific users/classes to match, but the knob gives me a quick way of changing behaviour over the whole box and observing the results.
As a possible implementation, the knob sets the value of a multiplier applied to each user. Effective range TBD, but I suspect 0.1 to 2 in steps of 0.1 would probably be a good first cut.
(The "I wish I had..." and "I wish I had a button/knob that..." was a brainstorming approach we used in a research lab I was in for a number of years. That approach helped us come up with a number of interesting/wild/useful things)
--bob in sunny silicon valley