tudelft-cda-lab/SAGE

Structure the filtering part when parsing the alerts

jzelenjak opened this issue · 1 comments

Description

Sometimes, there are attackers that generate 99% of the alerts, which in the code are called bad_ip and are skipped. Furthermore, there are alerts that occur way too often and could be filtered, if necessary (see below).

[three screenshots attached to the issue; images not included here]

The bad_ip might be dataset-specific, and the checks for "Attempted Information Leak" and "Non Suspicious Traffic" might be needed only in case of bad_ip.

Proposed Solution

  1. Check bad IPs for CPTC/CCDC and decide on how to proceed
  2. Check what happens if we remove the check for "Not Suspicious Traffic". The _remove_duplicate method checks for NON_MALICIOUS traffic; however, the former is a SURICATA category, while the latter is part of the MicroAttackStage framework.
  3. Update the _parse function accordingly

Also kinda links to #24
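One way the filtering step could be made explicit, as an added illustration rather than SAGE's own parser code: the bad_ip list, the "dominant source" heuristic and the Suricata-category filter become configuration, the category filter can be scoped to bad IPs only, and the Suricata category string is kept apart from any MicroAttackStage (NON_MALICIOUS) mapping. The alert shape, `FilterConfig` and the sample data are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample alerts in a Suricata-EVE-like shape (not real SAGE data).
SAMPLE_ALERTS = [
    {"src_ip": "10.0.0.5", "category": "Attempted Information Leak"},
    {"src_ip": "10.0.0.5", "category": "Attempted Information Leak"},
    {"src_ip": "10.0.0.5", "category": "Not Suspicious Traffic"},
    {"src_ip": "10.0.0.5", "category": "Web Application Attack"},
    {"src_ip": "10.0.0.9", "category": "Not Suspicious Traffic"},
    {"src_ip": "10.0.0.9", "category": "Attempted Administrator Privilege Gain"},
]


@dataclass
class FilterConfig:
    """Explicit, dataset-specific filtering knobs instead of hard-coded checks."""
    bad_ips: set = field(default_factory=set)          # known noisy sources (per dataset)
    dominant_share: float = 0.99                       # also flag any IP above this share
    skip_bad_ips: bool = True                          # drop every alert from a bad IP
    drop_categories: set = field(default_factory=set)  # Suricata categories to drop
    category_scope: str = "bad_ip"                     # "bad_ip" or "all"


def dominant_ips(alerts, share):
    """Source IPs responsible for at least `share` of all alerts."""
    counts = Counter(a["src_ip"] for a in alerts)
    total = len(alerts)
    return {ip for ip, n in counts.items() if total and n / total >= share}


def filter_alerts(alerts, cfg):
    """Return (kept_alerts, Counter of drop reasons).

    Filtering here looks only at the Suricata category string; mapping an alert
    to a MicroAttackStage such as NON_MALICIOUS is a separate, later step and
    must not be conflated with this check."""
    bad = set(cfg.bad_ips) | dominant_ips(alerts, cfg.dominant_share)
    kept, dropped = [], Counter()
    for alert in alerts:
        from_bad = alert["src_ip"] in bad
        if from_bad and cfg.skip_bad_ips:
            dropped["bad_ip"] += 1
            continue
        in_scope = cfg.category_scope == "all" or from_bad
        if in_scope and alert["category"] in cfg.drop_categories:
            dropped["category"] += 1
            continue
        kept.append(alert)
    return kept, dropped
```

The `dropped` counter makes it visible how much each rule removed, which is the number to compare across CPTC and CCDC before deciding whether a category check is needed at all.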