While tuning a Web Application Firewall (WAF), I'm attempting to filter out all the hostile IP addresses attacking the web server. My intent is to see legit traffic and identify false positives that need to be allowed through. For example, if I search for the directory traversal signature, I'd like to take all the ip_client addresses and filter them out. If a client IP is trying to do a traversal attack, then most likely they are attempting other attacks. The goal is to systematically remove all the hostile IPs and leave clients attempting legit traffic. Making a list or table is not practical; the source IPs are vast and constantly changing.
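The two-pass exclusion the question describes (collect every ip_client that tripped a seed signature, then drop all events from those IPs so only the remaining clients' blocked events need false-positive review), as an added Python example that is not from the post; the key=value log format, the field names other than ip_client, and the sample events are constructed assumptions:

```python
import re

# Constructed sample WAF events (key=value, one per line); not real traffic.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z ip_client=203.0.113.10 uri=/app/../../etc/passwd signature=directory_traversal action=block
ts=2024-01-01T10:00:01Z ip_client=198.51.100.7 uri=/app/login signature=none action=allow
ts=2024-01-01T10:00:02Z ip_client=203.0.113.10 uri=/app/login?user=a%27%20OR%201=1 signature=sql_injection action=block
ts=2024-01-01T10:00:03Z ip_client=203.0.113.11 uri=/app/files?name=..%2f..%2fwin.ini signature=directory_traversal action=block
ts=2024-01-01T10:00:04Z ip_client=192.0.2.55 uri=/app/search?q=%3Cb%3Ehi%3C/b%3E signature=xss action=block
ts=2024-01-01T10:00:05Z ip_client=198.51.100.7 uri=/app/home signature=none action=allow
"""

# key=value pairs; values run to the next whitespace, so a URI containing '=' stays intact
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log_text):
    """Parse key=value lines into dicts; lines without ip_client are skipped."""
    events = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "ip_client" in fields:
            events.append(fields)
    return events


def hostile_ips(events, seed_signatures):
    """Pass 1: every ip_client that triggered any seed signature (e.g. directory traversal)."""
    return {e["ip_client"] for e in events if e.get("signature") in seed_signatures}


def exclude_hostile(events, seed_signatures):
    """Pass 2: drop every event, allowed or blocked, sent by a hostile IP."""
    hostile = hostile_ips(events, seed_signatures)
    return [e for e in events if e["ip_client"] not in hostile]


def candidate_false_positives(events, seed_signatures):
    """Blocked events from IPs that never tripped a seed signature: the review queue."""
    return [e for e in exclude_hostile(events, seed_signatures) if e.get("action") == "block"]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in candidate_false_positives(evts, {"directory_traversal"}):
        print(e["ip_client"], e["signature"], e["uri"])
```

The seed set can be widened (for example to include sql_injection) as confidence grows; each widening shrinks the review queue without maintaining an IP list by hand.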